PCI-DSS

PCI-DSS requires you to safeguard the credit card data you receive. Email is not a secure way to ask a customer for their credit card information, whether to set up automatic payments or to make a one-time payment. Email is also not a secure way to share your business's card data with your employees or vendors.

Encyro helps you securely communicate credit card data, protected using encryption and multiple security safeguards. Encyro maintains PCI-DSS compliance as a service provider level 2. This means that customers may use Encyro as a service provider to collect card data from their clients. 

  • AOC: If your credit card processor requires you to submit an attestation of compliance (AOC) for your service providers such as Encyro, please contact us to request Encyro's AOC for PCI DSS. 

Collecting Payment Information From Clients Using Encyro

  • Many professionals use the Encyro E-Sign feature to collect card information as part of a client onboarding form, new patient intake form, or an engagement letter. 
  • Use the Encyro upload page feature to securely request a voided check image or similar auto-payment information. See this article for how customers can take a photo of their voided check or credit card with a phone camera and send it to you securely.

Customer Responsibility

Encyro is not a complete system for payment data collection or processing. You must acquire your own devices, and additional software such as a web browser, to use Encyro services. If the data you collect using Encyro is subject to PCI DSS compliance, then it is your responsibility to ensure that your complete system and workflow is PCI-DSS compliant.

The following Encyro configuration options and features can help you ensure your usage of Encyro is within PCI DSS compliance requirements.

PCI DSS v4.0 Requirement 2 - Customer Responsibility
  • Enable automatic log-off upon inactivity in your Encyro account settings (unless your devices have automatic screen locks configured).

PCI DSS v4.0 Requirement 3 - Customer Responsibility
  • Delete data that is no longer required (PCI DSS Req. 3.2.1).
  • Do not collect or store sensitive authentication data (SAD), CVC, or full-track data in Encyro (PCI DSS Req. 3.3.1).
  • Appropriately protect screens where an Encyro account is accessed to view PAN data. Compensating controls are needed because Encyro does not track which data includes PANs and does not mask any portion of a PAN displayed in the Encyro account (PCI DSS Req. 3.4.1).

PCI DSS v4.0 Requirement 7 - Customer Responsibility
  • Grant the "Data Manager" permissions within your Encyro account to appropriate staff members only.

PCI DSS v4.0 Requirement 8 - Customer Responsibility
  • Use Encyro compliance settings to enforce strong passwords for all staff users' Encyro accounts (PCI DSS Req. 8.3.6).
  • Ensure all staff users configure MFA using SMS, an authenticator app, or both in your Encyro account security settings (PCI DSS Req. 8.3.1).
  • If using Single Sign On (aka social login) options for your Encyro account, ensure that you configure appropriate safeguards on the external login provider (Encyro MFA and strong password settings apply only to the Encyro login and not to external login providers).
  • Use access control best practices. Do not share passwords.

PCI DSS v4.0 Requirement 10 - Customer Responsibility
  • Familiarize yourself with the audit log functionality in Encyro and develop a process for regular log review.
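Because Encyro does not identify or mask PANs (Requirement 3 above), a customer who exports received form data into their own records needs a compensating control of their own. The following is an added Python example, not Encyro's code: it finds Luhn-valid card numbers in free text and masks them to the BIN (first six) and last four digits, and it flags labelled CVV/CVC values so a record containing SAD can be rejected rather than stored (Req. 3.3.1). The regular expressions, function names and sample text are assumptions constructed for this illustration.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so that phone numbers or invoice ids are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
# Each candidate is confirmed with the Luhn check before it is masked.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def mask_pan(digits: str) -> str:
    """Keep BIN (first 6) and last 4; PCI DSS 3.4.1 allows at most that on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def mask_pans(text: str) -> tuple[str, int]:
    """Return the text with Luhn-valid PANs masked, plus the number masked."""
    count = 0
    def repl(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)       # not a card number: leave untouched
    return PAN_RE.sub(repl, text), count

# Sensitive authentication data must never be retained after authorization
# (PCI DSS 3.3.1): detect labelled card verification codes in a record.
SAD_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|security code)\b\s*[:#]?\s*\d{3,4}", re.I)

def has_sad(text: str) -> bool:
    return SAD_RE.search(text) is not None

if __name__ == "__main__":
    # Constructed sample using a well-known test card number, not real data.
    record = "Card: 4111 1111 1111 1111, exp 12/26, phone 555-123-4567, CVV: 123"
    if has_sad(record):
        print("reject: record contains sensitive authentication data")
    masked, n = mask_pans(record)
    print(f"{n} PAN(s) masked -> {masked}")
```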

Disclaimer

While the above information offers general guidance as to how an Encyro account may be configured for compliance, the ultimate determination of whether the customer's complete system and usage is compliant with PCI DSS rests with the customer and/or their Qualified Security Assessor (QSA).

Team Encyro