VeriFone Holdings (NYSE: PAY) today announced an aggressive program to ensure implementation of the PCI Security Standards Council's (PCI SSC) Payment Application Data Security Standard (PA-DSS).
This program establishes a comprehensive PA-DSS compliance policy aimed at ensuring protection of cardholder information across virtually all merchant environments and all types of card acceptance devices.
VeriFone expects rapid availability of its terminal-based payment applications to meet all needs of acquirers and merchants in complying fully with the PA-DSS mandate. PC- and server-based VeriFone applications such as PAYware PC already comply with PA-DSS or its predecessor, the Visa Payment Applications Best Practices (PABP). PA-DSS is intended to ensure that payment applications are secure, do not store prohibited data, such as full magnetic stripe, CVV2, PIN or other sensitive data, and support compliance with the PCI Data Security Standard (PCI DSS).
First published in April 2008, PA-DSS expands upon PABP to encompass card acceptance devices known as "stand-alone POS terminals," which are commonly used by smaller "level 4" merchants, who represent the largest installed base of payment acceptance devices globally. It also encompasses consumer-facing payment devices and programmable PIN pads that are connected to electronic cash registers in use at larger "level 1 and 2" merchants.
Merchants are increasingly utilizing these systems in a manner that brings them under PA-DSS requirements, leading VeriFone to establish a universal compliance program for all of its applications used in its programmable payment acceptance devices going forward, initially targeting the US/Canada market. Because each payment application certified by each bank, processor or acquirer must now be audited, full PA-DSS compliance will result in hundreds of individual audits by qualified assessors. Auditing device-based payment applications at the supplier level will minimize the number of audits required and lower compliance costs for buyers.
"Adherence to the PA-DSS by vendors is an excellent way organizations can ensure the utmost in transaction integrity. Providing customers with only PA-DSS audited applications will help us further standardize security levels industry-wide," said Bob Russo, general manager of the PCI Security Standards Council.
The PCI SSC was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. to enhance payment account data security by driving education and awareness of the PCI Security Standards.
"There is nothing more important to this industry than a consumer's trust in the payment system and VeriFone applauds this bold step by the PCI SSC to create a third-party validation testing program that positively verifies compliance to the PA-DSS standard and ensures protection of sensitive cardholder information," said VeriFone Chief Security Officer Dave Faoro. "We are taking this bold step to ensure that banks, acquirers and merchants can easily comply."
According to the PA-DSS mandate, POS terminals that encompass payment applications must be audited by a PA-QSA laboratory unless they are used in very limited environments that reduce the possibility of compromise. These restrictions stipulate that the payment device has no connection to any of the merchant's systems or networks, that it connects to the acquirer or merchant via a private line, that it can be securely updated remotely, and that sensitive authentication data is not stored. The overwhelming majority of "stand-alone POS terminal" payment applications being certified today by leading processors no longer meet all of these usage restrictions, and therefore fall under the scope of the PA-DSS compliance mandate.