VeriShield Total Protect Technical Assessment by Independent QSA
VeriFone engaged Coalfire Systems Inc. (Coalfire), a respected Payment Card Industry (PCI) Qualified Security Assessor (QSA) company, to conduct an independent technical assessment of the VeriShield Total Protect End-to-End Encryption solution offering. Coalfire conducted assessment activities including technical testing, architectural assessment, industry analysis, compliance validation and peer review. In this final white paper assessment, Coalfire will describe how the VeriShield Total Protect solution can nearly eliminate the current risk of credit card data compromise in a merchant's retail environment and dramatically reduce the scope of PCI compliance.
Key points from this assessment include:
- The VeriShield Total Protect solution meets all Visa Data Field Encryption Best Practices.
- VeriShield Hidden Encryption (VHE) meets encryption best practices and standards for cryptographic algorithms and key strength. The format-preserving methods meet industry standards and Visa best practice guidance.
- The VeriShield Protect solution integrates securely with PC-based POS or cash registers without exposing card data, encryption keys or authentication data to these platforms.
- A properly deployed VeriShield Total Protect solution can provide significant risk mitigation of data compromise and is one of the most effective data security controls available to merchants today.
- The format-preserving VeriShield Hidden Encryption integrated successfully with all payment applications, POS and back-office servers tested.
- The key management processes of the VeriShield Total Protect solution remove most of the merchant key management challenges found in many other endpoint encryption solutions.
- The integration with tested payment applications and POS systems was quick, required very little customization and worked effectively with all post authorization, sales audit and refund transactions tested.
- The VeriFone terminal should be the only point in a merchant retail environment that captures card data through swiped or keyed entry to achieve the greatest PCI compliance scope reduction.
- A payment application or POS that is not PABP/PA-DSS validated can be taken out of PCI scope if all payment data is captured through the VeriShield Total Protect solution and the system is cleansed of all legacy card data.
- A deployment architecture in which all card data is captured in a VeriShield Total Protect TRSM and communicated directly to a PCI compliant processor, who manages all decryption services for the merchant, provides the greatest security and compliance risk mitigation.
- To achieve the greatest PCI scope reduction, a merchant should hold ownership rights to the decryption keys but have neither access to nor possession of those keys.
- A merchant can remove PCI compliance scope for the majority of their retail environment and corporate environment if all electronic card data is captured in a VeriShield Total Protect TRSM and no decryption appliances or decryption keys exist in their environment.
- A VeriShield Total Protect solution will not remove PCI control requirements for network firewall, network configuration, physical controls and administrative procedures for a merchant.
- The VMCS provides effective compliance and security auditing for the merchant and QSA. Store validation sampling of compliance is simplified with this tool set. Compliance reporting over time is easily evidenced for auditors using the VMCS.