©9cardconnect™ Patented Data Security by CardConnect CardConnect has been awarded two United States Patents for securing confidential information through tokenization. There is a critical need to secure payment card information, personally- identifiable information (PII), and other types of confidential information that Official Definitions a business collects related to their customers, patients, and employees. To ensure that this need is met, all computer systems a business uses to process unencrypted confidential information, and possibly an entire corporate data Cardholder data: PCI DSS standards define cardholder data as any clear center, must be compliant with a variety of regulations. The cost of compli- gr encrypted primary ance, as well as the cost of verifying compliance, can be substantial, both account number (PAN), and operationally and financially. declare any system that “processes, stores or During the past 20 years, CardConnect has become quite familiar with these transmits” cardholder data, regulations when architecting enterprise-level payment solutions for dozens as well as any system on of corporations. CardConnect has worked to develop solutions that minimize the same network segment, the exposure and risk a business has when handling confidential information. must comply with the DSS The end result is a patented system that uses tokenization in regards to the Standards. introduction, storage and use of confidential information in corporate enter- Personally-identifiable prise systems. information (PII): : .. . Government agencies Whats tokenization? describe Pll as information which can be used to distinguish or trace an individual's identity (name, social security number, no algorithmic relationship with the original piece of data (such as a credit biometric records) alone, or card number), meaning the token is irreversible, and cannot be unlocked with when combined with other a decryption algorithm. The only application that contains the token's corre- personal or _ identifying. sponding confidential information is the tokenizer, which is securely hosted information which is linked linkable to a specific and protected by CardConnect. or PEPE EN SEINE individual (date and place of Due to the irreversible nature of the token, tokens canbe used in any applica- birth, mother’s. maiden tion without the application, business system, or network having to comply ame). with regulatory standards, such as the Payment Card Industry Data Security Standard (PCI DSS). Before confidential information can enter a business system, application or computer, the information is captured and stored within a tokenizer. The tokenizer then returns a random string of data called a token. The token has cardconnect.com info@cardconnect.com©9cardconnect™ How CardConnect’s Patented Tokenization Stacks Up Token Security Token Intelligence Merchant Specific Security “High-Value” Token PCI Scope Reduction Keyed-in Card-Not- Present transactions Card Present Transactions E-Commerce Integration Capabilities History of Protecting Payments cardconnect.com cp Peewee) Luhn Test; BIN Recognition Single use, intelligent token - unique to eer eC ec ccccis eae gcd Prey tion of CardConnect's jon and integrated hardware (PANpad and P2PE terminals) help take a Le een aes ary tees PANpad device encrypts and tokenizes card ‘number immediately, removing customer Peete suena’ EMV-compatible P2PE devices resistant to pone eager ee eves tea Developer friendly API that brings secure ieee eters applications err ni ‘multiple Fortune 500 corporations without Pace ora foes Integrated Business Systems| Industry Standard Derivative Token (could potentially be hacked) Unrelated to 16-digit card number Multi-use token ~ Using the same token for ‘multiple merchants isa security risk Individually Administered Token ~ anew token is issued for every transaction Even with a quality tokenization solution, workstations and POS systems remain in scope of PCI compliance and potentially susceptible to catastrophic data breaches. Card number entered via standard keyboard, leaving the customer service workstation subject to PCI regulations Standard swipe terminal potentially susceptible to malware attacks Basic encryption solutions that leave website for e-commerce application in PCI scope Integration requires costly customization info@cardconnect.com