Enterprise suite of software solutions

Midwest Users ConferenceSeptember 24 – 25, 2015

Justin Cox, Patty Holton, Nell W. McCauley & LeAyn Walton

Our History

In the early 1970’s SEDC, then known as Southeastern Data Cooperative, was formed as a cooperative corporation for the benefit of its member-owners. SEDC was created with the goal of developing computerized billing and capital credits systems.

There were 19 member cooperatives when SEDC opened for business.

We are proud to boast that all are still with us.

What is SEDC?

SEDC is an enterprise solutions company and industry leader in accounting, engineering, and operations services in our utility software solutions. It is governed by a board of directors.

We currently serve utilities in more than 35 states.

Engineering Services

A Total Enterprise Solution

UPNMobile Work

Force Management

Financial Services

Payroll Billing

Printing

And much more!

Our Innovations • First Real-Time Online Payment Transaction Portal

• First Integrated Real-Time Cash Register

• First Automated Imaging, Independent of Manual Scanning

• First Virtualized Oracle Enterprise Database Environment

• First Mobile App for Consumers

• First Cloud-Based Hardware Independent IVR

• First True Data Analytics & Data Blending

• First Fully Integrated, Real-Time Mobile Workforce Suite

• First Rules-Based Automation Engine

• First with 100% Database Encryption

Our VisionWe will continually advance the utilities’ ability to meet the changing

future by leveraging technologies so our customers can better manage their businesses.

•SEDC solves issues, prevents new ones, and provides support

•We take pride in providing exceptional support to our utilities

Confidential and Proprietary SEDC ©2015

Regard SEDC as an extension of your staff

SEDC CEO R.B. Sloan

How can we serve you?• Field Implementation Group (FIG) - Implement our software to new

customers

• Product Support (PS) - Answer customer software questions and write fix work orders• Billing Product Support | Accounting Product Support

• General Application

• Billing

• Technical Support (TS) - Answer customer technical questions and write fix work orders• Networking

• Systems

• Financial Services - Develop and maintain financial transaction integrity • Lockbox

• Convenience Fees

• Credit Card or E-Check

How can we serve you?• District Sales Managers - Obtain new SEDC customers or discuss new products available

in UPN

• Territory Managers - Customer advocates to help customers better utilize the system

• Marketing - Maintain SEDC website, create newsletters, assist with User Conferences

• Technical Documentation - Create and maintain all technical documents and design and conduct training both internally and externally

• Interface Group - Design and support applications related to interfaces

• Mobile Workforce

• Mobile App

• MDM

• Design - Develop ideas and write specifications for new development

• Programming (PG) - Programs the code based on specifications

• Quality Control (QC)/Software Quality Assurance (SQA) - Test the software for integrity

New or upcoming solutions independent of the Version 36 release

AutoCue IVRIVR Without the Hassle.

No hardware to purchase, no infrastructure to maintain, and no long term commitments. Pay for actual usage instead of paying a set fee every month.

No Busy Signal.SaaS, or “Software as a Service,” means your IVR service will scale to your needs, ensuring you can handle any amount of voice traffic with no delay, no dropped calls, and no busy signal. Your customers won’t notice, but that’s the point!

Voice to Text.Revolutionary. Give your customers the option of interacting with your IVR system via text, using the same prompts, questions and options as the voice option. And every interaction is safe and secure, protecting your customer’s information with SSL encryption.

AutoCue IVR• Is a cloud-based IVR solution

that you can manage

• Can coexist with your PBX (internal phone system)

• Supports unlimited inbound calls (if members dial in directly to the IVR system)

• Is secure (HTTPS, no logging of sensitive data, hashing algorithm)

• Has failover capability

• Make secure payments using Credit Card, Credit Card profile, or E-Check profile.

• Get extensive account information

• Request a payment arrangement

• Report an outage

• Select a language (English or Spanish)

• Transfer to an operator

• Switch to text messaging

How can you get started?

1. Contact Conner Buckley, Solutions Consultant or your Territory Manger to get the process started.

2. Fill out a short questionaire

3. Schedule deployment

4. Determine if this will be done remotely or on site

It’s that easy!

ReportIQ

Dig deep into your data to truly capitalize on the information

available.

Generate your data quickly, understand it easily, and

customize it exactly the way you want to see it.

Create your own custom analytics.

Use ReportIQ’s unlimited options to see patterns, identify

trends, and discover visual insights in seconds.

Reporting Made Easy

Your connectionto the entire SEDC community

• Customer ForumsConnect with other SEDC software users, exchange tips and solutions, share best practices.• Virtual help deskView knowledgebase articles, look up case solutions, and find fixes or work-arounds for existing issues.• Idea ExchangeHave ideas for new functionality or a software enhancement?Submit your idea and let the community weigh in!• Customer-reported issuesSee what other users have reported and determine if the circumstances of the issue affect your utility.

Our Team

Training Methodologies

Based on pilot customer feedback; cost effective, no travel expenses, yet still personal connection and experience of the instructor and other participants

Webinars

Some people prefer learning in person; may be able to accomplish a certification in one trip

Training Center

Training Methodologies

Customers can leverage time & cost of meetings by also taking courses towards their certifications

Regional Training

Convenient, flexible, and cost effectiveE-Learning

PCI and Cyber Security

http://map.norsecorp.com/

What is SEDC doing to make UPN PCI

compliant?

PCI and SEDC,a historical perspective

• Started as a “Level 3 Merchant” and the only “Merchant of Record” for all its utility customers

• Grew to become a “Level I Service Provider”

PCI Required Utility Responsibility

• Quarterly Network Scans from a qualified scanning vendor

• Fill out their Self-Assessment questionnaire (SAQ)

• Annual Penetration Test if applicable based on SAQ Results

• If you take credit cards in any form, then you are in scope and complying with PCI is now as far as anyone can see, as certain as death and taxes.

• There are broader cyber security issues at stake that PCI helps address.

Why Mandatory?

When is SEDC Requiring this?

• Currently, no deadline has been set.

• However, the expectation is that ALL of SEDC’s utilities start as soon as possible.

• Putting this into your 2016 budget should be viewed as mandatory.

A PCI Prioritized Approachhttps://www.pcisecuritystandards.org/documents/Prioritized_Approach_for_PCI_DSS_v3-1.pdf

Homeland Security Justice State Labor

Energy Defense Commerce Personnel Mgmt.

EPA Federal Reserve Food & Drug

THE STATE OF U.S. CYBERSECURITY:Private Sector Hacks in 2014

SEDC’s Secure Payment Gateway

• SEDC is a Service Provider

– PCI DSS-compliant

– PCI-DSS Report On Compliance (ROC)

– Annual On-Site PCI Data Security Assessment

– Quarterly Network Scan by an Approved Scanning Vendor (ASV)

– Annual Penetration Testing

• Transparent data encryption (TDE)

– Entire Database

– Logfiles

– Database Backups

– Database Exports

• Encryption key management

How will SEDC better protect your data? Advanced Security

Advanced Security

•All data encrypted by Oracle Wallet (keystore)

•All access is authorized via the key store

•Algorithm of choice is AES-256

What is required for Advanced Security?

•Version 36 must be installed

•Maintenance window to encrypt data

- It takes approx. 1 hour to encrypt 10 GB of data

• One time cost– Advanced Security module: $8,000

– Configuration fee: $2,000 - $3,000 (< 50k meters = $2,000;

> 50k = $3,000)

• Annual costs– Advanced Security Oracle Support: $2,000

Who to contact? Connor BuckleySolutions Consultantconnorb@sedata.com(770) 414-8400 – Ext. 2846

Advanced Security Pricing

How will SEDC better protect your data? Tokenization

• SEDC’s secure payment gateway will be receiving an upgrade

• Key components of the payment gateway upgrade include Tokenization (data at rest protection)

– Tokenization replaced actual card data with a unique ID

– Protects data at rest and in reoccurring transactions

– Effectively reduces PCI scope

SEDC’s Strategic Partner and Trusted Advisor- Elavon

PCI Compliance Manager by Elavon

• PCI Compliance Manager Portal

• External scan to find and fix vulnerabilities

• Self-Assessment Questionnaire (SAQ)

SEDC’s Trusted Advisor: Sunera

• PCI Gap Analysis

• ASV Scanning (Approved Scanning Vendor)

• Penetration Testing

•Procure some level of cyber liability insurance.

- Lockton- McGriff, Seibels & Williams, Inc.- Rural Federated Insurance

Recommended Utility Responsibility

Cybersecurity Insurance Trusted Advisors:

• http://www.federatedrural.coop

• http://www.lockton.com

• http://www.mcgriff.com/detail.cfm?id=138

Cybersecurity Insurance

Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.

http://www.dhs.gov/cybersecurity-insurance

EMV

• EMV Card Processing-Fraud prevention tool to validate the authenticity of a credit card in a card present environment (cash register)

• EMV does NOT apply to card not present transactions (Portal, SmartApps, UPN Inquiry, IVR, credit card draft, Auto Pay, or RPS)

• The liability shift on counterfeit card chargebacks originates from a face-to-face transaction (this type of fraud does not exist in our market today)

• SEDC will provide EMV capable devices in the next 12 – 24 months

EMV

SEDC Response Time to Vulnerabilities

Heartbleed Threat: On 4/15/14 LogMeIn announced they were vulnerable to a “man-in-the-middle” attack stemming from Heartbleed exploit.Remediation: SEDC followed LogMeIn remediation steps by changing all passwords on all windows logins on 4/17/15

ShellShock Threat: On 9/24/15 a vulnerability was discovered in BASH shell used on our Linux based systems.Remediation: SEDC made the patch available to its members on 9/26/15 following internal testing.

Poodle SSL 3.0 Threat: On 10/14/14 Google discovered a critical vulnerability in SSL Version 3.0 called POODLE (Padding Oracle On Downgraded Legacy Encryption)Remediation: SEDC Technical Services disable SSL 3.0 cipher suite on 10/23/14

Microsoft Vulnerability Threat: On 11/11/14 Schannel Protocol and Windows Object Linking and Embedding (OLE)Remediation: On 11/13/14 SEDC Technical Services applied windows updates to all customer servers to remediate the issue.

Ghost vulnerability Threat: On 1/27/15 Qualys reported a critical vulnerability named GHOST in the Linux glibc library which could allow an attacker to take control of a system remotelyRemediation: On 1/29/15 SEDC Technical Services made the patch available to all customer UPN and MDM database servers following internal testing.

HTTP.sys Threat: On 4/14/15 Microsoft announced a vulnerability in HTTP.sys Could Allow Remote Code ExecutionRemediation: On 4/18/15 SEDC Technical Services applied windows updates to all customer windows servers to remediate the issueMicrosoft Font Driver Threat: On 7/20/15 Microsoft announced a vulnerability in Microsoft Font Driver that could allow Remote Code ExecutionRemediation: On 7/21/15 SEDC Technical Services applied windows updates to all customer windows servers to remediate the issue

DHS Resources

• http://www.dhs.gov/about-critical-infrastructure-cyber-community-c%C2%B3-voluntary-program

• https://www.us-cert.gov/ccubedvp

• http://www.nist.gov/cyberframework/index.cfm

• Educate yourself:https://www.pcisecuritystandards.org

• General PCI Questions770-414-8400 option 5

• Pick Up Sunera, Elavon, and McGriff Flyers

Additional Information

Your Territory Manager

Purpose and Responsibilities

Territory Manager Mission Statement

As Relationship Managers, we are alink to coordinate the successful utilization

of our software solutions.

We want to help you capitalize on your investment and use the software to its fullest.

What is our Purpose?

•To be an advocate or liaison for our customers – we are your ‘go to’ team.

•To answer questions, provide information or coordinate quotes on new products.

•To keep you informed of new features, events, functionality, and announcements at SEDC.

Your TM’s objective during their visit•To assist with coordinating training, meetings, identifying whom to contact.

•To provide hands-on service and guide you through the process of setting up and turning on certain features.

•To discuss in detail the many functions and features available within the system that you may not be aware are available or how to utilize them.

Email:

tm@sedata.com

to reach ALL

Territory Managers

How to contact your Territory Manager

How to contact your Territory Manager

http://sedata.com login

• Service Area

• Phone numbers

• Email

How to contact your Territory Manager

Connect with us on LinkedIn

Follow us on Twitter

How to contact your Territory Manager

The Bridge will

soon be your

connection to

SEDC and

the Territory Managers.

We are here to serve you!

Character and commitment…your customer advocates.