PCI-Validated Point-to-Point-Encryption (P2PE)

PCI-Validated Point-to-Point-Encryption (P2PE) Client FAQ
913.888.0772 office
www.imodules.com web

What is P2PE?

Point-to-point encryption (P2PE) is a standard established by the Payment Card Industry (PCI) Security Standards Council. The objective of P2PE is to provide a payment security solution that instantaneously converts confidential payment card (credit and debit card) data and information into indecipherable code at the time the card is entered or swiped to prevent hacking and fraud.

Why do I need a P2PE solution?

iModules maintains compliance with the Payment Card Industry Data Security Standard (PCI DSS) and is certified compliant as a Level One Service Provider by a Qualified Security Assessor (QSA) authorized by the PCI Security Standards Council. This Level One compliance, the highest level of PCI DSS compliance, ensures that your e-commerce transaction data is securely protected, transmitted, and stored by iModules.

As part of updates to the Payment Card Industry Data Security Standard (PCI DSS), PCI 3.1 and 3.2, the compliance requirement now extends to your institution’s computers and network, making you responsible for protecting credit card information throughout your internal systems, from keyboard to network endpoint. This requirement is separate from iModules’ own compliance responsibility and ensures that credit card payments entered on devices at your institution through the Encompass administrative interface (on behalf of your constituents) are not left unencrypted and vulnerable to data breach upon entry or while being transmitted through your institution’s internal network to the endpoint for transmittal to iModules’ servers. This is what is referred to as a “card not present” transaction, meaning the constituent is not entering the credit card information via his/her own device.

What is a P2PE solution provider?

The P2PE solution provider is a third-party entity (for example, a processor, acquirer, or payment gateway) that has overall responsibility for the design and implementation of a specific P2PE solution, and manages P2PE solutions for its merchant customers. The solution provider has overall responsibility for ensuring that all P2PE requirements are met, including any P2PE requirements performed by third-party organizations on behalf of the solution provider (for example, certification authorities and key-injection facilities).

Why did iModules partner with Bluefin?

iModules has partnered with Bluefin Payment Systems, a leading provider of payment security solutions for U.S. and Canadian organizations, to provide the security and PCI scope reduction of Bluefin’s PCI-validated P2PE solution to organizations that use iModules. Bluefin is a Participating Organization (PO) of the PCI Security Standards Council (SSC); Bluefin’s P2PE systems have been audited and approved by the PCI Security Standards Council as validated solutions.

iModules’ partnership with Bluefin’s P2PE solution provides your institution with:

- Reduced time and cost investments: Reduce the amount you spend on annual PCI audits and compliance by limiting your cardholder data environment (CDE) with P2PE.
- Secure cardholder data: The ID TECH SREDKey keypad from Bluefin immediately encrypts your payment data.
- Increased device security: PCI-certified P2PE devices are designed to detect tampering. If malicious activity is detected, the device is automatically deactivated, preventing a breach at the point of entry device.
- One-on-one customer support: Your institution gets one-on-one support through a Bluefin relationship manager assigned directly to iModules clients.

How does Bluefin’s P2PE solution work?

Using keypad card entry hardware that connects to any device with a USB port, Bluefin’s PCI-validated P2PE solution encrypts cardholder data at the Point of Interaction (POI). Decryption is done off-site in an approved Bluefin Hardware Security Module (HSM). The solution prevents clear-text cardholder data from being present in your institution’s system or network where it could be accessible in the event of a data breach.

Bluefin will provide the keypad card entry device (ID TECH SREDKey) to your institution. The keypad device can be used with a laptop, Microsoft Surface, or any other computer with a USB port.

(Note: although the provided ID TECH SREDKey device includes a card swipe slot, iModules does not currently support swipe transactions.)

Will my institution need a new payment gateway?

No. The Bluefin P2PE system is separate from the payment gateway you use for your iModules transactions, and it supports all iModules API gateways.

Gateways supported with P2PE system:

- Authorize.net
- Beanstream
- CASHNet api (non-hosted)
- CyberSource
- Elavon Converge
- First Data Global Gateway
- IATS Payments
- Moneris eSelectPlus
- Nelnet QuikPay
- Official Payments
- PayPal PayFlow Pro
- TouchNet API Gateway

Gateways not supported with P2PE system:

- CASHNet hosted
- TouchNet T-Link

(Note: Hosted page gateways cannot be supported because card information is not collected in the iModules interface.)

Who provides customer support for the P2PE solution?

The P2PE solution and hardware will be sold, managed, and supported by Bluefin Payment Systems.

How does my institution get started?

Your institution will contract directly with Bluefin for the PCI-Validated Point-to-Point Encryption (P2PE) solution. You can request that someone from Bluefin contact you by filling out this short form: http://clients.imodules.com/p2pe request.
