Security and PCI Compliance
At Zero Technologies, security isn't just a feature; it's our foundation. As pioneers in the payment gateway landscape, we not only meet but surpass industry security benchmarks. Our active role as a PCI SSC Participating Organization ensures that we are consistently ahead of the curve, adapting to evolving threats and the ever-changing landscape of data security standards.
Your business's safety is our utmost priority. With Zero Technologies, you gain more than just a secure payment system; you earn the peace of mind that every transaction—yours, your merchants', and their customers'—is protected to the highest degree.
Compliance and Certificates
PCI-DSS Level 1
Zero Technologies is a PCI-DSS Level 1 Service Provider.
Security continues to be a hot-button topic thanks to the seemingly endless breaches and leaked card details that hit news feeds with increasing frequency. Zero Technologies is committed to ensuring that your customers' payment information is constantly protected and that they have a superior subscription experience. This standard is reflected in the people, technologies, and processes we employ.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.
Zero Technologies ensures that your customers' sensitive card information is encrypted and handled in a safe and secure manner. With annual audits and PCI-DSS Level 1 certification, Zero Technologies protects sensitive data.
Cardholder Data Security
Hosting Security
Zero Technologies operates in a cloud-based environment on GCP with multiple mechanisms in place to ensure resiliency and business continuity. For more information, please reference the GCP Compliance page; GCP also certifies extensive physical protections and hosts various banking, government, and security agencies.
Data in Transit
Zero Technologies requires TLS v1.2 for its Core transactional API when supported by the connecting client. Beyond that single requirement, Zero's secure configuration currently warrants an A+ rating from SSL Labs, meaning that Zero's website security is resilient to attacks exploiting older, weaker TLS versions.
Data at Rest
Zero Technologies uses the Advanced Encryption Standard (AES) with 256-bit keys when encrypting confidential data within the vault. Each confidential record within the vault is encrypted using a separate, randomly generated encryption key. That per-record key is itself protected by encrypting it with an asymmetric key (RSA, 2048 bits).
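The envelope-encryption pattern described above, as an added illustration that is not Zero Technologies' own vault code: each record gets its own random 256-bit AES key, and only that key is wrapped under the RSA-2048 key. The page does not name the AES mode or RSA padding, so AES-GCM and RSA-OAEP (SHA-256) are assumptions of this example, as are the function names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Seal encrypts one record under a fresh random 256-bit DEK that no other
// record shares, then wraps that DEK with the RSA-2048 public key (the KEK).
// It returns the wrapped DEK and the nonce-prefixed AES-256-GCM ciphertext.
func Seal(kek *rsa.PublicKey, plaintext []byte) (wrappedDEK, record []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	wrappedDEK, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, nil)
	if err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(dek) // cannot fail: key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh per record
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return wrappedDEK, gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open unwraps the DEK with the RSA private key and decrypts the record; any
// change to the ciphertext, nonce or tag makes gcm.Open return an error.
func Open(kek *rsa.PrivateKey, wrappedDEK, record []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, kek, wrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	if len(dek) != 32 {
		return nil, errors.New("unwrapped DEK is not a 256-bit key")
	}
	block, _ := aes.NewCipher(dek)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(record) < n {
		return nil, errors.New("record shorter than its nonce")
	}
	return gcm.Open(nil, record[:n], record[n:], nil)
}
```

Because only the RSA private key can unwrap the DEKs, a stolen copy of the vault records is useless on its own, and compromise of one record's DEK exposes that record only.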
Corporate Security
Ongoing Security Evaluation
Ongoing security evaluation means different things to different organizations, but every definition represents a continuum of constantly assessing and improving information security across three areas: known patchable vulnerabilities, syntactic coding exploits, and semantic process deficiencies. Zero performs all three of these assessment types (including social engineering tests such as phishing tests) on a regular basis, in addition to process-only tabletop exercises that assess and improve our incident response to likely and impactful threats such as ransomware.
Layered Approach to Security
From an architectural perspective, Zero Technologies seeks to embrace zero trust security ideals, where access to resources is fully authenticated, fully authorized, and fully encrypted based upon user credentials (with Multi-Factor Authentication) from inventoried and managed devices. We measure our information security posture against the Secure Controls Framework (SCF), bettering our ability to prevent, detect, and respond to information security attacks. We also maintain a "B" Security Scorecard rating.
Password Best Practices
Longer passwords are harder to guess or crack. Zero Technologies recommends creating passwords from passphrases. Passphrases are made up of longer sentences and/or words that are meaningful to the user (and not to others), which allows one to remember a password more easily without writing it down. Session timeouts due to inactivity and forced logouts are also in place.
Multi-Factor Authentication (MFA)
MFA is a required protection for all Zero Technologies access. MFA enhances security by requiring another factor of login verification to Zero Technologies administration tools versus just a single username and password.
MFA is a necessity for strengthening defenses: it goes a long way in protecting sensitive PCI data and network access. While it is never possible to stop all data breaches and attacks, MFA can help merchants reduce the likelihood of a successful cyberattack.
Role-Based Access Control (RBAC)
Compartmentalize access to sensitive areas of your Zero Technologies administrative tools (security keys, reporting, and more) by leveraging RBAC. Zero Technologies offers several pre-configured roles to ensure appropriate administration and the needed separation of specific functions.
Organizations can manage their own users' access to sensitive company information by selecting the appropriate role(s) for key customer stakeholders. These user access controls give employees a more secure way to access the specific information they need to do their jobs and prevent them from accessing information that does not pertain to them.
Privacy, Personal Data Use And Processing
Privacy Notice for California Consumers
Zero Technologies is in compliance with the Privacy Notice for California Consumers. More information can be found here.
Privacy Shield
Zero Technologies remains a member of the US Privacy Shield, which may afford customers additional enforcement options, as data protection laws are enforced in-country by the U.S. Department of Commerce. View our Privacy Policy here.