by rxovox

20 slides

IAT Deck 10.pptx

Published Nov 7, 2013 in Technology

How IAT works




Presentation Slides & Transcript

DataDivider Security and Compliance - PCI QSA
The Virtual Terminal Conundrum
What is the Isolating Access Terminal? - IAT
CONFIDENTIAL

PCI Problem: Virtual Terminal Access
Everything is in scope for PCI because cardholder data is being entered into Virtual Terminals from the local network

Possible Solutions
Implement all required PCI controls
Dual Workstation/Dual Network
Hypervisor
USB Device
Secure Browser Solution

Solution: Isolating Access Terminal
VTs are in scope because the agent enters payment data manually via a keyboard, thereby bringing the desktop and its network into scope
DataDivider is a compensating control for your existing VT so that:
The workstation, the keyboard and the screen are isolated
There is no chance to log keystrokes or capture screenshots
DataDivider is secure & PCI compliant:
QSA approved
PCI compliant datacenter
Fully managed/hosted

PCI Solution: Isolating Access Terminal

How Does IAT Work?

How does IAT Work?

DataDivider Data Flow Option 1:

DataDivider Data Flow Option 2:

IAT Solution
Once connected to the required sites, the Keypad appears wherever numeric card entry data is required.
The Secure Browser Keypad is auto-launched on the desired fields.

Secure Browser

Q&A
Is DataDivider PCI compliant?
Yes, we are certified as a Level 1 PCI Compliant Service Provider and are listed on the Visa Global Registry of Service Providers: http://www.visa.com/splisting/searchGrsp.do
and on the Mastercard Compliant Service Provider List: http://www.mastercard.com/us/company/en/docs/SP_Post_List_2012.pdf

Q&A
Is DataDivider PA-DSS compliant?
DataDivider is a Software as a Service offering hosted within a Level 1 PCI Compliant datacenter and therefore, as a wholly hosted service, is not subject to PA-DSS.
How long does it take to implement?
DataDivider implementation can be completed in as little as 24 hours once the appropriate approvals, configuration parameters and user account details have been provided by the customer. DataDivider does not require hardware or software installations at the client site.

Q&A
How was QSA testing performed?
QSA testing was performed by a third-party approved Qualified Security Assessor Company (QSAC), K3DES. Testing was performed according to the testing guidelines outlined by the PCI Security Standards Council and included application- and network-layer penetration testing, vulnerability scanning, and the use of both open source and commercial tools, similar to penetration testing techniques, to provide assurance against data leakage. A review from our QSA can be downloaded here: http://datadivider.com/resources/#pci-compliance

Q&A
What are the system requirements?
32/64-bit Windows XP, Vista, 7 or 8
SSH client (provided by DataDivider)
IE7 to IE10 (compatibility mode potentially required)
ActiveX RDP Client (provided by DataDivider via Microsoft)
Potential admin rights during install of the ActiveX RDP Client and the first RDP connection

Q&A
Can I switch payment provider?
Yes. DataDivider is payment gateway/processor agnostic: you can use one or many and switch between payment gateways at any time.
What tokens do you support?
DataDivider is token agnostic. We can work with tokens that you already have, tokens that are provided to you by your payment processor, or provide you with tokens. We also have the ability to ‘translate’ tokens if you need to communicate data between different third parties in different formats.

Q&A
Can this solution integrate with any application?
Yes, DataDivider can integrate with your internal ERP, CRM systems or other applications and replace sensitive data with tokens so that no cardholder data or other sensitive data ever enters your systems. We can also transmit other data between your application and your payment gateway in the format that you require.
How do you secure traffic between the client and the services?
Traffic is transmitted over HTTPS, within a Secure Browser, within SSH.

Q&A
What other services do you offer?
We offer a range of supplementary services to de-scope functions and network segments within your corporation, including application integration, voice solutions, IVR solutions, secure messaging and fax, secure printing and email gateway filtering, to prevent any sensitive data from re-entering your corporation. All services are fully secured, compliant and safe from data loss, protected for integrity, and can require strong authentication. We can also host entire applications and make them accessible to agents via IAT.

Q&A
What are some other features of the secure browser?
Zero-hour Malware Defense: blocks theft of keyboard inputs and screen capture.
Browser Process Isolation: blocks hostile code injection attacks (Man-in-the-Browser) and prevents hostile browser add-ons (plug-ins) from launching.
Browser Session Data Privacy: encrypts all disk-based session data (content, cookies, history) using 256-bit RC4.
Hostname Resolution Bypass: provides DataDivider hostname resolution, bypassing the local hosts file and DNS resolution and mitigating name-resolution-based attacks.
Content Information Controls: control file operations such as copy, save, clipboard, print and print screen.
Browser Firewall: controls browser connection destinations via a whitelist.
SSL Certificate Defenses: mitigates MITM / hostile SSL proxying of secured connections.
Session Timers: determine the overall session length as well as the user inactivity limit.
Virtual Machine / RDP Block: blocks access from a virtual OS or from terminal services connections.

More Questions? Please contact Info@DataDivider.com