ECRYPT is a Level 1 PCI-DSS Assessed Payment Processing Gateway. As a service provider, ECRYPT is committed to the secure transmission and storage of cardholder data. This document describes the PCI-DSS requirements ECRYPT meets for merchants using the ECRYPT Gateway. PCI-DSS applies to any organization that stores or transmits card data. The ECRYPT Gateway helps meet this requirement and reduces the compliance burden for merchants, specifically as it relates to card storage through tokenization. ECRYPT merchants are still responsible for their own PCI-DSS compliance. This document only defines the specific items ECRYPT assists merchants with. Any requirement not listed here is the merchant’s responsibility.

Requirement 3.2.1 — Data Retention

Data storage amount and retention time are limited to what is required for legal, regulatory, and/or business requirements.
  • ECRYPT: Stores merchant cards for 2 years from last token use.
  • Merchant: No action required.

Requirement 3.3.1 — Track Data Retention

The full contents of the track are not retained after authorization.
  • ECRYPT: Does not retain full track data after authorization.
  • Merchant: No action required.

Requirement 3.3.1.2 — CVV Retention

The card verification code (CVV) is not retained after authorization.
  • ECRYPT: Does not store the CVV after authorization.
  • Merchant: No action required.

Requirement 3.3.1.3 — PIN Retention

The PIN or PIN block is not retained after authorization.
  • ECRYPT: Does not store the PIN or PIN block after authorization.
  • Merchant: No action required.

Requirement 3.3.2 — SAD Encryption Prior to Authorization

Sensitive authentication data (SAD) stored electronically prior to completion of authorization is encrypted using strong cryptography.
  • ECRYPT: Provides HTTPS TLS 1.2 endpoints for secure transmission.
  • Merchant: Must connect to ECRYPT TLS 1.2 endpoints.

Requirement 3.4.1 — PAN Masking

PAN is masked when displayed.
  • ECRYPT: Masks PAN in the ECRYPT Dashboard.
  • Merchant: No action required.

Requirement 3.5.1 — PAN Storage

PAN is rendered unreadable anywhere it is stored, using one-way hashes, truncation, index tokens, or strong cryptography with associated key-management processes.
  • ECRYPT: Uses one-way hashes based on strong cryptography to store cards and maintains compliant key management processes and procedures.
  • Merchant: If card data is stored with the ECRYPT Gateway and billed via tokens, this requirement is met. If card data is stored separately from ECRYPT, the merchant must meet this requirement independently.

Requirement 3.6.1.2 — Key Storage

Secret and private keys used to encrypt/decrypt stored account data are stored in encrypted form, within a secure cryptographic device such as an HSM, or as at least two full-length key components.
  • ECRYPT: Uses an HSM to protect keys of encrypted cards.
  • Merchant: No action required.

Requirement 3.7.3 — Key Storage Policies

Key-management policies and procedures include secure storage of cryptographic keys used to protect stored account data.
  • ECRYPT: Has policies and procedures for the secure storage of cryptographic keys. This responsibility is met through an upstream service provider.
  • Merchant: No action required.

Requirement 3.7.7 — Key Substitution Prevention

Key-management policies and procedures include prevention of unauthorized substitution of cryptographic keys.
  • ECRYPT: Has policies and procedures to prevent the unauthorized substitution of cryptographic keys. This responsibility is met through an upstream service provider.
  • Merchant: No action required.

Requirement 3.7.8 — Key Custodian Acknowledgment

Cryptographic key custodians formally acknowledge in writing or electronically that they understand and accept their key-custodian responsibilities.
  • ECRYPT: Has designated key custodians for all cryptographic keys.
  • Merchant: No action required.

Requirement 4.2.1 — PAN Transmission Security

Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks, using only trusted keys, valid certificates, and secure protocol versions.
  • ECRYPT: Uses TLS 1.2 with valid SSL certificates to safeguard PAN over open public networks.
  • Merchant: No action required.

Requirement 4.2.2 — PAN in Messaging Technologies

PAN is secured with strong cryptography whenever sent via end-user messaging technologies.
  • ECRYPT: Transmits and receives PAN using secure messaging technologies with TLS 1.2 in transit and encryption at rest, with an attestation of compliance.
  • Merchant: Must send and receive card data only from systems inside their cardholder data environment (CDE) using secure technologies, and destroy SAD after transmission.