PCI-DSS requires you to safeguard the credit card data you receive. Email is not a secure way to ask a customer to provide their credit card information, whether to make a payment or to set up automatic payments. Email is also not a secure way to share your business's own card data with your employees or vendors.
Encyro helps you securely communicate credit card data, protected using encryption and multiple security safeguards. Encyro maintains PCI-DSS compliance as a service provider level 2. This means that customers may use Encyro as a service provider to collect card data from their clients.
- AOC: If your credit card processor requires you to submit an attestation of compliance (AOC) for your service providers such as Encyro, please contact us to request Encyro's AOC for PCI DSS.
Collecting Payment Information From Clients Using Encyro
- Many professionals use the Encyro E-Sign feature to collect card information as part of a client onboarding form, new patient intake form, or an engagement letter.
- Use the Encyro upload page feature to securely request a voided check image or similar auto-payment information. See this article for how customers can click a photo of their voided check or credit card using a phone camera and send it to you securely.
Encyro is not a complete system for payment data collection or processing. You must acquire your own devices, and additional software such as a web browser, to use Encyro services. If the data you collect using Encyro is subject to PCI DSS compliance, then it is your responsibility to ensure that your complete system and workflow is PCI-DSS compliant.
The following Encyro configuration options and features can help you ensure your usage of Encyro is within PCI DSS compliance requirements.
PCI DSS v4.0 Requirement
- Enable automatic log-off upon inactivity in your Encyro account settings (unless your devices have automatic screen locks configured).
- Grant the “Data Manager” permissions within your Encyro account to appropriate staff members only.
- Familiarize yourself with the audit log functionality in Encyro and develop a process for regular log review.
While the above information offers general guidance as to how an Encyro account may be configured for compliance, the ultimate determination of whether the customer’s complete system and usage is compliant with PCI DSS will be made by the customer and/or their Qualified Security Assessor (QSA).