QSA Coalfire Systems' Assessment Says App is Not Within Scope of PA-DSS; Mobile Payment Solution for Smartphones, PDAs and Tablets Can Reduce Scope of Overall PCI DSS Compliance
SAN JOSE, CA - VeriFone Systems, Inc. (NYSE: PAY), today announced that an independent evaluation by Coalfire Systems, Inc., a leading IT audit and compliance firm, has validated the security compliance of VeriFone's PAYware Mobile Enterprise solution for enabling smartphones, PDAs and tablets to securely accept payments.
Coalfire, a PCI Qualified Security Assessor (QSA) and PCI Qualified Payment Application Security Assessor, determined that the PAYware Mobile Enterprise application does not capture, store, process or transmit cardholder data as part of authorization or settlement, and thus "is not within scope of PA-DSS." As recently outlined by the PCI Security Standards Council, applications that do not store, process, or transmit cardholder data do not fall under the PA-DSS program.
"Coalfire's assessment provides merchants with the assurance they can use a mobile-based payment application without violating the PA-DSS standard and can safely deploy the VeriFone solution without risking PCI DSS compliance," said Erik Vlugt, VeriFone vice president of marketing for retail and vertical segments. "Those merchants who choose PAYware Mobile Enterprise to revolutionize customer service and store operations can save considerable cost, time, and effort in their compliance efforts."
According to Coalfire's report, when implemented according to specific PCI guidance provided by VeriFone, the company's PAYware Mobile solution "can be deployed in a fully PCI DSS compliant manner and can reduce the scope of PCI DSS compliance in a merchant environment."
PAYware Mobile Enterprise integrates with existing in-store POS systems and incorporates a PCI PTS-approved card encryption sleeve and PIN debit keypad, as well as a 2D bar code scanner for quickly and efficiently performing mobile checkout or inventory control tasks. VeriFone's mobile payment solution for enterprise retail environments also incorporates VeriShield Total Protect, Secured by RSA, providing end-to-end data encryption and tokenization so that no card data can be transmitted or stored in an insecure manner.
Coalfire determined that VeriFone's mobile payment solution complies with Visa Best Practices for Mobile Payment Acceptance Solutions v1.0, released on 27 April 2011, and evaluated three key aspects of VeriFone's PAYware Mobile for small to medium-sized merchants and PAYware Mobile Enterprise for large retail enterprises:
o The PAYware Mobile card encryption sleeve can be deployed in a PCI DSS compliant manner and reduce the scope of PCI DSS compliance for merchants.
o The PAYware Mobile POS application running on a mobile device with the card encryption sleeve and VeriShield Total Protect is out of scope of PA-DSS as it does not capture, store, process or transmit cardholder data as part of authorization or settlement.
o Forensic analysis of the mobile device in scope of this assessment showed no transmission or persistence of unencrypted cardholder data during and following card present transactional testing.
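The third finding rests on a check any merchant or assessor can reproduce: scan what the device actually stored and sent for anything that looks like a primary account number (PAN). The following is an added example, not code from Coalfire's report or from VeriFone, showing the usual approach: pull candidate digit runs out of a storage or capture dump, keep only those that pass the Luhn check (which drops most serial numbers and timestamps), and report them masked so the forensic log itself does not become cardholder data. The two dumps (`CLEAN_DUMP`, a tokenized/encrypted record, and `RAW_DUMP`, a leaky debug log) are constructed for the example, and the test PANs are the well-known 4111... and 5555... test numbers, not real cards.

```python
"""Luhn-validated PAN scan over a device storage or packet-capture dump.

Added illustration of the forensic check described above; constructed input,
not Coalfire's or VeriFone's tooling.
"""
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally grouped with single spaces or dashes,
# not embedded in a longer digit run (lookaround on both ends).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample 1: a record as a P2PE/tokenizing sleeve would leave it on
# the device: transaction id, amount, token, ciphertext, timestamp. No PAN.
CLEAN_DUMP = (
    b"txn=8841 amount=1999 tok=tok_9f3c1a7b2e55 "
    b"ct=9c3fa17e02bd5e4417c8a6 ts=20110427T153000Z"
)

# Constructed sample 2: a debug log that leaks plaintext track data. The
# "serial" is 16 digits but fails Luhn and must not be reported.
RAW_DUMP = (
    b"serial 4111111111111112 DEBUG swipe PAN 4111 1111 1111 1111 exp 12/15 "
    b"name DOE/JOHN; second card 5555-5555-5555-4444 approved"
)


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check: doubled digits on every second position from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four (PCI DSS 3.3 display rule) so findings can be logged."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(data: bytes) -> List[Tuple[int, str]]:
    """Return (byte_offset, masked_pan) for every Luhn-valid candidate in data.

    latin-1 decoding is one byte per character, so match offsets are byte offsets.
    Only plaintext ASCII digits are found: BCD-packed, compressed or encrypted
    PANs will not match, which is exactly why a clean result here is meaningful
    only alongside a controlled transaction and a capture of what left the device.
    """
    text = data.decode("latin-1")
    hits: List[Tuple[int, str]] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


def is_clean(data: bytes) -> bool:
    """True when no Luhn-valid PAN is present in plaintext."""
    return not find_pans(data)


if __name__ == "__main__":
    for name, dump in (("clean", CLEAN_DUMP), ("raw", RAW_DUMP)):
        print(name, "clean" if is_clean(dump) else find_pans(dump))
```

Run against a real device, the input would be the file-system image, application databases and a packet capture taken during a card-present test transaction, as in the assessment above; a hit at any offset means cardholder data touched the device in the clear and the application is back in PA-DSS scope.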
Coalfire's report is available at http://www.verifone.com/pwm-enterprise