Thursday, January 21, 2010

Independent QSA Technical Assessment of VeriShield Protect

VeriFone has contracted with Coalfire Systems, Inc. a leading IT security consulting firm and PCI QSA to conduct an independent technical assessment of VeriShield Protect. The goal of this assessment is to determine if VeriShield Protect meets and follows industry standards, how a proper implementation of VeriShield Protect can improve the security of a retailer’s cardholder environment and the impact VeriShield Protect can have on reducing PCI scope and compliance costs.

The assessment is complete and a white paper of the findings will be published in February. The assessment by Coalfire included lab testing of the system, evaluation of VeriShield Protect as implemented at a Tier 1 retailer and a review of all planned deployment scenarios.

At NRF, Kennet Westby, Coalfire co-founder and COO, presented the initial findings from their assessment to a breakfast meeting of retail CIO’s and security executives. An executive summary from the forthcoming whitepaper was also released at NRF.

Key points from this executive summary include:

• A properly deployed VeriShield Protect solution can provide significant risk mitigation of data compromise and may be one of the most effective controls available to merchants today.

• There can be very clear and dramatic reduction of PCI compliance scope with a properly deployed VeriShield Protect solution.

• The benefit to merchants is the VeriShield Protect solution can reduce the cost of PCI compliance assessment and validation and allow them to invest more of those dollars into risk mitigating controls.

• The VeriShield Protect solution integrates securely with PC based POS or cash registers without exposing card data, encryption keys or authentication data to these platforms.

• The format preserving VeriShield Hidden Encryption provided successful integration with all payment application, POS and back-office servers tested.

• The integration with tested payment applications and POS systems was quick, required very little customization and worked effectively with all post authorization, sales audit and refund transactions tested

• The VeriShield Protect solution meets all VISA Data Field Encryption Best Practices.

• VeriShield Hidden Encryption meets encryption best practices and standards for cryptographic algorithms and key strength. The format preserving methods meet industry standards and VISA best practice guidance.

• The key management processes of the VeriShield Protect solution remove most of the challenges of key management for the merchant that are found in many previous end point encryption solutions

• The VeriFone terminal should be the only point in a merchant environment that captures card data through swipe or keyed entry to achieve the greatest security and PCI compliance scope reduction

• A payment application or POS that is not PABP/PA-DSS validated can be taken out of PCI scope if all payment data is captured through the VeriShield Protect solution and the system is cleansed of all legacy card data.

• A deployment architecture that has all card data captured in a VeriShield Protect TRSM and communicates directly to a PCI compliant processer who manages all decryption services for the merchant provides the greatest security and compliance risk mitigation.

• A merchant should have ownership rights to the decryption keys but not have access or possession of keys to achieve the greatest PCI scope reduction.

• A merchant can remove PCI compliance scope for the majority of their retail environment if all electronic card data is captured in a VeriShield Protect TRSM and no decryption appliances or decryption keys exist in their environment.

• The VSDMS provides effective compliance and security auditing for the merchant and QSA. Store validation sampling of compliance is simplified with this tool set. Compliance reporting overtime is easily evidenced for auditors using the VSDMS.

• The VeriFone VeriShield Protect solution impressed the Coalfire technical assessment team and their QSA auditors. The technology and tools are well architected and effective. The maturing of the solution based on their assessment input, customer feedback and industry best practice was equally impressive. Solution support, technical capabilities and security expertise of both VeriFone and its technology partner have benefited early customers in achieving their security and compliance goals.

This full executive summary can be downloaded here.