
Corporate Connect Security — Encryption, Multi-Factor Authentication, and Compliance

Corporate Connect protects every commercial banking session with 256-bit TLS encryption, RSA SecurID multi-factor authentication, IP address whitelisting, and maker-checker dual authorization controls. The platform is SOC 2 Type II certified, PCI DSS compliant, and undergoes annual penetration testing by independent security firms.

US Bank operates under the supervision of the Office of the Comptroller of the Currency, and all eligible deposit accounts are protected by FDIC insurance. Corporate Connect's layered security architecture ensures that no single point of failure can compromise corporate payment operations or sensitive financial data.

[Figure: Corporate Connect security architecture showing encryption layers, MFA authentication, and compliance certifications]

Corporate Connect Security Overview — April 2026

  • 256-bit TLS encryption for all data in transit; AES-256 encryption for data at rest with HSM key management
  • RSA SecurID multi-factor authentication required for every login — hardware tokens or mobile push notifications
  • IP address whitelisting restricts Corporate Connect access to authorized office networks and VPN endpoints
  • Maker-checker dual authorization for all payment initiation above configurable dollar thresholds
  • SOC 2 Type II certified, PCI DSS compliant, annual penetration testing by third-party security firms
  • Comprehensive audit logging: operator ID, timestamp, IP address, and full transaction details for every action
  • FDIC insured deposits, OCC regulatory oversight, NMLS #401249, BSA/AML and OFAC compliance

Encryption and Data Protection in Corporate Connect

Corporate Connect applies multiple layers of encryption to protect corporate financial data from interception, tampering, and unauthorized access at every stage of processing.

Transport Layer Security — Data in Transit

Every connection between a user's browser and the Corporate Connect servers is encrypted using 256-bit TLS (Transport Layer Security). The platform enforces TLS 1.2 as the minimum protocol version and supports TLS 1.3 for clients that negotiate it. Weak cipher suites — including RC4, DES, and 3DES — are disabled entirely. Certificate pinning prevents man-in-the-middle attacks by validating that the server certificate matches a known fingerprint before establishing the encrypted session.

The TLS implementation uses AES-256-GCM (Galois/Counter Mode) for symmetric encryption, providing both confidentiality and integrity verification in a single cryptographic operation. Perfect forward secrecy (PFS) ensures that even if a server's long-term private key were compromised in the future, previously recorded sessions could not be decrypted. This is achieved through ephemeral elliptic-curve Diffie-Hellman key exchange (ECDHE), which generates a unique session key for every connection and discards the key-agreement secrets once the session is established.

Data at Rest — Storage Encryption and Key Management

Transaction records, beneficiary details, account information, and audit logs stored within Corporate Connect are encrypted using AES-256 at rest. Encryption keys are managed through dedicated hardware security modules (HSMs) that are FIPS 140-2 Level 3 certified. The HSMs generate, store, and rotate encryption keys within tamper-resistant hardware — keys never exist in plaintext outside the HSM boundary.

Database backups are encrypted with separate keys from production data, ensuring that a compromised backup cannot be decrypted using production credentials. Backup encryption keys are stored in a geographically separate HSM cluster. Data retention policies automatically purge records beyond the seven-year federal requirement, and cryptographic erasure renders deleted data unrecoverable even if storage media were physically accessed.

Multi-Factor Authentication and Access Controls

Corporate Connect requires every operator to authenticate with multiple factors before accessing any commercial banking function.

RSA SecurID Token Authentication

After entering a company ID, operator ID, and password, Corporate Connect requires a one-time passcode (OTP) from an RSA SecurID hardware token or a push notification approved through the RSA Authenticate mobile application. The hardware token generates a new six-digit code every 60 seconds using a time-based algorithm synchronized with the RSA authentication server. Codes cannot be reused and expire immediately after a single successful verification.

Failed authentication attempts trigger progressive lockout policies. Three consecutive incorrect MFA codes lock the account for 30 minutes. Five failures within a 24-hour period require administrator intervention to restore access. These thresholds are configurable by company administrators to match organizational security policies. All authentication events — successful and failed — are logged with timestamp, IP address, and device information for audit trail purposes.
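The progressive lockout policy described above, written out as an added example (not Corporate Connect's own code). The thresholds are the defaults stated on this page; the per-company override mechanism is assumed and represented here as module constants. A temporary lock clears on its own after 30 minutes, while the rolling 24-hour counter keeps accumulating until an administrator unlocks the operator.

```python
# Thresholds from the page; module constants here (assumption: the product
# stores them per company so administrators can override them).
CONSECUTIVE_LOCK_LIMIT = 3        # wrong codes in a row -> temporary lock
TEMP_LOCK_SECONDS = 30 * 60       # 30-minute lock
DAILY_FAILURE_LIMIT = 5           # failures in the window -> admin unlock needed
DAILY_WINDOW_SECONDS = 24 * 3600  # all times below are epoch seconds


class OperatorMfaState:
    def __init__(self):
        self.consecutive_failures = 0
        self.failure_times = []      # every failure in the sliding 24-hour window
        self.locked_until = None     # expiry of a temporary lock, if any
        self.admin_locked = False    # True until an administrator unlocks

    def status(self, now):
        if self.admin_locked:
            return "admin_locked"
        if self.locked_until is not None and now < self.locked_until:
            return "temp_locked"
        return "ok"

    def record_attempt(self, success, now):
        """Apply one MFA verification result and return the resulting status."""
        cutoff = now - DAILY_WINDOW_SECONDS
        self.failure_times = [t for t in self.failure_times if t > cutoff]
        current = self.status(now)
        if current != "ok":
            return current           # attempts during a lock are refused, not counted
        if success:
            self.consecutive_failures = 0   # a good code ends the streak, not the window
            return "ok"
        self.consecutive_failures += 1
        self.failure_times.append(now)
        if len(self.failure_times) >= DAILY_FAILURE_LIMIT:
            self.admin_locked = True
            return "admin_locked"
        if self.consecutive_failures >= CONSECUTIVE_LOCK_LIMIT:
            self.locked_until = now + TEMP_LOCK_SECONDS
            self.consecutive_failures = 0
            return "temp_locked"
        return "ok"

    def admin_unlock(self):
        # Administrator intervention clears every lock and counter.
        self.admin_locked = False
        self.locked_until = None
        self.consecutive_failures = 0
        self.failure_times = []
```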

IP Whitelisting and Session Controls

Company administrators configure IP whitelisting rules that restrict Corporate Connect access to specific network addresses — typically the organization's office networks and approved VPN endpoints. Login attempts from non-whitelisted IP addresses are blocked before the authentication process begins, preventing credential-based attacks from unauthorized locations.

Active sessions are subject to configurable inactivity timeouts. The default timeout is 15 minutes of inactivity, after which the operator must re-authenticate to continue. Concurrent session controls prevent the same operator credentials from being used on multiple devices simultaneously — a new login automatically terminates any existing session. Administrators can also terminate active sessions remotely through the user management module for immediate access revocation when an employee leaves the organization or a device is reported lost.

Maker-Checker Dual Authorization Workflow

The maker-checker control separates payment creation from payment approval, ensuring no single operator can authorize a transaction independently.

How Dual Authorization Works

The maker (first operator) creates a payment transaction — entering the beneficiary details, amount, value date, and purpose. The transaction enters a pending approval queue visible to authorized checkers. A different operator (the checker) reviews every field, compares it against the original payment instruction, and either approves or rejects the transaction. Approved payments proceed to settlement; rejected transactions return to the maker with comments explaining the reason for rejection.

For high-value transactions above a configurable threshold, Corporate Connect supports a third-level supervisor approval. The dollar thresholds, the roles authorized to serve as checker or supervisor, and the transaction types subject to dual authorization are all configurable by the company administrator through the user management module.
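The maker-checker workflow described in this section, including the third-level supervisor approval, as an added example that is not Corporate Connect's own code. The dollar thresholds are constructed sample values; the roles, queue and user management module of the real product are assumed and reduced to function arguments.

```python
from dataclasses import dataclass, field

# Constructed sample thresholds (assumption: the product stores them per company).
DUAL_AUTH_MIN = 10_000.00     # at or above: a checker must approve
SUPERVISOR_MIN = 250_000.00   # at or above: a supervisor must also approve


@dataclass
class Payment:
    payment_id: str
    maker: str
    amount: float
    beneficiary: str
    status: str = "pending"                          # pending -> approved / rejected
    approvals: list = field(default_factory=list)    # operator IDs that approved
    comments: list = field(default_factory=list)     # rejection reasons for the maker


def required_approvals(amount):
    """Number of distinct non-maker approvals a payment of this amount needs."""
    if amount >= SUPERVISOR_MIN:
        return 2   # checker, then supervisor
    if amount >= DUAL_AUTH_MIN:
        return 1   # checker only
    return 0       # below the dual-authorization threshold


def review(payment, operator, role, approve, comment=""):
    """Apply one checker or supervisor decision and return the new status.
    Separation of duties: the maker never approves their own payment, and
    no operator may approve the same payment twice."""
    if payment.status != "pending":
        raise ValueError(f"payment {payment.payment_id} is already {payment.status}")
    if operator == payment.maker:
        raise PermissionError("maker cannot act as checker on their own payment")
    if operator in payment.approvals:
        raise PermissionError("operator has already approved this payment")
    if not approve:
        payment.status = "rejected"
        payment.comments.append(f"{operator}: {comment}")   # returned to the maker
        return payment.status
    needed = required_approvals(payment.amount)
    # The final approval above the supervisor threshold must come from a supervisor.
    if needed == 2 and len(payment.approvals) == 1 and role != "supervisor":
        raise PermissionError("final approval on a high-value payment requires a supervisor")
    payment.approvals.append(operator)
    if len(payment.approvals) >= needed:
        payment.status = "approved"
    return payment.status
```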

Fraud Prevention and Anomaly Detection

Real-time fraud monitoring analyzes every transaction against behavioral baselines. Unusual patterns — a wire to a new international beneficiary, a payment amount significantly larger than historical averages, or a transaction initiated outside normal business hours — trigger automated alerts to the company administrator and the US Bank fraud operations team. Transactions flagged as high-risk are held for additional review before settlement.

BSA/AML screening checks every outbound payment against federal anti-money laundering databases. OFAC sanctions list verification runs before payment execution to ensure compliance with US Treasury Department economic sanctions programs. These compliance checks are automatic and invisible to the operator — flagged transactions are escalated to the US Bank compliance team for manual review.

Corporate Connect Security Layers

Each layer of the Corporate Connect security architecture addresses a specific threat vector, from network interception to insider fraud.

| Security Layer | Technology | Threat Addressed | Certification / Standard |
|---|---|---|---|
| Transport Encryption | 256-bit TLS 1.2/1.3 with AES-256-GCM | Data interception in transit | NIST SP 800-52 |
| Storage Encryption | AES-256 at rest with HSM key management | Unauthorized data access at rest | FIPS 140-2 Level 3 |
| Multi-Factor Authentication | RSA SecurID hardware tokens / push MFA | Credential theft and phishing | NIST SP 800-63B (AAL2) |
| IP Whitelisting | Network-level access control lists | Unauthorized location access | NIST SP 800-41 |
| Dual Authorization | Maker-checker workflow with configurable thresholds | Insider fraud and payment errors | COSO Internal Controls |
| Session Management | Timeout, single-session, remote termination | Session hijacking and stale sessions | OWASP Session Guidelines |
| Fraud Monitoring | Real-time behavioral analysis and anomaly detection | Unusual transaction patterns | BSA/AML, OFAC |
| Audit Logging | Immutable event logs with 7-year retention | Accountability and regulatory compliance | SOC 2 Type II |
| Penetration Testing | Annual third-party testing with remediation SLAs | Application and infrastructure vulnerabilities | PCI DSS Requirement 11.3 |
| Vulnerability Scanning | Continuous automated scanning, 48-hour patch SLA | Known CVEs and zero-day exploits | PCI DSS Requirement 11.2 |

Security controls are audited annually under OCC supervision. SOC 2 Type II reports are available to enterprise clients upon request.

Compliance Certifications and Regulatory Framework

Corporate Connect operates within a comprehensive regulatory and certification framework that governs every aspect of commercial banking security.

SOC 2 Type II

An independent auditing firm evaluates Corporate Connect's security, availability, processing integrity, confidentiality, and privacy controls over a continuous 12-month period. The resulting attestation confirms that controls are not just designed appropriately but operate effectively throughout the year. Enterprise clients receive the full report through their relationship manager.

PCI DSS Compliance

Corporate Connect meets Payment Card Industry Data Security Standard requirements for handling corporate card data. This includes network segmentation, access control, encryption, vulnerability management, and monitoring. PCI DSS compliance is validated annually through a qualified security assessor (QSA) audit and quarterly network scans by an approved scanning vendor (ASV).

Federal Banking Regulation

US Bank is regulated by the Office of the Comptroller of the Currency and insured by the FDIC. NMLS registration #401249 confirms nationwide banking licensure. BSA/AML compliance programs, OFAC sanctions screening, and Regulation E protections are enforced across all Corporate Connect payment channels. Audit-ready reports support both internal compliance teams and external examiners.

Security Questions About Corporate Connect

Contact the Corporate Connect security team to discuss encryption standards, compliance certifications, penetration test results, or custom security configurations for your organization. Enterprise clients can request the full SOC 2 Type II report through their relationship manager.


Frequently Asked Questions About Corporate Connect Security

Answers about encryption, authentication, dual authorization, compliance certifications, and penetration testing.

What encryption does Corporate Connect use?

Corporate Connect uses 256-bit TLS (TLS 1.2/1.3) with AES-256-GCM for data in transit. Data at rest is encrypted with AES-256 using FIPS 140-2 Level 3 certified hardware security modules (HSMs) for key management. Perfect forward secrecy via ECDHE ensures that past sessions remain secure even if the server's private key is later compromised.

How does multi-factor authentication work in Corporate Connect?

After entering company ID, operator ID, and password, users must provide a one-time passcode from an RSA SecurID hardware token or approve a push notification via the RSA Authenticate app. Codes rotate every 60 seconds. Three consecutive failures trigger a 30-minute lockout; five failures require administrator unlock. See the login guide for step-by-step instructions.

What is maker-checker dual authorization?

Maker-checker requires two separate operators to complete a payment. The maker creates the transaction; a different operator (checker) reviews and approves it. Dollar thresholds for mandatory dual authorization are configurable. High-value transactions can require a third-level supervisor approval. This control prevents both insider fraud and payment errors.

Is Corporate Connect SOC 2 Type II certified?

Yes. An independent auditing firm evaluates Corporate Connect's security, availability, processing integrity, confidentiality, and privacy controls over a continuous 12-month period. The Type II attestation confirms controls operate effectively throughout the year. Enterprise clients can request the full report through their US Bank relationship manager.

How often does Corporate Connect undergo penetration testing?

At least annually by independent third-party security firms. Tests cover SQL injection, XSS, session hijacking, privilege escalation, and API abuse. Findings are remediated within defined SLAs and verified through retesting. Continuous automated vulnerability scanning supplements the annual penetration test, with critical patches applied within 48 hours.