VeriFone PAYware Mobile with VeriShield Total Protect Technical Assessment White Paper


Prepared for:
April 5th, 2011
Bruce DeYoung, QSA, PA-QSA
Dan Fritsche, CISSP, QSA, PA-QSA
Andrey Sazonov, Lab Testing

Table of Contents

Executive Summary
The PAYware Mobile Terminal Technical Assessment
Setting the Stage
Technical Assessment Details
Test Lab Configuration and PAYware Mobile Terminal Transactional Testing
Forensic Results
Assessment Conclusions
Appendix A: Visa Best Practices for Mobile Payment Acceptance Solutions v1.0
Appendix B: Implementation Guide on Using PAYware Mobile Terminal
Glossary

Copyright 2011, Coalfire Systems Inc.

Executive Summary

Mobile technologies have become a part of everyday consumer life. With increased processing power and functionality, they are quickly moving into commercial enterprises, where staff enablement and efficiency are the targets. At the same time, the security of these new platforms is being called into question, and they are exposed as a new threat vector for unauthorized capture of sensitive consumer data (PII, credit card information, etc.).

Merchants recognize the opportunity for better customer service with mobile-based POS systems. However, the Payment Card Industry Security Standards Council (PCI SSC) has placed all mobile-based POS application reviews on hold and will not review, or list as compliant, POS applications running on these platforms. This means that there is currently no way to validate a mobile-based payment application against the PA-DSS standard, and no clear path to deploying such an application in a merchant environment in a manner that clearly supports the merchant's PCI DSS compliance.

VeriFone's PAYware Mobile POS application enables card swiping and manually-keyed data entry with the VeriFone VX600 integrated sled for mobile platforms. VeriFone has addressed security and PCI compliance concerns by integrating the VeriShield Total Protect (VTP) solution into the VX600 sled to create a full point-to-point encryption solution for mobile payment platforms. Taken together, these components comprise the VeriFone PAYware Mobile Terminal solution (including both the SMB (Small and Medium Business) and PAYware Mobile Enterprise offerings).

VeriFone engaged Coalfire Systems Inc. (Coalfire) to conduct an independent technical assessment of the PAYware Mobile Terminal solution. Coalfire reviewed the full PAYware Mobile Terminal solution through architecture review, technical testing, forensic analysis, and compliance control alignment and validation. The overall objectives included:

1. Validate that the PAYware Mobile POS application component of the PAYware Mobile Terminal solution does not capture, store, process or transmit cardholder data as part of authorization or settlement and is, therefore, not within scope of PA-DSS.
2. Validate that, when implemented according to the specific PCI guidance provided by VeriFone, the PAYware Mobile Terminal can be deployed in a fully PCI DSS compliant manner and reduce the scope of PCI DSS compliance in a merchant environment.

This report has two target audiences:

1. Merchants and Service Providers evaluating the VeriFone solution to meet their operational, compliance and security needs; and
2. Qualified Security Assessors (QSAs) and other industry stakeholders seeking an in-depth independent technical assessment that they can use to validate the vendor's marketing claims.

Summary of Findings

The relevant findings from the assessment testing completed by Coalfire include:

- The PAYware Mobile Terminal can be deployed in a PCI DSS compliant manner and reduce the scope of PCI DSS compliance for merchants.
- The PAYware Mobile POS application running on the mobile device and integrated with the VeriFone VX600 with VTP is out of scope of PA-DSS, as it does not capture, store, process or transmit cardholder data as part of authorization or settlement.

- Forensic analysis of the mobile device in scope of this assessment showed no transmission or persistence of unencrypted cardholder data during and following card-present transactional testing.

The PAYware Mobile Terminal Technical Assessment

Setting the Stage

The Issue

Mobile technologies, including smart phones of many types, are ubiquitous and have become a part of everyday consumer life. As mobile platforms have become more powerful and capable, they are quickly moving into the commercial setting, where enterprises are evaluating their use to enable staff in ways not previously conceived. At the same time, the security of mobile platforms and the applications they run is of great concern, in particular where sensitive data (PII, cardholder data, etc.) is handled.

Many merchant organizations recognize that mobile-based point-of-sale (POS) solutions are a convenient way to provide better customer service by processing transactions immediately on the retail floor or in the field, so payment acceptance via mobile devices is a desired and highly-demanded solution in many markets today. However, there are many security concerns over processing transactions on these consumer-oriented mobile devices (e.g. iPhone, iPod, iPad, Android, etc.), and these concerns present hurdles to widespread acceptance and deployment, not to mention compliance and regulatory requirements.

Highlighting these security concerns, the Payment Card Industry Security Standards Council (PCI SSC, the governing body which defines the security compliance standards for payment applications that capture, store, process or transmit cardholder data as part of authorization or settlement) has placed all mobile-based POS application reviews on hold. As a result, PCI SSC will not review, nor list as PA-DSS (Payment Application Data Security Standard) compliant, a mobile-based POS application running on one of these platforms. Since the card brands have generally mandated that newly boarded merchants must be running PA-DSS-validated payment applications, it is nearly impossible to deploy a third-party mobile-based POS application in a merchant environment with a clear path to supporting that merchant's full compliance with PCI DSS.

The Objectives of the Assessment

VeriFone, Inc. provides a mobile-based POS application named PAYware Mobile which runs on the iPhone and iPod touch platforms (hereafter, the mobile platform). This solution supports card swiping and manually-keyed data entry through an integrated sled device into which the mobile platform slides. To address the security and compliance issues raised above, VeriFone has integrated its VeriShield Total Protect (VTP) end-to-end encryption solution into the VeriFone VX600 sled. Integrating the PAYware Mobile POS application on the mobile platform with the VX600 sled (together, the PAYware Mobile Terminal) creates a full point-to-point encryption solution in which no cleartext cardholder data is ever touched by the PAYware Mobile POS application or the underlying mobile platform.

VeriFone engaged Coalfire Systems Inc. (Coalfire), a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and Payment Application Qualified Security Assessor (PA-QSA) company, to conduct an independent technical assessment of the PAYware Mobile Terminal. Coalfire performed technical testing of this platform including architectural assessment, technical/transactional testing, forensic analysis, and compliance validation and compliance controls alignment.

The overall objectives of this effort were as follows:

1. Validate that the PAYware Mobile POS application, when integrated with the VeriFone VX600 with VTP sled, is brought entirely out of scope of PA-DSS, as it does not capture, store, process or transmit cardholder data as part of authorization or settlement.
2. Validate that, when implemented according to the specific PCI guidance provided by VeriFone, the PAYware Mobile Terminal can be deployed in a fully PCI DSS compliant manner and reduce the scope of PCI DSS compliance in a merchant environment.
3. Verify that the PAYware Mobile Terminal complies with Visa Best Practices for Mobile Payment Acceptance Solutions v1.0, released on 27 April.

PCI Compliance Scope Reduction or Elimination

The VeriFone PAYware Mobile Terminal solution is designed to reduce merchant PCI compliance scope and eliminate PA-DSS compliance applicability for the PAYware Mobile POS application. To see how these goals are achieved, one must first understand PCI's guidance regarding encrypted cardholder data. PCI has published two documents which address this: FAQ Article #10359 and the document entitled Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance. Both documents state the following:

"encrypted data may be deemed out of scope [of PCI] if, and only if, it has been validated that the entity that possesses encrypted data does not have the means to decrypt it." (PCI SSC FAQ Article #10359; Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance, page 8)

While the reduction of PCI DSS scope for the VTP solution has been covered in detail in the Coalfire document VeriFone VeriShield Protect Technical Assessment White Paper, the elimination of PA-DSS scope is addressed in this document.

An application is considered a payment application by PCI SSC if it meets the following definition:

"The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties." (Payment Application Data Security Standard Requirements and Security Assessment Procedures Version 2.0, page 5)

If an application captures, stores, processes or transmits cardholder data exclusively through a device which encrypts at the point of interaction (via swipe or card insert), and if neither this application nor the entity running it has any means of decrypting that data, then per PCI SSC guidance the encrypted cardholder data is out of scope of PCI. The application can therefore be considered out of scope of PA-DSS, as it does not store, process or transmit cardholder data as part of authorization or settlement.

Additionally, the Initial Roadmap document from PCI SSC clarifies that a well-designed point-to-point encryption (P2PE) solution must address specific controls across the various domains which comprise an entire P2PE system. The following domains are specifically included in the Initial Roadmap document and have been covered in Coalfire's earlier paper on the VeriShield Total Protect solution, which found the VTP solution fully aligned to PCI's defined domains:

- Encryption Device: Sensitive data (PAN and sensitive authentication data) must be encrypted in a device that is physically and logically secure.
- Payment Application: An application that has access to plaintext data on an encrypting device must still undergo validation (i.e. PA-DSS, or within the scope of the PTS validation process).
- Merchant Encryption Environment: The merchant must ensure adequate physical and logical controls, and any segmentation controls, if these are not specifically part of the P2PE solution.
- Encryption and Decryption Operations and Key Management: These operations must be validated if a merchant implements both encrypt and decrypt functions within their network.
- Decryption Environment: The environment where encrypted data is returned to its plaintext state through decryption is a critical point of security in a P2PE solution. Such an environment must satisfy the future Validation Requirements for Point-to-Point Encryption and undergo an annual PCI DSS assessment.
- Enhanced Key Management for Decryption Environment: Secure management of cryptographic keys is fundamental to the security of any P2PE solution. Any P2PE solution must satisfy the future Validation Requirements for Point-to-Point Encryption, which will include enhanced key management procedures derived from existing industry standards for PIN key management.

Scope of this White Paper

The remainder of this report documents the technical assessment testing conducted by Coalfire to validate the assertions stated previously. The report is divided into three sections:

1. Details of the Technical Assessment
2. PCI DSS Scope Reduction and PA-DSS Scope Elimination
3. Technical Assessment Conclusions

Technical Assessment Details

Coalfire applies industry best practices in its assessment and testing methodologies, and completed a multi-faceted technical assessment process during the course of this project using these industry and audit best practices. Coalfire conducted technical lab testing in its Colorado lab from March 27 to April 27. At a high level, testing consisted of the following tasks:

1) Technical review of the architecture of the full solution and its components, including the integration hooks between the PAYware Mobile POS and the VX600 sled with VTP device.
2) Implementation of the PAYware Mobile Terminal solution in the Coalfire lab environment, and transactional testing.
3) Forensic evaluation of all data in transit between the mobile devices and the PAYware Gateway, as well as data at rest on the mobile devices and supporting host systems.

Technical Review of the PAYware Mobile Terminal Architecture

Components of the PAYware Mobile Terminal Solution

The components of the system, referred to as the PAYware Mobile Terminal, in scope of this security assessment were:

1. VeriFone VX600 sled with VTP
2. iPhone 3GS and iPod touch 4 (the mobile devices)
3. VeriFone's PAYware Mobile POS application (PAYware Mobile POS)

The PAYware Gateway provides back-end VTP decryption and payment authorization services. The VeriFone PAYware Gateway is a compliant Service Provider listed on Visa's Global Registry of Service Providers. While test transactions were conducted using the PAYware Gateway, it was not in scope of the technical testing conducted by Coalfire for this project, as the VTP decryption services it provides are covered in detail in the separate white paper on that subject.

The VeriFone VX600 with VTP sled is designed with protection of sensitive cardholder data, reduction of PCI DSS scope and elimination of PA-DSS scope in mind. By integrating the PAYware Mobile POS application running on an iOS-based device with the VeriFone VX600 with VTP sled, VeriFone asserts that a merchant can achieve maximum security and usability while minimizing or eliminating components of PCI compliance.

Physical Security

The VeriFone VX600 sled is a PCI PTS 2.1 certified payment terminal that has also been certified by UKCC (UK) and Interac (Canada). The VeriFone VX600 sled with VTP device in scope of this assessment is built upon the same tamper-resistant security module (TRSM) foundation as the currently certified sled, the primary difference being the implementation of the VTP solution for point-of-interaction (POI) encryption using the VeriShield Hidden Encryption (VHE) component of the previously assessed VTP solution. VHE implements VeriFone's Format Preserving Encryption (FPE) algorithm. The updated VeriFone VX600 sled with VTP has passed PTS certification and is currently listed as a PTS approved device on the PCI website.

The VeriFone VX600 sled with VTP currently supports only the Apple iPhone and iPod platforms. The VX600, a TRSM, provides the only POI for sensitive cardholder data when integrated with the iPhone and iPod platforms: all cardholder data introduced into the PAYware Mobile Terminal system enters exclusively via the VX600 sled. While card-not-present (CNP) entry is supported by the VX600 device, it was not in scope of this white paper. Coalfire and VeriFone will be working on additional documentation and testing that specifically addresses CNP mode with manually-keyed data on the VX600 device; the findings below therefore cover swiped (card-present) transactions only.

The PAYware Mobile POS application runs on the iPhone or iPod touch platform. This POS application provides only POS functionality such as item definition and product catalogues, pricing, tax rules, shipping information, item scanning and checkout initiation. No cardholder data is introduced via interfaces provided by the PAYware Mobile POS application or any other function or interface on the iPhone or iPod platform. There is no support for either direct or indirect handling of cleartext card data.

While not within scope of this assessment, the PAYware Gateway is a hosted payment processing gateway currently hosted in a commercial data center, the Telecity Powergate Data Center in London, England. The data center is certified to the ISO 27001:2005 security management standard and has been PCI DSS certified as a compliant Level 1 Service Provider. The PAYware Gateway (PWMG) is connected to the participating financial institutions by dedicated circuits or VPNs. The internet-facing web servers are located in DMZs that are physically separated by dual firewalls from the database, payment switch, decryption and key management servers.

In addition to the secure hosted service provider data centers, VeriFone maintains a clean room for injection of keys into the VX600 platform to initialize VTP encryption. The clean room is a secure, sterile facility with no windows and a minimum of furniture, so that it can easily be ascertained that no cameras or other extraneous electronic equipment have been installed. Procedures are in place for start- and end-of-day inspections of the clean room, record keeping for physical access, and logs of work performed and by whom.

Multi-Layer Encryption

The PAYware Mobile Terminal solution is built around multiple layers of encryption. Data captured via the VX600 sled with VTP is encrypted at the data layer using the VTP VeriShield Hidden Encryption component. This module uses the industry-standard AES algorithm to generate a format-preserved encrypted (FPE) value of the swiped sensitive authentication data. All swiped data, including full track data and sensitive authentication data, is encrypted in this way. In addition to this data-layer encryption, all traffic transmitted over both the cellular and wireless (WiFi) channels is encrypted at the transport layer using Transport Layer Security (TLS), which provides transport encryption between the PAYware Mobile Terminal and the PAYware Gateway. The two layers protect different things: TLS protects the channel between the mobile device and the gateway, while the data-layer encryption is what keeps cleartext cardholder data off the mobile platform and the merchant network in the first place, which is why the transactional testing below deliberately disables transport encryption to exercise the data layer on its own.

Typical Network Implementation of the PAYware Mobile Terminal

The following two diagrams illustrate the complete PAYware Mobile Terminal solution communicating over both the cellular and WiFi communication channels.

PAYware Mobile Terminal over the cellular channel to the PAYware Gateway

In this deployment scenario, the PAYware Mobile Terminal communicates with the PAYware Gateway over the cellular communication channel. All data introduced into the system is data-layer encrypted at the POI by the VX600 sled with VTP. It is then transmitted via TLS over the cellular channel to the PAYware Gateway for authorization. At no time is cleartext sensitive cardholder data available on the integrated iPhone or iPod touch device.

PAYware Mobile Terminal over the WiFi channel to the PAYware Gateway

In this deployment scenario, the PAYware Mobile Terminal communicates with the PAYware Gateway over a WiFi communications channel established by the merchant. All data introduced into the system is data-layer encrypted at the POI by the VX600 sled with VTP. It is then transmitted via TLS over the WiFi channel to the wireless access point (WAP) in the merchant network, and then via SSL/TLS over the wire to the PAYware Gateway for authorization. At no time is cleartext sensitive cardholder data available on the integrated iPhone or iPod touch device or on the merchant wireless network.

Cardholder Data Flow in the PAYware Mobile Terminal Solution

Cardholder data flows through the integrated components of the PAYware Mobile Terminal as follows: the VX600 with VTP sled accepts a consumer's card data (via the MSR swipe interface on the VX600) and encrypts it with the VeriShield Hidden Encryption component of VTP, using the key injected into the sled's hardware. This encrypted data is then transferred to the PAYware Gateway over a secure connection via the mobile device. Transaction success or failure information (including non-sensitive, truncated cardholder data) is returned from the PAYware Gateway to the PAYware Mobile POS application interface. At no time does the PAYware Mobile POS application or the mobile platform see unencrypted cardholder data during this process. The following diagram further illustrates the flow of sensitive information through the PAYware Mobile Terminal system:

Figure 1: Cardholder Data Flow diagram (PAYware Mobile POS, VX600 sled, PAYware Merchant Gateway (PWMG))

After the merchant has selected the items to be purchased, adjusted pricing and modified surcharges in the PAYware Mobile POS application:

1. The PAYware Mobile POS application sends a start-transaction signal to the VeriFone VX600 device.
2. The VX600 sends a request to the PAYware Gateway, via the PAYware Mobile POS application, to determine whether the gateway is available and ready to receive a transaction request.
3. The VX600 gathers and encrypts the cardholder data and sends it to the gateway, via the PAYware Mobile POS application on the mobile platform, over SSL/TLS.
4. The response contains non-sensitive details of the transaction, including response code, transaction status, transaction ID, etc. The PAYware Mobile POS application then pulls the transaction and order details together for confirmation by the merchant.
5. The merchant confirms or denies the order on the PAYware Mobile POS and the result is sent to the PAYware Gateway, which processes or cancels the transaction accordingly.

VeriFone Mobile Framework (VMF)

An important part of the PAYware Mobile Terminal solution is the interface between the PAYware Mobile POS and the VeriFone VX600 sled. All interaction between these two system components is provided by the VeriFone Mobile Framework (VMF). The VMF provides a limited interface which prevents the PAYware Mobile POS from ever requesting or accessing cleartext sensitive cardholder data (PAN, track data, card validation codes, etc.) from the VX600 device:

1) All functions for sensitive data capture always encrypt the sensitive data before returning it to the calling application.
2) Encryption is turned on by default and there is no way for it to be turned off or disabled.
3) The messages that prompt a user on the VX600 terminal cannot be changed. All messages are predefined and are accessed via message ID from the calling application. The file that stores the messages is digitally signed, is stored on the VX600 sled, and cannot be replaced except by VeriFone.

Test Lab Configuration and PAYware Mobile Terminal Transactional Testing

Devices

Devices provided for testing included the TRSM-compliant VeriFone VX600 sled with VTP, integrated with the Apple iPhone 3G/3GS and iPod touch 4th generation. While a different form factor is required for the different Apple platforms, the VX600 solutions are identical; the only difference is the mounting mechanism to support the physically different iPhone and iPod touch platforms. Coalfire tested several different payment types (swipe and EMV chip reader) with several test cards. Testing procedures also included intentionally generating different error conditions. The specific devices used during Coalfire testing were:

- VeriFone VX600 sled with VTP, Cedar release version 3.0
- Apple iPhone 3G running iOS, on the AT&T network
- Apple iPod touch 4, iOS v. 4.3, over the local WiFi network
- PAYware Mobile POS mobile application

Implementation and Test Case Details

The assessment included testing all components of the PAYware Mobile Terminal solution and the data that they capture, store, process or transmit. The PAYware Mobile POS application was installed and configured on both the iPhone 3GS and iPod touch 4 platforms. Numerous test cards (VISA, MasterCard, AMEX and Discover) were swiped on the VX600 sled for transactional testing. The primary objective of this transactional testing was to validate that no cleartext cardholder data is stored, processed or transmitted by any component of the PAYware Mobile Terminal solution. A synopsis of the testing process follows:

1) Observation and review of data in transit between the PAYware Mobile Terminal and the PAYware Gateway, over both the WiFi and cellular network channels.
2) Observation and review of data at rest on the PAYware Mobile POS and on the host computer on which mobile backup data is stored (i.e. iTunes backup data), using forensic analysis tools.
3) Validation that no unencrypted card data is transmitted from the VX600 sled to the mobile platform, either directly or indirectly via the PAYware Mobile POS application, by reviewing the application programming and command interfaces between the mobile platform and the VX600.
4) Generation of error conditions and review of the data introduced into the system as a result of these error conditions.

More details on each test case are provided below. Thereafter, the results of the data analysis and forensic review are provided in detail.

Test 1 Process: Observing dataflow between the PAYware Mobile Terminal and the PAYware Gateway

To observe the data in transit between the PAYware Mobile Terminal and the PAYware Gateway, we connected the iOS device to a wireless access point (WAP) via WiFi. The WAP was connected to a hub, to which a host computer running the Wireshark packet sniffer was also connected. This small wireless network included a connection to the public internet and to the PAYware Gateway. This network setup allowed us to view all traffic from the PAYware Mobile Terminal in both directions (i.e. outbound and inbound) and to search for any cardholder data or sensitive authentication data in transit. The diagram below illustrates the network setup as used by Coalfire for this test case.

Test 1 network diagram: PAYware Mobile Terminal (iPhone with VX600 sled running the PAYware UK application) -> wireless access point with no encryption -> hub (packet sniffer host attached) -> internet -> PAYware Gateway. All encryption takes place at the VX600 device; decryption takes place at the VTP server.

In the diagram above, the orange path represents the encrypted cardholder data flow. In this test case the sensitive data flows as follows:

1. The PAYware Mobile POS sends a transaction request to the VX600. All cardholder data is captured via the VX600 MSR swipe interface and immediately encrypted in a format-preserving manner using the embedded VeriShield Hidden Encryption (VHE) component on the VX600. The PAYware Mobile POS application receives the encrypted data via the command interface and prepares to send it to the PAYware Gateway.
2. The PAYware Mobile POS uses the iPhone platform's WiFi connection to transmit the VTP-encrypted data to the PAYware Gateway. For testing purposes no encryption was used on either the WiFi connection or the public internet channel to the PAYware Gateway. This was done in order to validate the data-layer encryption performed by the VX600 device in isolation. (Note: production deployments must enable WiFi encryption (WPA2) and transport-layer encryption over the public internet.)

3. In this test case, the encrypted cardholder data travelled via the WAP through the hub and outbound to the PAYware Gateway. All traffic on this channel was captured using the Wireshark packet sniffer running on the host connected to the hub.
4. The PAYware Gateway performs the VeriShield Total Protect decryption. Once decrypted, the data was sent to the processor for authorization. The authorization result is returned via the same channels to the PAYware Mobile POS application running on the iPhone platform. The data returned to the application does not include any card data, just the non-sensitive transaction summary such as the response code, transaction status, transaction ID, etc.

Test 2 Process: Observing data at rest on the device and on the host computer

For this analysis we used two approaches. The first task was to gather and analyze data on a clean (i.e. non-jailbroken) mobile platform. Coalfire used Paraben Device Seizure software to obtain data from the non-jailbroken mobile platform. An example of the application and the data acquired is shown in the following screenshot. In this case we observed the file system of the iPhone, and the user partition in particular. However, Paraben Device Seizure did not scan the unallocated space of the iPhone drive. The solution was to jailbreak the device and capture a raw image using the dd command. To perform this more in-depth analysis of the iPhone platform, the following steps were performed:

1. Jailbreak the device using the redsn0w tool.
2. Capture an image of the iPhone's storage with dd, running on the jailbroken device and streaming the raw partition over SSH to the forensic workstation:

   dd if=/dev/rdisk0s1 bs=2048k | ssh user@host 'dd of=/home/iphone_image.dd'

   (user@host is the forensic workstation that receives the image; substitute the real target.)

3. Convert the dd image to the EnCase E01 format using FTK Imager and perform forensic analysis in EnCase against the following keywords:

- Unencrypted credit/debit card numbers (real test card numbers and card-number templates)
- Encrypted credit/debit card numbers of the test cards
- Track 1/Track 2 data
- Expiration dates of the test cards
- CSC codes of the tested credit cards
- PIN codes of the tested debit cards
- Merchant ID
- Merchant login
- Merchant password
- User address

A sample of the information returned by the EnCase Forensics tool follows. A more detailed review of the forensic results occurs later in this document.
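The keyword search above is, at bottom, a pattern scan over the captured traffic (Test 1) and the disk image (Test 2): find every run of 13 to 19 digits, keep those that pass the Luhn check, flag magnetic-stripe track layouts, and compare the hits against the known test-card PANs. The Python below is an added example of that scan; it is not Coalfire's tooling and not part of the original paper. The byte strings it scans are constructed here to stand in for a pcap payload and a dd image, the Visa test PAN is the widely used 4111 1111 1111 1111, and the "format-preserved" value is a made-up 16-digit number that keeps the BIN and last four digits, since the paper does not publish real VHE output.

```python
import re

# Magnetic-stripe layouts (ISO/IEC 7813) as they would appear in a capture or image.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?   Track 2: ;<PAN>=<YYMM><service code>...?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}")
TRACK2_RE = re.compile(rb";(\d{13,19})=\d{4}")
# Any run of 13 to 19 digits not adjacent to other digits: a PAN candidate.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(pan):
    """ISO/IEC 7812 check-digit test; filters most random digit runs out of the candidates."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """First six and last four only, so the report itself does not become a cardholder-data store."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(blob, known_pans):
    """Scan raw bytes (a pcap payload, a dd image) for track data and Luhn-valid PAN candidates.

    Returns findings ordered by offset. A candidate equal to a known test PAN is cleartext
    cardholder data; any track layout is sensitive authentication data regardless of the PAN.
    """
    findings, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(blob):
            pan = m.group(1).decode()
            findings.append({"offset": m.start(), "kind": kind, "pan": pan,
                             "cleartext": pan in known_pans})
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(blob):
        if any(s <= m.start() < e for s, e in covered):
            continue  # already reported as part of a track
        pan = m.group(0).decode()
        if luhn_ok(pan):
            findings.append({"offset": m.start(), "kind": "pan", "pan": pan,
                             "cleartext": pan in known_pans})
    findings.sort(key=lambda f: f["offset"])
    return findings


def verdict(findings):
    """FAIL if any cleartext test PAN or any track data was found, otherwise PASS.
    Luhn-valid candidates matching no test card are left to the analyst: they may be
    format-preserved ciphertext, or digits from something that is not a card at all."""
    bad = any(f["cleartext"] or f["kind"] != "pan" for f in findings)
    return "FAIL" if bad else "PASS"


def report(findings):
    """Human-readable lines with masked PANs."""
    return ["0x%08x %-6s %s%s" % (f["offset"], f["kind"], mask(f["pan"]),
                                   "  <-- CLEARTEXT TEST CARD" if f["cleartext"] else "")
            for f in findings]


# Constructed sample data (not from the paper's lab).
TEST_PANS = {"4111111111111111"}                 # well-known Visa test PAN
CLEAN_IMAGE = (
    b"\x00" * 32
    + b"merchant_login=demo;"                     # config text, no card data
    + b"1234567890123456"                         # 16 digits that fail Luhn: noise
    + b"\x00" * 8
    + b"4111115390221111"                         # made-up format-preserved value: BIN and last 4 kept
    + b"\x00" * 8
)
LEAKY_IMAGE = (
    CLEAN_IMAGE
    + b";4111111111111111=1512101?"               # track 2 of the test card in the clear
    + b"\x00" * 4
    + b"4111111111111111"                         # bare test PAN
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_IMAGE), ("leaky", LEAKY_IMAGE)):
        found = scan(blob, TEST_PANS)
        print(name, verdict(found))
        for line in report(found):
            print("  " + line)
```

The clean image yields one Luhn-valid candidate that matches no test card, which is what a format-preserved value would look like to a keyword search; the analyst resolves it by comparing against the list of known encrypted test-card values, as the EnCase keyword list above does. The leaky image fails on both counts (track 2 present, bare test PAN present). Run over a real capture, feed the script the reassembled TCP payload rather than the raw frames, so that a PAN split across two segments is not missed.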

16 Test 3 Process: Architectural evaluation of the communication interface between the PAYware Mobile POS and VX600 sled. Coalfire reviewed the documentation describing how all three components of the PAYware Mobile Terminal communicate with each other and what command interface exists for that purpose. In particular great attention was focused on the VeriFone Mobile Framework (VMF) and data flow blueprints for each Card Payment Scenario. Test 4 Process: Error State and Out-of-Band Encryption Review Error conditions were intentionally generated during the assessment. Most of the attention was focused on transactions with expired cards and cards with non-typical/damaged track data. These scenarios were tested and verified that VTP encryption is turned off in several cases. The PAYware Mobile Terminal utilizes the same error state algorithm that is used by the VeriShield Protect solution previously reviewed by Coalfire. It is configured to securely encrypt the greatest number of transactions possible at the point of swipe while managing a number of out-of-range and error conditions. There are a couple of transactional scenarios where encryption does not occur and they are: Invalid track data this can include formatting issues on the magnetic stripe, the PAN does not pass a LUHN check, the PAN is not consistent in both Tracks or that the track data does not have the Service Code. Expiration Out-of-Range If a card is swiped with an expiration date earlier that 2008 or if the card has an expiration date beyond 2040 the encryption function will not be executed Expiration out-of-range is the primary exception scenario that has the potential to impact PCI compliance scoping. During previous testing and review of transactional history from large merchant deployments the number of transactions meeting this criterion is very small. The expired cards with a year of 2008 or smaller are the transaction types that Coalfire reviewed most closely. 
Even though these cards are expired, they must be treated as a valid PAN for PCI compliance. Coalfire reviewed the real-world exposure that this out-of-range exception for expired cards could create and considers it very low risk for security and compliance purposes. Only a very small number of potential transactions could be affected by this condition, and the number of cards with expiration dates of 2008 or earlier will shrink over time. VeriFone is continuing to engineer solutions and configuration options for customers that can reduce the number of non-encrypted exceptions even further. A customer should track the number of exceptions using CDMS and work with VeriFone to ensure that it remains statistically insignificant.

Software Used for Testing

Coalfire used several software packages during this assessment:

1. Wireshark Ethernet port sniffer (version not reproduced in this copy). Wireshark was used primarily to observe packets going into and out of the PAYware Mobile Terminal. For testing purposes, SSL encryption was temporarily turned off by VeriFone so that the data could be observed at the transport layer without SSL, in the form it leaves the VX600 sled.
2. EnCase Forensics (version not reproduced in this copy). EnCase Forensics is a commercial-grade forensic analysis package. It was used to gather and analyze images of the full iPhone/iPod touch disk drives.

3. FTK Imager, used to convert the dd image of the iPhone drive to the E01 format, which is better suited to the EnCase Forensics tool.
4. Paraben's Device Seizure software, version 4.2. This tool enabled observation of the data stored on the PAYware Mobile POS in the user partition. To provide full access to the non-user system partition as well, the mobile platform was jailbroken. The chance that any card data resides on the system partition is extremely low, but for completeness Coalfire jailbroke the device and captured the full disk image, which was later analyzed in EnCase Forensics.

Forensic Results

Following the transactional testing and forensic analysis, Coalfire concluded that:
- No unencrypted cardholder data was transferred over the network.
- No unencrypted cardholder data is accessible over the VX600 API interface.
- Neither unencrypted nor encrypted cardholder data was present on the disk of the mobile platform.
- Neither unencrypted nor encrypted Track 1/Track 2 data was present on the disk of the mobile platform.
- No other sensitive personal data was observed on the disk of the mobile platform.

Test 1 Analysis - Data in Transit

Example packets (request and response) are shown in the following screenshot. Readers are referred to the VeriFone VeriShield Total Protect Technical Assessment White Paper prepared by Coalfire for more detail on the format-preserving encryption algorithm used by the VeriShield Total Protect solution. The track data transmitted was observed and compared with the original track data of the test cards:

Test Card 1, encrypted vs. unencrypted data
Original Track =
Track 2 captured =

Test Card 2, encrypted vs. unencrypted data
Original Track =
Track 2 captured =

[Track values not reproduced in this copy]

The following screenshot shows a packet sent from the PAYware Mobile POS to the PAYware Gateway (red text) and the response from the gateway (blue text). This communication was observed at step 3 of the Cardholder Data Flow diagram.

[Screenshot of the gateway request and response: not reproduced in this copy]

The rest of the credit and debit cards tested had their data encrypted in the same way as illustrated in the example above. The only exceptions occurred when testing cards that generated the error conditions described earlier in this document.

Test 2 Analysis - Stored Data

Using the Paraben Device Seizure software, we observed some findings in the file transactions_log.sqlite. This log file held information about the orders that went through, such as: customer e-mail, transaction number, geographical location of the device at the moment of the transaction, result of the transaction (approved/declined) and other non-sensitive data typical of a log file. No sensitive information was found in this file.

Some of the keywords we searched for were only 3 or 4 digits long, for example the CSC (Card Security Code) and the PIN code. These searches generated hundreds of false-positive results, which we looked through and determined that none were valid hits. The EnCase Forensic scan of the full disk image showed identical results to those observed in the Paraben Device Seizure software.
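As an added illustration of the keyword sweep described above (this is not Coalfire's tooling, nor the EnCase or Paraben workflow itself), the following Python scans a constructed in-memory disk image for cleartext Track 2 records and Luhn-valid PAN candidates, and counts raw hits for a 4-digit keyword to show why a bare CSC/PIN search returns so many false positives while a Luhn-filtered PAN search stays precise. The image contents, offsets and function names (find_pans, find_track2, count_keyword, sweep) are constructed for this example; the card numbers are the well-known test values, not real card data.

```python
"""Cardholder-data sweep over a raw disk image (added illustration, not Coalfire tooling).

A plain keyword search reports every literal hit; a PAN search only becomes useful
once candidates are Luhn-filtered and track-layout aware.  The sample image below
is constructed in memory; nothing in it is real card data.
"""
import re

# 13-19 digit run that is not embedded in a longer digit string.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM SSS discretionary ?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,30}\?")


def luhn_ok(digits: bytes) -> bool:
    """Luhn mod-10 check over an ASCII digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(image: bytes):
    """Offsets and values of Luhn-valid PAN candidates (the 'unencrypted PAN' keyword class)."""
    return [(m.start(), m.group(1).decode())
            for m in PAN_RE.finditer(image) if luhn_ok(m.group(1))]


def find_track2(image: bytes):
    """Cleartext Track 2 records with their parsed expiry and service code."""
    hits = []
    for m in TRACK2_RE.finditer(image):
        if luhn_ok(m.group(1)):
            hits.append({"offset": m.start(), "pan": m.group(1).decode(),
                         "expiry": m.group(2).decode(), "service_code": m.group(3).decode()})
    return hits


def count_keyword(image: bytes, keyword: bytes) -> int:
    """Raw literal hit count, the way a bare keyword search reports a 3-4 digit CSC or PIN."""
    return len(re.findall(re.escape(keyword), image))


def build_sample_image() -> bytes:
    """Constructed image: a benign transaction log, build metadata, planted cleartext card
    data, and GPS-like noise that happens to contain the 4-digit keyword many times."""
    log = (b"order=1001 status=approved lat=39.7392 lon=-104.9903 user=merchant@example.test\n"
           b"order=1002 status=declined lat=39.7401 lon=-104.9912 user=merchant@example.test\n")
    # 17-digit build stamp: PAN-length digit run that fails Luhn and must be filtered out.
    metadata = b"\x00" * 32 + b"firmware-build-20110405123456789" + b"\x00" * 32
    # Planted cleartext Track 2 record and a bare PAN (well-known test numbers).
    planted = b";4111111111111111=2512101?" + b"\x00" * 16 + b"5500000000000004\n"
    noise = b"lat=39.1234 lon=-104.1234\n" * 150
    return log + metadata + planted + noise


def sweep(image: bytes) -> dict:
    """Summarise what each search class returns, as an analyst would before triage."""
    return {"pans": find_pans(image), "track2": find_track2(image),
            "csc_keyword_hits": count_keyword(image, b"1234")}


if __name__ == "__main__":
    result = sweep(build_sample_image())
    print("Luhn-valid PAN candidates:", result["pans"])
    print("Track 2 records:", result["track2"])
    print("raw hits for 4-digit keyword '1234':", result["csc_keyword_hits"])
```

On the constructed image the PAN and Track 2 searches return exactly the two planted values, the build stamp is discarded by the Luhn filter, and the bare "1234" search returns several hundred hits, every one of which an analyst would have to triage by hand, which is the false-positive effect the assessment describes.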

Test 3 Analysis - Data Flow between Components of the PAYware Mobile Terminal

No specific tests were conducted; however, the documentation review, the interviews with the developers and the rest of the assessment were consistent with the following statements:
- All functions for sensitive data capture always encrypt the sensitive data before returning it to the calling application.
- Encryption on the VX600 device is turned on by default at the deployment center and cannot be turned off in the merchant environment.
- No card data is transmitted in the clear between the VX600 sled and any integrated application or system, except under the error conditions previously described.

In reviewing the command list between the VX600 sled and the PAYware Mobile POS, several commands use a nomenclature that implies access to card data:
- obtaincarddata
- getcarddata
- VFICardData

These functions are available to the application that resides on the iPhone/iPod; however, all card data captured or returned through these functions is encrypted by the VX600 device at the point of swipe, and the PAYware Mobile POS application never receives unencrypted Sensitive Authentication Data or Cardholder Data.

Test 4 Analysis - Error State and Out-of-Band Encryption Review

As noted previously, there are two transactional scenarios in which data encryption does not occur:
- Invalid track data: this can include formatting issues on the magnetic stripe, a PAN that does not pass a Luhn check, a PAN that is not consistent across both tracks, or track data that does not contain the Service Code.
- Expiration out of range: if a card is swiped with an expiration date earlier than 2008 or later than 2040, the encryption function is not executed.

Tests were conducted on two types of cards:
- Expired cards with expiration dates in 2009 and 2010
- Cards with no Service Code in the track

In the case of the expired cards, we were able to see that encryption was actually turned on for the cards that expired in 2009 and 2010. For cards that expired in 2008 or earlier, according to the previous white paper (VeriFone VeriShield Protect Technical Assessment White Paper), encryption is turned off. Additionally, the test cards with no Service Code in the track were sent over the network unencrypted.
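To make the two exception conditions concrete, the following Python models them as a classifier over ISO/IEC 7813 track data and tallies how many swipes in a batch would leave the sled unencrypted, which is the figure the document says a merchant should track through CDMS. This is an added illustration, not VeriFone code, and it does not claim to be how the VX600 firmware performs the check: the regular expressions, the function names (classify_swipe, exception_summary), the two-digit-year-to-20YY mapping and the sample tracks are all assumptions or constructed test values.

```python
"""Exception-condition model for point-of-swipe encryption (added illustration, not VeriFone code).

Classifies a swipe by the two documented bypass scenarios, invalid track data and
expiration out of range, so a merchant can count how many swipes would leave the sled
unencrypted.  Track layouts follow ISO/IEC 7813; all sample tracks are constructed test
values.  The century rule (YY -> 20YY) is an assumption; the VX600 rule is not documented here.
"""
import re

EXPIRY_MIN_YEAR = 2008   # earlier than this: not encrypted (per the assessment)
EXPIRY_MAX_YEAR = 2040   # later than this: not encrypted (per the assessment)

# Track 1: %B PAN ^ NAME ^ YYMM SSS discretionary ?
# The service code is optional in the pattern so that its absence can be detected.  A track
# with no service code but digit-only discretionary data is ambiguous in this simplified layout.
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})?(?P<disc>[^?]*)\?$")
# Track 2: ; PAN = YYMM SSS discretionary ?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})?(?P<disc>[^?]*)\?$")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check over a PAN string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_swipe(track1, track2) -> str:
    """Return 'encrypt', or the exception under which the swipe would pass in the clear.

    Checks run in this order: track format, PAN consistency across tracks, Luhn,
    presence of the service code, then the expiration window."""
    parsed = []
    for regex, data in ((TRACK1_RE, track1), (TRACK2_RE, track2)):
        if data is None:          # None = that track was not read
            continue
        m = regex.match(data)
        if m is None:
            return "invalid_track_format"
        parsed.append(m)
    if not parsed:
        return "invalid_track_format"
    pans = {m.group("pan") for m in parsed}
    if len(pans) != 1:
        return "pan_mismatch"
    if not luhn_ok(pans.pop()):
        return "luhn_failure"
    if any(m.group("svc") is None for m in parsed):
        return "missing_service_code"
    year = 2000 + int(parsed[0].group("exp")[:2])   # assumption: YY maps to 20YY
    if year < EXPIRY_MIN_YEAR or year > EXPIRY_MAX_YEAR:
        return "expiry_out_of_range"
    return "encrypt"


def exception_summary(swipes) -> dict:
    """Tally swipes that would bypass encryption: the number to watch in CDMS-style reporting."""
    by_reason = {}
    for track1, track2 in swipes:
        reason = classify_swipe(track1, track2)
        if reason != "encrypt":
            by_reason[reason] = by_reason.get(reason, 0) + 1
    exceptions = sum(by_reason.values())
    return {"total": len(swipes), "exceptions": exceptions,
            "rate": exceptions / len(swipes) if swipes else 0.0, "by_reason": by_reason}


# Constructed swipes using well-known test PANs only: (track1, track2); None = track not read.
SAMPLE_SWIPES = [
    ("%B4111111111111111^TEST/CARD^25121010000000000?", ";4111111111111111=25121010000000000?"),  # normal
    (None, ";4111111111111111=0906101?"),   # expired 2009: still inside the window, encrypted
    (None, ";4111111111111111=0706101?"),   # expired 2007: out of range, passed in the clear
    ("%B5500000000000004^TEST/CARD^2512?", ";5500000000000004=2512?"),  # no service code
    (None, ";4111111111111112=2512101?"),   # Luhn failure
    ("%B4111111111111111^TEST/CARD^2512101?", ";5500000000000004=2512101?"),  # PAN differs between tracks
    ("garbage", None),                      # damaged stripe
]

if __name__ == "__main__":
    for t1, t2 in SAMPLE_SWIPES:
        print(f"{classify_swipe(t1, t2):>22}  {t2 or t1}")
    print(exception_summary(SAMPLE_SWIPES))
```

The 2009 sample is the case the assessment singles out: the card is expired, but because its year is not earlier than 2008 it stays inside the encryption window, whereas the 2007 card and the cards with no service code are the ones a merchant would see arrive at the gateway in the clear and should count against the "statistically insignificant" threshold.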

Assessment Conclusions

Coalfire validated that the PAYware Mobile POS application component of the PAYware Mobile Terminal solution does not capture, store, process or transmit cardholder data as part of authorization or settlement. As a result, the PAYware Mobile POS application is not within the scope of PA-DSS. When implemented according to the specific PCI guidance provided by VeriFone, the PAYware Mobile Terminal can be deployed in a fully PCI DSS compliant manner and can reduce the scope of PCI DSS compliance in a merchant environment. Coalfire also verified that the PAYware Mobile Terminal meets the Visa Best Practices for Mobile Payment Acceptance Solutions v1.0 released on 27 April 2011 (Appendix A).

Appendix A: Visa Best Practices for Mobile Payment Acceptance Solutions v1.0

At the time of the assessment, Visa released a set of best-practice guidance addressing Mobile Payment Acceptance Solutions for vendors and merchants. This section looks in more detail at how the VeriFone PAYware Mobile Terminal solution meets the Visa requirements.

Best practices for vendors (each Visa best practice is followed by how the VeriFone PAYware Mobile Terminal solution addresses it):

1. Provide payment acceptance applications and any associated updates in a secure manner with a known chain of trust.
   VX600 updates are embedded in the PAYware Mobile POS application and distributed by publishing an application update to the AppStore or through other enterprise distribution methods. Once Apple approves the update, it becomes available in the AppStore and can be downloaded by merchants through a secure distribution mechanism.

2. Develop mobile payment acceptance applications based on secure coding guidelines.
   iOS coding practices include frequent review of the Developer Forums hosted by Apple for information on vulnerabilities within the mobile devices or other potential security issues discovered. On the VX600 side, the vendor follows the PTS and PA-DSS compliance guidelines, so all governmental and industry compliance mandates are reviewed for their impact.

3. Protect encryption keys that secure account data against disclosure and misuse in accordance with industry-accepted standards.
   The updated VeriFone VX600 sled with VTP has passed PTS certification and is currently listed as a PTS-approved device on the PCI website. PTS certification ensures the protection of cryptographic keys.

4. Provide the ability to disable the mobile payment acceptance solution.
   PAYware Mobile uses a Merchant ID to authorize on the server. It can be deactivated by VeriFone in case the device is lost or stolen.

5. Provide functionality to track use and key activities within the mobile payment acceptance solution.
   PAYware Gateway provides the ability to access transaction logs over the web interface.

6. Provide the ability to encrypt all public transmission of account data.
   Card data is encrypted with point-to-point encryption using the VTP algorithm and additionally with SSL encryption when transmitted over the network.

7. Ensure that account data electronically read from a payment card is protected against fraudulent use by unauthorized applications in a consumer mobile device.
   The documentation reviewed and the developers interviewed confirm that no applications running on the mobile platform have access to unencrypted data electronically read by the VX600.

8. Provide the ability to truncate or tokenize the Primary Account Number (PAN) after authorization to facilitate cardholder identification by the merchant.
   Card data is tokenized on the VX600 device at the moment of card swipe.

9. Protect stored PAN data and/or sensitive authentication data.
   PAN data and/or sensitive authentication data is not stored on the VX600 sled or on the PAYware Mobile POS.

Best practices for merchants: the Implementation Guide (Appendix B) addresses all of the following requirements:
1. Only use mobile payment acceptance solutions as originally intended by an acquiring bank and solution provider.
2. Limit access to the mobile payment acceptance solution.
3. Immediately report the loss or theft of a consumer mobile device and/or hardware accessory.
4. Install software only from trusted sources.
5. Protect the consumer mobile device from malware.

Appendix B: Implementation Guide on Using the PAYware Mobile Terminal

General recommendations
- Only use the PAYware Mobile Terminal as originally intended by the acquiring bank and solution provider.
- Limit access to the PAYware Mobile Terminal to people you trust.
- Immediately report the loss or theft of a PAYware Mobile POS and/or VX600 sled.
- Install software only from VeriFone-trusted sources.
- Protect the consumer mobile device from malware. This can be achieved, for example, by forbidding the installation of new applications.

PCI-Compliant Wireless Settings

The PAYware Mobile POS does support wireless technologies, and the following guidelines for secure wireless settings must be followed per PCI Data Security Standard requirements 1.2.3, 2.1.1 and 4.1.1:

1.2.3: Perimeter firewalls must be installed between any wireless networks and systems that store cardholder data, and these firewalls must deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

2.1.1: All wireless networks implement strong encryption (e.g. AES):
- Encryption keys were changed from the defaults at installation and are changed whenever anyone with knowledge of the keys leaves the company or changes positions.
- Default SNMP community strings on wireless devices were changed.
- Default passwords/passphrases on access points were changed.
- Firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks (for example, WPA/WPA2).
- Other security-related wireless vendor defaults were changed, if applicable.

4.1.1: Industry best practices are used to implement strong encryption for the following over the wireless network in the cardholder data environment:
- Transmission of cardholder data
- Transmission of authentication data

Payment applications using wireless technology must facilitate the following regarding the use of WEP:
- For new wireless implementations, it is prohibited to implement WEP as of March 31, 2009.
- For current wireless implementations, it is prohibited to use WEP after June 30, 2010.

PCI-Compliant Delivery of Updates

This section describes how payment application updates and patches are delivered to the merchant. The method used must provide a secure chain of trust per the requirements in PA-DSS 7.2.a, including:

- Timely development and deployment of patches and updates. If a vulnerability is found, VFI will make its best effort to release a fix as soon as practical, with review by Apple usually completed within 7 days.
- Delivery in a secure manner with a known chain of trust. Updates are distributed by publishing an application to the Apple AppStore, where they are digitally signed and available for download in a secure manner.
- Delivery in a manner that maintains the integrity of the deliverable. Once Apple approves the update, it becomes available in the AppStore and can be downloaded by merchants through a secure distribution mechanism.
- Integrity testing of patches or updates prior to installation. App Store updates are digitally signed with a valid Apple certificate.

As a development company, VeriFone keeps abreast of the relevant security concerns and vulnerabilities in its area of development and expertise. The vendor does this through frequent review of the Developer Forums hosted by Apple for information on vulnerabilities within the mobile devices or other potential security issues discovered.

Key Management Roles & Responsibilities

The PAYware Mobile POS application does not store cardholder data in any way, nor does it provide any configurability that would allow a merchant to store cardholder data. Encryption keys for the transactions are stored on the VX600 device and meet PCI requirements according to the PTS standards. All key management is accomplished using the same processes reviewed and described in the VeriShield Total Protect White Paper previously published by Coalfire.

PCI-Compliant Use of End User Messaging Technologies (PA-DSS 12.2.b)

The PAYware Mobile POS application does not allow or facilitate the sending of PANs via any end-user messaging technology (for example, e-mail, instant messaging, and chat).

PAYware Mobile Terminal Initial Setup & Configuration
- Installing the Payment Application
- Defining the Payment Gateway
- Obtaining and Installing the SSL Certificate
- Running Test Transactions
- Special Instructions for Upgrades
- Accessing the PAYware Gateway Portal

Performing Maintenance
- Updating your Encryption Key

Glossary
- VX600 sled: the VeriFone VX600 device that mounts on the iPhone/iPod device and is used in conjunction with the PAYware Mobile POS application.
- PAYware Mobile POS: the Apple iOS-based device. Currently the iPhone 3G/3GS and iPod touch 4G are the only supported devices.
- VTP: VeriShield Total Protect
- PTS: PIN Transaction Security
- TRSM: Tamper-Resistant Security Module
- SPD: SmartPhone Device


More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 2

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 2 Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 2 An in-depth look at Payment Card Industry Data Security Standard Requirements 1, 2, 3, 4 Alex

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 1.2.1 July 2009 Document Changes Date Version Description Pages October 2008 July 2009 1.2 1.2.1

More information

Implementation Guide for PCI Compliance Microsoft Dynamics AX 2012

Implementation Guide for PCI Compliance Microsoft Dynamics AX 2012 Implementation Guide for PCI Compliance Microsoft Dynamics AX 2012 February 2012 Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you and your people to

More information

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008 Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 2.0 October 2010 Document Changes Date Version Description Pages October 2008 July 2009 October

More information

E2EE and PCI Compliancy. Martin Holloway VSP Sales Director VeriFone NEMEA

E2EE and PCI Compliancy. Martin Holloway VSP Sales Director VeriFone NEMEA E2EE and PCI Compliancy Martin Holloway VSP Sales Director VeriFone NEMEA Security Breaches In The News 2 Security Breaches In The News 3 Security Breaches In The News 4 Security Breaches In The News 5

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

Why Is Compliance with PCI DSS Important?

Why Is Compliance with PCI DSS Important? Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 2.0 October 2010 Document Changes Date Version Description Pages October 2008 July 2009 October

More information

Achieving PCI Compliance Using F5 Products

Achieving PCI Compliance Using F5 Products Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity

More information

Thoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director

Thoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director Thoughts on PCI DSS 3.0 D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director Agenda 1 2 3 Global Payment Card Statistics and Trends PCI DSS Overview PCI DSS Version 3.0: Important Timelines

More information

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009 AIS Webinar Payment Application Security Hap Huynh Business Leader Visa Inc. 1 April 2009 1 Agenda Security Environment Payment Application Security Overview Questions and Comments Payment Application

More information

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices This document is to be used to verify that a payment application has been validated against Visa U.S.A. Payment Application Best Practices and to create the Report on Validation. Please note that payment

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance REDSEAL NETWORKS SOLUTION BRIEF Proactive Network Intelligence Solutions For PCI DSS Compliance Overview PCI DSS has become a global requirement for all entities handling cardholder data. A company processing,

More information

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

Technology Innovation Programme

Technology Innovation Programme FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk

More information

EMV and Restaurants: What you need to know. Mike English. October 2014. Executive Director, Product Development Heartland Payment Systems

EMV and Restaurants: What you need to know. Mike English. October 2014. Executive Director, Product Development Heartland Payment Systems October 2014 EMV and Restaurants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service marks

More information

Catapult PCI Compliance

Catapult PCI Compliance Catapult PCI Compliance Table of Contents Catapult PCI Compliance...1 Table of Contents...1 Overview Catapult (PCI)...2 Support and Contact Information...2 Dealer Support...2 End User Support...2 Catapult

More information

Enforcing PCI Data Security Standard Compliance

Enforcing PCI Data Security Standard Compliance Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security & VideoSurveillance Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 The

More information

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE WORKBOOK. PCI SAQ TYPE C-VT Level 4. Virtual Terminals

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE WORKBOOK. PCI SAQ TYPE C-VT Level 4. Virtual Terminals COAST GUARD MORALE WELL-BEING AND RECREATION (MWR) PROGRAM PAYMENT CARD INDUSTRY (PCI) COMPLIANCE WORKBOOK PCI SAQ TYPE C-VT Level 4 Virtual Terminals 31 December 2014 COPYRIGHT NOTICE Copyright 2008-2014

More information

Information Sheet. PCI DSS Overview

Information Sheet. PCI DSS Overview The payment card industry (PCI) protects cardholder data through technical and operations standard set by its Council. Compliance with PCI standards is mandatory. It is enforced by the major payment card

More information

Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011. Information Supplement: Protecting Telephone-based Payment Card Data

Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011. Information Supplement: Protecting Telephone-based Payment Card Data Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011 Information Supplement: Protecting Telephone-based Payment Card Data Table of Contents Executive Summary 3 Clarification of

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

Parallels Plesk Panel

Parallels Plesk Panel Parallels Plesk Panel Copyright Notice Parallels Holdings, Ltd. c/o Parallels International GmbH Vordergasse 59 CH-Schaffhausen Switzerland Phone: +41-526320-411 Fax: +41-52672-2010 Copyright 1999-2011

More information

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance

More information

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed

More information

New York University University Policies

New York University University Policies New York University University Policies Title: Payment Card Industry Data Security Standard Policy Effective Date: April 11, 2012 Supersedes: N/A Issuing Authority: Executive Vice President for Finance

More information

Credit Card Security

Credit Card Security Credit Card Security Created 16 Apr 2014 Revised 16 Apr 2014 Reviewed 16 Apr 2014 Purpose This policy is intended to ensure customer personal information, particularly credit card information and primary

More information

PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES

PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES CUTTING THROUGH THE COMPLEXITY AND CONFUSION Over the years, South African retailers have come under increased pressure to gain PCI DSS (Payment Card Industry

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Introduction to PCI DSS

Introduction to PCI DSS Month-Year Introduction to PCI DSS March 2015 Agenda PCI DSS History What is PCI DSS? / PCI DSS Requirements What is Cardholder Data? What does PCI DSS apply to? Payment Ecosystem How is PCI DSS Enforced?

More information

EMV Frequently Asked Questions for Merchants May, 2014

EMV Frequently Asked Questions for Merchants May, 2014 EMV Frequently Asked Questions for Merchants May, 2014 Copyright 2014 Vantiv All rights reserved. Disclaimer The information in this document is offered on an as is basis, without warranty of any kind,

More information

Beef O Brady's. Security Review. Powered by

Beef O Brady's. Security Review. Powered by Beef O Brady's Security Review Powered by Why install a Business Class Firewall? Allows proper segmentation of Trusted and Untrusted computer networks (PCI Requirement) Restrict inbound and outbound traffic

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

CSU, Chico Credit Card PCI-DSS Risk Assessment

CSU, Chico Credit Card PCI-DSS Risk Assessment CSU, Chico Credit Card PCI-DSS Risk Assessment Division/ Department Name: Merchant ID Financial Account Location (University, Auxiliary Organization) Business unit functional contact: : Title: Telephone:

More information

Miami University. Payment Card Data Security Policy

Miami University. Payment Card Data Security Policy Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

Hybrid PA-DSS Report on Validation

Hybrid PA-DSS Report on Validation Hybrid PA-DSS Report on Validation For Applications that Store, Process, or Transmit Payment Card Data but are Not Part of Authorization or Settlement Application Vendor: KomBea Corporation 3400 N. Ashton

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

SecurityMetrics Introduction to PCI Compliance

SecurityMetrics Introduction to PCI Compliance SecurityMetrics Introduction to PCI Compliance Card Data Compromise What is a card data compromise? A card data compromise occurs when payment card information is stolen from a merchant. Some examples

More information

How To Comply With The New Credit Card Chip And Pin Card Standards

How To Comply With The New Credit Card Chip And Pin Card Standards My main responsibility as a Regional Account Manager for IMD is obtain the absolute lowest possible merchant fees for you as a business. Why? The more customers we can save money, the more volume of business

More information

PCI Data Security Standards

PCI Data Security Standards PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million

More information

Version 7.4 & higher is Critical for all Customers Processing Credit Cards!

Version 7.4 & higher is Critical for all Customers Processing Credit Cards! Version 7.4 & higher is Critical for all Customers Processing Credit Cards! Data Pro Accounting Software has met the latest credit card processing requirements with its release of Version 7.4 due to the

More information

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics About Us Matt Halbleib CISSP, QSA, PA-QSA Manager PCI-DSS assessments With SecurityMetrics for 6+ years SecurityMetrics Security

More information

PCI Security Standards Council

PCI Security Standards Council PCI Security Standards Council Jeremy King, European Director 2013 Why PCI Matters Applying PCI How You Can Participate Agenda 2 Why PCI Matters Applying PCI How You Can Participate Agenda About the PCI

More information

Plotting a Course for EMV Compliance

Plotting a Course for EMV Compliance Plotting a Course for EMV Compliance Plotting a Course for EMV Compliance PCI compliance...emv compliance by now, you ve heard repeatedly that your store or restaurant must be EMV-compliant by the recently

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing

More information