Payment Services PCI Compliance and Data Security Standard...Jul 03, 2017  · CUSI understands the...

Payment Services PCI Compliance and Data Security Standard


Copyright © 2018 CUSI, Inc. All rights reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission from CUSI, Inc. All copyright, confidential information, patents, design rights and all other intellectual property rights of whatsoever nature contained herein are and shall remain the sole and exclusive property of CUSI, Inc. Ltd.

The information furnished herein is believed to be accurate and reliable. However, no responsibility is assumed by CUSI, Inc. for its use, or for any infringements of patents or other rights of third parties resulting from its use.

The CUSI, Inc. name and CUSI, Inc. logo are trademarks or registered trademarks of CUSI, Inc. Limited.

All other trademarks are the property of their respective owners.


Dear CUSI’s Valued Clients:

CUSI understands the importance of PCI Compliance and Data Security as it relates to our clients. The Payment Card Industry Data Security Standard is a set of security standards designed to ensure all companies that accept, process, store or transmit credit card information maintain a secure environment. CUSI has designed our technology platform with built-in protections for our clients at both the application and payment processor level.

CUSI’s Utility Billing Application and Customer Web Portal are designed not to store credit card holder data, meaning no cardholder data is stored, processed, or transmitted on the Utility’s applications or premises. In essence, Utilities are PCI “Out of Scope” in terms of the on-premise and online software powering their payment processing. As required, CUSI utilizes a third-party auditor to certify the applications as being PCI compliant. CUSI has partnered with industry-leading payment processors to manage the collection and storage of all cardholder data. As an additional layer of security, CUSI’s Payment Processors meet all requirements for PCI DSS for POS/Card Present, Internet/E-Commerce, and MOTO/Call Center transactions through a process called “tokenization”. Tokenization protects bank account numbers and credit card numbers in a secure, virtual vault that can be transmitted across wireless networks without adding unnecessary risk. A payment gateway stores sensitive data that allows for the random token to be generated. You will find our Payment Processor’s Attestation of Compliance for Onsite Assessments in this package.

CUSI will continue to implement and deploy the latest cyber security standards to our payment applications and devices to ensure an appropriate level of risk to our clients. We hope this package will alleviate any concerns you have in regards to PCI Compliance and our efforts to minimize your risk. Please reach out to us with any additional concerns or questions.

Best,

Morgan Jines
Payment Services Operations Manager


1228 East 7th Ave. Suite 200 Tampa, FL 33605 t 800.770.2701 f 813.433.5441 w kirkpatrickprice.com

July 3, 2017

Derek Johnson
Director of Product Development
Continental Utility Solutions, Inc.
300 S. Church Street, Ste. 200

Kirkpatrick Price, Inc. (KP) was contracted by Continental Utility Solutions, Inc. (CUSI) to perform a third-party audit of the CUSI Customer Web Portal. The goal of the review was to ensure the software, as implemented, meets the following Payment Card Industry Data Security Standard (PCI DSS) requirements for e-commerce merchants.

Kirkpatrick Price performed a code review of CUSI’s “transparent redirect” payment processing on the Customer Web Portal. The code showed that the transferred payment control is redirected to the payment processor. The sample code showed that no cardholder data was stored, processed, or transmitted over the Customer Web Portal. KP’s security analyst logged into the test site, captured data, and reviewed the captured packets.

Kirkpatrick Price conducted an analysis of the live Customer Web Portal with a test user account. While the test user was logged in, a payment was made, and the web transaction data was captured. The analysis of the live site data capture indicated that no cardholder data was stored, processed, or transmitted through the Customer Web Portal, as required by the PCI DSS. For more information on PCI DSS requirements, as it relates to e-commerce merchants, please see https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf

In conclusion, Kirkpatrick Price has determined that CUSI has fully outsourced all cardholder data functions to PCI DSS 3.2-compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

Sincerely,

Damon Sullivan, CPA

Kirkpatrick Price, Inc.
