PCI-DSS requires safeguarding credit card data that you receive. Email is not a secure way to ask a customer to provide their credit card information to set up their automatic payment or pay. Email is also not secure to share your business card data with your employees or vendors.

    Encyro helps you securely communicate credit card data, protected using encryption and multiple security safeguards. Encyro maintains PCI-DSS compliance as a service provider level 2. This means that customers may use Encyro as a service provider to collect card data from their clients.

    • AOC: If your credit card processor requires you to submit an attestation of compliance (AOC) for your service providers such as Encyro, please contact us to request Encyro’s AOC for PCI DSS.

    Collecting Payment Information From Clients Using Encyro

    • Many professionals use the Encyro E-Sign feature to collect card information as part of a client onboarding form, new patient intake form, or an engagement letter.
    • Use the Encyro upload page feature to securely request a voided check image or similar auto-payment information. Seethis article for how customers can click a photo of their voided check or credit card using a phone camera and send it to you securely.

    Customer Responsibility

    Encyro is not a complete system for payment data collection or processing. You must acquire your own devices, and additional software such as a web-browser, to use Encyro services. If the the data you collect using Encyro is subject to PCI DSS compliance, then it is your responsibility to ensure that your complete system and workflow is PCI-DSS compliant.

    The following Encyro configuration options and features can help you ensure your usage of Encyro is within PCI DSS compliance requirements.

    • PCI DSS v4.0 Requirement 2: Enable automatic log-off upon inactivity in your Encyro account settings (unless your devices have automatic screen locks configured).
    • PCI DSS v4.0 Requirement 3: Ensure that your workflow follows the steps below:
      • Customer should delete data not required anymore (PCI DSS Req. 3.2.1).
      • Customer should not collect or store SAD, CVC, and full-track data in Encyro (PCI DSS Req. 3.3.1).
      • Screens where an Encyro account is accessed (to view PAN data) should be appropriately protected. Compensating controls are needed because Encyro does not track which data includes PANs and does not mask any portion of it displayed in the Encyro account (PCI DSS Req. 3.4.1).
    • PCI DSS v4.0 Requirement 7: The “Data Manager” permissions within your Encyro account should be granted to appropriate staff members only.
    • PCI DSS v4.0 Requirement 8: Configure the following settings.
      • Use Encyro compliance settings to enforce strong passwords for all staff users’ Encyro accounts (PCI DSS Req. 8.3.6).
      • Ensure all staff users configure MFA using SMS, Authenticator app, or both in your Encyro account security settings (PCI DSS Req. 8.3.1).
      • If using Single Sign On (aka, social login) options for your Encyro account, then ensure that you configure appropriate safeguards on the external login provider (Encyro MFA and strong password settings only apply to the Encyro login and not to the external login providers).
      • Use access control best practices. Do not share passwords.
    • PCI DSS v4.0 Requirement 10: Familiarize with audit logs functionality in Encyro and develop a process for regular log review.


    While the above information offers general guidance as to how an Encyro account may be configured for compliance, the ultimate responsibility for the customer’s complete system and usage being compliant with PCI DSS will be made by the customer and/or their Qualified Security Assessor (QSA).

    Related articles

    • IRS Publication 4557 provides seven checklists for tax preparers to help protect tax clients' tax data. The safeguards also protect your business from a da...

    • The GLB Act of 1999 and the Safeguards Rule of 2002 require all financial service providers to protect their customer's financial privacy and is enforced b...

    • Encyro helps you comply with FINRA cyber-security requirements is the following ways: Encyro maintains the confidentiality and integrity of data as require...

    • The SEC Regulation  Title 17: Chapter II, Part 248, Subpart A: §248.30 requires every broker, dealer, and investment company, and every investment adviser ...

    • Can I use Encyro for HIPAA compliance? Can I store and send patient information using Encyro? Encyro complies with Health Insurance Portability and Account...

    • (If your Encyro account is part of an organization, see organizational compliance settings.) To enable or edit compliance settings, go to your account Sett...

    • Can I enforce a password for my messages? Can I make it mandatory for my clients to use a password or create an account? How do I remove the option to rece...

    • Who can access my content? Can Encyro view my data? Is it different from Protonmail and other encrypted email services that claim they cannot access my dat...