Coalfire validates security compliance of VeriFone’s PAYware Mobile Enterprise solution



VeriFone announced that an independent evaluation by
Coalfire has validated the security compliance of VeriFone’s PAYware Mobile
Enterprise solution for enabling smartphones, PDAs and tablets to securely
accept payments.


Coalfire, a PCI Qualified Security Assessor (QSA) and PCI
Qualified Payment Application Security Assessor, determined that the PAYware
Mobile Enterprise application does not capture, store, process or transmit
cardholder data as part of authorization or settlement, and thus is not within
scope of PA-DSS. As recently outlined by the PCI Security Standards Council,
applications that do not store, process, or transmit cardholder data do not
fall under the PA-DSS program.


“Coalfire’s assessment provides merchants with the
assurance they can use a mobile-based payment application without violating the
PA-DSS standard and can safely deploy the VeriFone solution without risking PCI
DSS compliance,” said Erik Vlugt, vice president of marketing for retail and
vertical segments, VeriFone.


“Those merchants who chose PAYware Mobile Enterprise to
revolutionize customer service and store operations can save considerable cost,
time, and effort in their compliance efforts,” Vlugt added.


According to Coalfire’s report, when implemented
according to specific PCI guidance provided by VeriFone, the company’s PAYware
Mobile solution can be deployed in a fully PCI DSS compliant manner and can
reduce the scope of PCI DSS compliance in a merchant environment.


PAYware Mobile Enterprise integrates with existing
in-store POS systems and incorporates a PCI PTS-approved card encryption sleeve
and PIN debit keypad, as well as a 2D bar code scanner for quickly and
efficiently performing mobile check out or inventory control tasks.


VeriFone’s mobile payment solution for enterprise retail
environments also incorporates VeriShield Total Protect, Secured by RSA,
providing end-to-end data encryption and tokenization that ensures no card data
can be transmitted or stored in an unsecure manner.


Coalfire determined that VeriFone’s mobile payment
solution complies with Visa Best Practices for Mobile Payment Acceptance
Solutions v 1.0, released on 27 April, 2011, and evaluated three key aspects of
VeriFone’s PAYware Mobile for small to medium-sized merchants and PAYware
Mobile Enterprise for large retail enterprises.


The PAYware Mobile card encryption sleeve can be deployed
in a PCI DSS compliant manner and reduce the scope of PCI DSS compliance for


The PAYware Mobile POS application running on a mobile
device with the card encryption sleeve and VeriShield Total Protect is out of
scope of PA-DSS as it does not capture, store, process or transmit cardholder
data as part of authorization or settlement.


Forensic analysis of the mobile device in scope of this
assessment showed no transmission or persistence of unencrypted cardholder data
during and following card present transactional testing.


By Team