From: J.D. Oder II
Sent: Thursday, May 17, 2018 8:37 AM
To: Taylor Laurer
Subject: Fwd: Goetia

So here Taylor is in at the bottom.

Begin forwarded message:

From: "Taylor Laurer"
Date: May 17, 2018 at 8:32:17 AM MDT
To: "J.D. (){)er II"
Subject: Re: Goetia

Hey JD,

So I've played with Goetia a lot. I'll admit, it's a little addicting.

The tokenization process within Goetia is actually not tokenization at all. The card numbers,
when stored on the device, are encrypted using a very strong encryption algorithm. The
encryption method is DUKPT, which is a key management system.

When you store a credit card in Goetia, the PAN is encrypted in a string that is sent to the
Shift4 API and stored not only in that format but also in a UTG2-t-xxxxxxxx format. It allows
you to run transactions by using either the encrypted string (that only we can read) or the
UTG2. The UTG2 tag is not a token at all.

So this is a bit of a concern to me and why I don't promote the use of Goetia outside of i4Go.

It's very easy to run a credit card through Goetia, copy the customer's PAN, and use that
information within the UTG2.

If a customer discovered that their card was being used through a UTG2 tag even if the card
holder's PAN was stored elsewhere they could try to sue for something under the PCI
regulation.

If they stored their card with a merchant that didn't use Goetia, it's not an issue. Only the
merchants using Goetia would have access to their card.

Let me know if you need me to explain this over a quick call. I can tell you that when I
talked about this to Jon 0, he was equally confused about the security behind it.

Best,
Taylor Laurer

On Thu, May 17, 2018 at 8:21 AM, J.D. Oder II <jod > wrote:
What's the Goetia security stuff you were telling rock about?

J.D. Oder II
Chief Executive Officer

Shift4 Payments
SHIFT (fJ
PAYMENTS

From: J.D. Oder II
Sent: Saturday, June 23, 2018 12:23 PM
To: Taylor Laurer; Michael J. Russo
Subject: Fwd: Gateway Funnel

All you. What’s the plan joe?

Begin forwarded message:

From: "J.D. Oder II"
Date: June 23, 2018 at 11:05:57 AM MDT
To: "Jared Isaacman"
Cc: "Daniel Montell;

Subject: Re: Gateway Funnel

So I assume you guys are looking into Goetia being a core for Lighthouse?

Sent from my iPhone

On Jun 23, 2018, at 10:58 AM, Jared Isaacman wrote:
>
> All our focus is the gateway so all hands on that.

From: Jared Isaacman [mailto:jisaacman@shift4.com]
Sent: Friday, February 21, 2020 3:29 PM
To: J.D. Oder II <jod >
Cc: Daniel Montell <dmontell@shift4.com>
Subject: RE: CardConnect

Understood.
So to summarize the present circumstances:
•    A suite of 5 products (or capabilities) doesn’t matter if they are all dependent on one – the
gateway. As you said, it is a single point of failure. Our efforts should be entirely devoted towards
correcting the gateway deficiencies and building stability irrespective of those 5 capabilities. In no
way should our solution be “go around the gateway” and then return in 5 years to clean up the mess.
•    There should not be mass migrations without migrations having been tested. You have made
this point numerous times with respect to Goetia. You always said, prove it and test it, before you
migrate it.
•    We should be very careful in using bolt-on’s to solve critical problems. While I respect your
view of bolt-on’s in order to achieve redundancy, you have almost always been critical of using
another company’s tech to solve an immediate problem.

From: J.D. Oder II
Sent: Friday, February 21, 2020 5:50 PM
To: Jared Isaacman
Cc: Daniel Montell
Subject: Re: CardConnect

Agreed.

And yes.

But it does put us in the same position we were in before.

I've never approved bolt-ons unless they were to solve a short term problem of if they were to
be used for redundancy.

As with Goetia. You can't migrate without proving and testing.

Sent from my Verizon, Samsung Android 18

ISAACMAN, JARED
From:
Sent:
To:
Cc:
Subject:

Attachments:

Taylor Laurer
Friday, May 18, 2018 1:23 PM
Daniel Montell
J.D. Oder II; Joe Mach
RE: Text from Taylor Laurer

image001.png; image002.png; image003.png; image004.png

Sounds good. I have a meeting with the product team at 1:30 that I can ask them about this on.

Best,
Taylor Laurer |

| t:
| e:

From: Daniel Montell <dmontell@shift4.com>
Sent: Friday, May 18, 2018 1:21 PM
To: Taylor Laurer <tlaurer@shift4.com>
Cc: J.D. Oder II <jod@shift4.com>; Joe Mach <joem@shift4.com>
Subject: RE: Text from Taylor Laurer

Can you engage someone on the product team to perform an assessment on this and share back
with us early next week?

From: Taylor Laurer
Sent: Friday, May 18, 2018 12:53 PM
To: J.D. Oder II; Joe Mach
Cc: Daniel Montell
Subject: Text from Taylor Laurer

SHIFT (fJ
PAYMENTS

J.D. Oder II at 12:48 PM
Not sure this is totally accurate. I mean I
can use i4Go on my phone and not pay a fee.

Need to look into it more

Taylor Laurer at 12:50 PM
I mean that the customer always pays a fee
when using our 4Go product, whether
using the app, the terminal or the website
version.

J .D. Oder II at 12:50 PM
I can use the app and not pay anything.

Taylor Laurer at 12:51 PM
Oh really? They must have had some
setting turned on for that.

J.D. Oder II at 12:52 PM
Nope

Taylor Laurer at 12:52 PM
We need to do some more work

J.D. Oder II at 12:52 PM
I'll run a couple of them now.

ISAACMAN, JARED
From:   Taylor Laurer
Sent:   Wednesday, June 20, 2018 1:08 PM
To: J.D. OderII
Subject: Fwd: Goetia

Begin forwarded message:

From: "Taylor Laurer" <tlaurer@shift4.com>
Date: June 20, 2018 at 12:55:03 PM MDT
To: "Jon 0" <jono@shifM.com>, "Nate Hirshberg" <nhirshberg@shift4.com>
Cc: "J.D. Oder II" <jod@shift4.com>
Subject: Goetia

Hey Jon,

I hate to put this in an email, but I have too much on my plate today to spend a significant amount of
time discussing this

I was asked by JD and Dan to review the security flaws in the Goetia product from a PCI perspective.
After researching, testing and reviewing the product and the code behind how it works, I've provided
my professional recommendation that we do not promote the usage of the product outside of being a
means of running transactions through i4Go on the P400/bbpos.

We would be putting the company at great risk of major legal issues by promoting the usage of Goetia.

I do need to have a conversation in person or over the phone where I can be more direct than I can be in
an email if you'd like.

Best,
Taylor Laurer |
t:  | e:

ISAACMAN, JARED
From:
Sent:
To:
Subject:

J.D. OderII
Wednesday, May 7, 2018 3:45 PM
Jared Isaacman; Daniel Montell
RE: goetia

I didn't know it was broke. No one is in that department right now so who knows when it
will be fixed.

         ISAACMAN, JARED
         From:
         Sent:
         To:
         Subject:

Taylor Laurer
Friday, May 18, 2018 10:23 AM
Daniel Montell
RE: Text from Taylor Laurer

Sounds good. I have a meeting with the product team at 1:30 that I can ask them about this on.

Best,
Taylor Laurer |

| t:
|e:

        From: Daniel Montell <dmontell@shift4.com>
        Sent: Friday, May 18, 2018 1:21 PM
        To: Taylor Laurer <tlaurer@shift4.com>
        Cc: J.D. OderII <jod@shift4.com>; Joe Mach <Joem@shift4.com>
       Subject: RE: Text from Taylor Laurer

         Can you engage someone on the product team to perform an assessment on this and share back
      with us early next week?

          From: Taylor Laurer
          Sent: Friday, May 18, 201812:53 PM
          To: J.D. Oder II; Joe Mach
         Cc: Daniel Montell
         Subject: Text from Taylor Laurer

SHIFT (fJ
PAYMENTS