Trust Guard PCI Certification Service Technical White Paper

Trust Guard provides PCI DSS compliant scans that exceed PCI requirements.

The fact is that all businesses that store, process, or transmit payment cardholder data must be PCI compliant. There are certainly many avenues available today through which to achieve compliance, but it is well to note that the security requirements are rigorous, the compliance mandate specific and absolute, and the road to compliance an often-changing endeavor.

What's more, your IT administration team is surely more concerned with maintaining your enterprise day to day than with implementing strategic processing benchmarks, particularly when they are subject to change at a moment's notice. If you process transactions from American Express, Discover, JCB, MasterCard, and Visa International, you need a secure environment that puts as few demands on your existing resources as possible, securely implements all PCI DSS controls, and gives you the confidence that your transaction environment will retain its compliance in the event of modifications to the standard. Trust Guard offers you all of this and more. It requires no changes to your infrastructure, no purchase of additional hardware or network security mechanisms, and no maintenance whatsoever by your otherwise-engaged IT team. We provide seamless compliance through managed private clouds.

PCI DSS Compliance Summary

Trust Guard is positioned at the forefront of providing vendor compliance services for the Payment Card Industry Data Security Standard. PCI DSS is a self-imposed mandate by the payment card industry for safeguarding all data associated with credit and debit card transactions. It applies to all companies that process and maintain cardholder data, and is endorsed by Visa Inc., MasterCard Worldwide, Discover Network, American Express and JCB.

The critical importance of safeguarding personal transaction data cannot be overestimated. It speaks to the credibility of an organization, the integrity of its business practices, and ultimately its veracity as a business itself. Our PCI Compliant Service Provider status assures you that our strategy meets or exceeds all existing PCI standards. We employ a multi-tiered, comprehensive suite of services to assure PCI DSS compliance and perform frequent assessments of our solutions in the face of changing and emerging technologies. PCI DSS is a road map of a changing road, and we will not use obsolete strategies in an arena of such high stakes.

How our Security Scanning works

Web Application Scanning Service

Trust Guard scans all applications residing on your enterprise's web servers, proxy servers and web application servers, as well as all active web services. The scanner crawls your entire website, analyzing each file it finds, and displays the entire website structure. It then performs an automatic audit for common web security vulnerabilities by launching a series of web attacks. Web applications are deconstructed at the code level to reveal potentially malicious code sequences and embedded scripts that could launch an attack.

A total vulnerability solution for your enterprise includes Trust Guard's network vulnerability scanning. It scans all open network ports, IP addresses, and network-resident operating systems to safeguard all processing and data handling across your entire network.

We are confident that Trust Guard is among the most refined and accurate web application vulnerability scanning solutions ever devised. We run literally thousands of scans per day, and are experts in both their deployment and their subsequent interpretation. The net results of performing a web application audit using Trust Guard are:

- Enhanced web application security
- Improved risk visibility
- Diminished web application maintenance costs
- Compliance with regulatory agency mandates

Trust Guard recommends a complete vulnerability scan of a network at least on a quarterly basis.

Trust Guard PCI Certification Solution Features

- Detects vulnerabilities from a current database of known existing flaws
- Deep scanning capabilities detect and report alerts for the following types of vulnerabilities:
  - Cross Site Scripting (XSS)
  - SQL Injection Flaws
  - Information Leakage and Improper Error Handling
  - Broken Authentication and Session Management
  - Failure to Restrict URL Access
  - Improper Data Validation
  - Cross Site Request Forgery (CSRF)
  - Insecure Direct Object Reference
  - Insecure Cryptographic Storage
  - Insecure Communications
  - Malicious File Execution

- Analyzes an application's code content, including PHP, ASP, .NET components, and JavaScript
- Detects sensitive content in HTML (transaction card data, SSNs)
- Crawls and analyzes all website components, including Flash objects, SOAP app-to-app communication links, and AJAX routines
- Finds SQL injection flaws and cross-site scripting
- Uses browser emulation to find and test all links
- Deep-level scans and thorough coverage
- Low false positive/negative ratio

Many out-of-the-box web application vulnerability scanners are available, but none come with the network security credentials of Trust Guard. Our customized solution is constantly updated to reflect newly discovered problems and security flaws, and our results are guaranteed. Our many years of network security service stand behind every scan we perform.

Trust Guard PCI Certification solutions offer merchants, service providers and authorized users access to a web-based security portal. The easy-to-use interface enables users to enter their IP address information and instantly initiate PCI compliance scans. Users may also repeat or reschedule their security scan at no additional cost. Following the completion of a security scan, the user will receive a Detailed Vulnerability Report and an Attestation of Compliance Report. The Attestation of Compliance Report is the document required by your merchant bank to confirm compliance.

Our Certified ASV scanning partner is Clone Systems, Inc.

Trust Guard® LLC, All Rights Reserved. The reproduction, distribution, display or transmission of the content of this site is strictly prohibited. All other company and product names may be trademarks of the respective companies with which they are associated.
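As an added illustration of what the "sensitive content in HTML" check above has to do (example code written for this page, not Trust Guard's scanner): a minimal PAN and SSN detector run over a constructed page body, using the Luhn check to drop look-alike numeric ids such as order or tracking numbers, and masking each finding so the scan report itself does not become a cardholder-data leak. The sample HTML, the regular expressions and the function names are assumptions; the card numbers are the public brand test numbers.

```python
import re

# Constructed sample of a rendered checkout page that leaks cardholder data.
# The card numbers are the public brand test numbers, not real accounts.
SAMPLE_HTML = """<html><body>
<p>Order #1001 confirmed.</p>
<p>Card on file: 4111 1111 1111 1111 (Visa)</p>
<p>Alt card: 5555-5555-5555-4444</p>
<p>Tracking id: 1234567890123456</p>
<!-- debug: ssn=123-45-6789 -->
</body></html>"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every major card brand's PAN satisfies it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Report at most the first six and last four digits (PCI DSS 3.3 masking)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_html(html: str) -> dict:
    """Return masked PAN and SSN findings for one page body."""
    pans = []
    for m in PAN_RE.finditer(html):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn filters long numeric ids (order, tracking) that are not PANs.
        if luhn_ok(digits):
            pans.append(mask_pan(digits))
    ssns = ["***-**-" + m.group(0)[-4:] for m in SSN_RE.finditer(html)]
    return {"pans": pans, "ssns": ssns}


if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```

A scanner that matches digit runs without the Luhn filter would also flag the tracking id, which is the false-positive ratio the feature list refers to.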