Answers to Common Questions
What is Zencurity™?
Zencurity, by Bright Lion™, is Compliance as a Service, using our patent-pending secure payment gateway. Zencurity acts as a bridge between enterprise resource planning (ERP) applications and/or ecommerce sites, which are used to collect payment card information, and payment processing services.
Your Zencurity subscription includes:
- Ecommerce service that integrates with web stores and online payments
- P2PE service for P2PE card entry devices
Who can use Zencurity?
Any company that uses QAD® ERP applications can use Bright Lion’s application. The service works with all versions of QAD.
Where is Zencurity available?
Bright Lion offers global availability for the Zencurity subscription through our partner ProStar Software. Any customer using QAD’s Enterprise Applications solutions is eligible. For further information, contact ProStar at +1-800-470-7581 or info@prostarsoftware.com.
Does Zencurity store my credit card information?
No credit card information is stored on Zencurity systems. Zencurity processes the credit card information in volatile memory and transmits it to payment processors over a secure link.
Is Zencurity compliant with the Payment Card Industry (PCI) Data Security Standards (DSS)?
Zencurity is compliant with PCI DSS. The service has been audited by a Qualified Security Assessor (QSA) and is validated as a PCI Level 2 Service Provider.
If I use Zencurity, would I still need to be compliant with PCI DSS?
Companies using the ecommerce service will need to complete PCI SAQ A, and companies using the P2PE solution will need to complete PCI SAQ P2PE. Completing the applicable SAQ, combined with Zencurity, will allow you to be fully PCI DSS compliant.
What is an "SAQ" – and what do I do with it?
The PCI DSS Self-Assessment Questionnaire (SAQ) series was developed to enable qualifying merchants to internally evaluate their own compliance needs and provide a statement of compliance. Based on your payment methods and other process variables, different versions of the SAQ will apply to different use cases. However, each SAQ has two sections:
- Environment-specific questions related to the PCI DSS requirements, which define the correct SAQ for your environment and the testing procedures to expect.
- Attestation of Compliance (AoC), which includes both your declaration of eligibility for the applicable SAQ and your self-assessment results.
With Zencurity, we can help reduce your compliance obligations to the minimum required documentation: Self-Assessment Questionnaire A, or Self-Assessment Questionnaire P2PE.
How does Zencurity fit into my company's existing cybersecurity plan?
First, we understand how difficult it can be to navigate PCI DSS compliance. The combined risks of running unaudited systems while holding a signed security-validation commitment with your bank are steep, yet annual PCI audits can be extremely time-consuming and resource-intensive.
However, a complicated process isn't the only way to achieve satisfactory compliance, and Zencurity can significantly simplify your plan. With Zencurity, your servers are shielded from exposure to sensitive payment data – which keeps them entirely out of scope for PCI audit requirements.
Not only will you successfully minimize risk and liability, you'll be certain that all of your business compliance concerns are continually covered by our highly skilled security experts.
What does PCI DSS compliance do for my business?
If you accept payment cards, the benefits of compliance are threefold:
- From a legal perspective, you'll be avoiding breach of contract, given that your signed bank agreement already includes a commitment to being compliant.
- From a financial perspective, you'll safely avoid the hefty penalties that will be imposed if your company is found to be noncompliant.
- From a brand-loyalty perspective, you'll be able to protect your customers' highly sensitive personal data – and their positive opinion of your company.
How much protection does being PCI compliant offer?
According to the Verizon 2019 Payment Security Report, "in revisiting payment card security breaches investigated by the VTRAC | Investigative Response Team, we can definitively state that we have never, ever reviewed an environment, or investigated a PCI data breach involving an impacted entity, that was truly PCI DSS compliant." (Verizon 2019 Payment Security Report, Verizon, p. 32)
In short, "the claim by industry experts that 'no truly PCI DSS–compliant merchant has ever been breached'" continues to hold true, and Bright Lion offers an elegantly simple solution to help you maintain full compliance.
Isn’t my company already compliant?
For starters, every business that accepts payment cards has already committed to maintaining PCI DSS compliance by way of signing a bank agreement. However, many companies have been misinformed that by having some part of their payment processing outsourced, including ecommerce, they are not responsible for maintaining compliance. This is false.
Given that organizations are legally bound to maintain PCI DSS compliance – and the stakes are high if they fail to do so – financial institutions may assess hefty penalties against non-compliant merchants. We will help assess your needs and bridge any gaps.
With Zencurity, it's simple to stay on the right side of compliance requirements.
How do criminals obtain credit-card data – and how can they be stopped?
If a merchant's payment card-processing system is unsecured, hackers have many ways to access and steal payment data through vulnerable networks and software. Fortunately, there are two proven strategies that can help make payment-processing systems impenetrable: encryption and tokenization.
Encryption protects credit-card data from being compromised as it passes between parties. For this reason, Zencurity requires a designated point-to-point encryption (P2PE) device keypad for entering sensitive data.
Tokenization is the process of converting sensitive payment information into a secure token, which can then be used again and again without the payment information ever being exposed to an insecure network. Zencurity manages the tokenization process for not only traditional cards but also virtual ones.
Does Bright Lion perform security assessments to validate the security of its systems?
Yes. As required by PCI DSS, the company performs quarterly internal and external vulnerability scans, half-yearly tests of segmentation controls, and annual internal and external penetration tests.
What is Bright Lion’s PCI DSS charter?
Our management-approved PCI DSS charter can be found here.
I am a customer with a security concern or a bug bounty hunter who wants to notify Bright Lion of a vulnerability. How can I reach Bright Lion?
All security concerns should be sent to security@bright-lion.com.