
PCI DSS-aligned AI

The cleanest way to keep PCI scope tight is to keep cardholder data out of the systems that need to read prompts. Cypherz detects PANs (Luhn-checked, 13-19 digits), CVVs (custom regex), and expiry dates, then tokenizes them before requests leave your environment. The LLM provider sees `<CC_a1b2c3d4e5f6>`, never `4111 1111 1111 1111`.

• Luhn-checked PAN detector — Only digit strings that pass the Luhn check are tokenized. Roughly nine in ten random 16-digit strings fail it, so order numbers, timestamps and similar IDs are left untouched rather than turned into false positives.

• Tokens are deterministic, not encrypted — The same PAN always maps to the same surrogate within a project, so joins and dedupe keep working without a detokenize step. The trade-off is that a deterministic token reveals when two requests reference the same card, so the token-to-PAN mapping and the key behind it must stay inside your environment.

• Out-of-scope by design — Your LLM provider never receives a PAN, which keeps it outside your cardholder data environment; your QSA makes the final scoping call.
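A worked example of the detect-then-tokenize path described above: scan a prompt for 13-19 digit candidates, keep only those that pass Luhn, and replace each with a per-project deterministic surrogate before the text leaves your environment. This is added illustration code, not Cypherz's implementation. The candidate-PAN regex, the derivation of the surrogate as an HMAC-SHA256 under a per-project key truncated to 12 hex characters, and the in-memory vault are assumptions made for this example; the sample prompt and the project key are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Pattern constructed for this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def surrogate(pan: str, project_key: bytes) -> str:
    """Deterministic surrogate for a PAN.

    Assumption for this example: HMAC-SHA256 under a per-project key, truncated
    to 12 hex characters. Same PAN + same key -> same token, so joins and dedupe
    keep working; a different project key yields a different token. Without the
    key the token cannot be mapped back to the PAN.
    """
    mac = hmac.new(project_key, pan.encode(), hashlib.sha256).hexdigest()
    return f"<CC_{mac[:12]}>"


def tokenize_prompt(text: str, project_key: bytes) -> tuple[str, dict[str, str]]:
    """Replace every Luhn-valid PAN in `text` with its surrogate.

    Returns the redacted text (what the LLM provider may see) and the
    token -> PAN mapping that belongs in a vault inside your own environment.
    Digit runs that fail Luhn (order numbers, timestamps) are left untouched.
    """
    vault: dict[str, str] = {}

    def replace(m: re.Match[str]) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw  # fails Luhn: not a card number, leave it alone
        token = surrogate(digits, project_key)
        vault[token] = digits
        return token

    return PAN_CANDIDATE.sub(replace, text), vault


if __name__ == "__main__":
    # Constructed prompt: two well-known test card numbers and one 16-digit
    # order ID that fails Luhn and must survive untouched.
    key = b"per-project-key-constructed-for-this-example"
    prompt = ("Refund card 4111 1111 1111 1111 for order 1234567890123456 "
              "and charge 5500-0000-0000-0004 instead.")
    redacted, vault = tokenize_prompt(prompt, key)
    print(redacted)
    for token, pan in vault.items():
        print(token, "->", pan[:6] + "******" + pan[-4:])
```

Run it and the two card numbers come back as `<CC_…>` tokens while the order ID stays in clear, because the order ID fails Luhn. The keyed hash is what makes the surrogate both deterministic and non-reversible: anyone holding only the token cannot recover the PAN, and anyone holding the key can link requests that reference the same card, which is exactly why the key and the vault stay on your side of the boundary.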

What PCI DSS requires you to do

• Req 3 — Protect stored cardholder data — PAN must be rendered unreadable wherever it is stored: keyed one-way hashing, truncation, index tokens, or strong cryptography with managed keys are the accepted methods. Cypherz is purpose-built for tokenization, and its keys are protected at rest with envelope encryption. Note that CVV is sensitive authentication data and may not be retained after authorization even in encrypted form, so a detected CVV should be dropped, not vaulted.

• Req 4 — Protect cardholder data during transmission over open, public networks — TLS 1.3 on every hop, including the call to the LLM provider.

• Req 10 — Log and monitor all access to system components and cardholder data — An audit log entry for every PAN-touching action.


Important caveat

PCI scope is determined by your QSA based on your specific environment. Cypherz helps you keep LLM vendors out of scope but does not perform the assessment.

Common questions


Does Cypherz make my app PCI DSS-compliant by itself?

No tool can — compliance is a posture across people, process, and technology. Cypherz handles a critical technical layer (pseudonymization, encryption, audit logging) but you still need policy, training, and assessment.

Where is Cypherz hosted?

EU (Hetzner — Helsinki and Falkenstein) by default for the managed product. Self-host anywhere with one docker-compose command if your compliance posture requires it.

Do you sign formal agreements?

Yes — Business and Enterprise tiers include DPAs and BAAs. We are working through a SOC 2 Type II audit; ask for our latest report.

Can I get an audit log export?

Yes — every action is logged with structured metadata and can be exported via the API in formats suitable for SIEM ingestion.

Get started

Add AI features without widening your PCI DSS scope.

Sign up free. Create a project. The audit trail starts logging from request one.