Point Secure Commerce Application (SCA) 2.x PCI PA-DSS Out of Scope White Paper


Executive Summary

Lyle Miller: CISSP, QSA, PA-QSA
December 3, 2013

VeriFone, Inc. (VeriFone) engaged Coalfire Systems Inc. (Coalfire), as a respected Payment Card Industry (PCI) Payment Application Qualified Security Assessor (PA-QSA) company, to conduct an independent technical assessment of their Point Secure Commerce Application (SCA). Coalfire conducted assessment activities including technical testing, architectural assessment, and compliance assessment. In this paper, Coalfire describes how the Point Secure Commerce Application (SCA) has been validated to the Payment Application Data Security Standard (PA-DSS), version 2.0, and is currently listed on the web site of the Payment Card Industry Security Standards Council (PCI SSC), Reference #: 13-08.00154.063. In a properly deployed solution that follows the guidance provided by VeriFone, the merchant's existing POS application would be rendered ineligible for PA-DSS validation when it uses the validated Point SCA solution.

About Point Secure Commerce Application (SCA)

VeriFone Point Secure Commerce Application (SCA) 2.x provides software options for OS-based/ECR (Electronic Cash Register) POS systems. The SCA handles all cardholder data during the authorization and settlement processes, allowing developers to achieve an Out of Scope solution for their POS application.

Prepared for:

Audience

This assessment white paper has two target audiences:

1. Merchants and service providers evaluating the Point Secure Commerce Application (SCA) 2.x solution for deployment in their payment card environment.
2. Partners and developers that are developing POS solutions that integrate with the Point Secure Commerce Application (SCA) 2.x solution in merchant and service provider payment card environments.

Assessment Scope

The scope of this assessment was to validate that neither unencrypted credit card data nor sensitive authentication data was stored or transmitted by the Point Secure Commerce Application (SCA) 2.x. The assessment testing focused on the following functional areas:

1. Integration of the VeriFone device.
2. Encryption of all card data using a VeriFone device and VeriFone VeriShield Protect (VSP).
3. Validation that the payment application in use by the merchant can be properly integrated with VeriFone Point SCA. When properly integrated with VeriFone Point SCA, the third party POS application does not have access to the decryption keys used by VeriFone Point SCA and therefore does not have access to cardholder data.
4. Validation that no cardholder data is stored on the system.

Card data is encrypted at the moment of swipe by the VeriFone card swipe devices, which are PTS 3.x approved devices. VeriFone Point Payment Gateway is listed as a Visa compliant service provider as of the date of this report.

Methodology

Coalfire has implemented industry best practices in our assessment and testing methodologies. Coalfire completed a multi-faceted technical assessment process during the course of this project using these industry and audit best practices. Coalfire conducted technical lab testing in our Colorado lab from May 13 to 24, 2013 and from July 31 to August 16, 2013. At a high level, testing consisted of the following tasks:

1. Technical review of the architecture of the full solution and its components.
2. Implementation of the VeriFone Point SCA payment application integrated with a POS application installed in Coalfire's PCI compliant lab environment, and transactional testing.
3. Evaluation of the data in transit on the systems running the POS application and VeriFone's Point SCA payment application.
4. Forensic evaluation of all data at rest on the system running the POS application.

Merchant PCI Compliance Scope

There will always be certain controls for PCI compliance that must be independently assessed in any merchant's environment, and PCI compliance will always apply to a merchant if cardholder data is transmitted, processed, or stored anywhere in their physical environment. However, if the Point Secure Commerce Application (SCA) 2.x solution is properly integrated in the merchant environment, then the merchant's POS application can remain out of scope of PA-DSS validation requirements.

Technical Security Assessment

The modular design of the Point Secure Commerce Application (SCA) 2.x application presented Coalfire with one deployment scenario. Our assessment covered this deployment architecture and the configuration options included with the application. The Point Secure Commerce Application (SCA) 2.x application was reviewed following the Payment Application Data Security Standard and following the format of the Report on Validation (ROV) normally completed by our PA-QSA company. The assessment included a comprehensive set of administration, technical, and physical control testing performed for the deployment architecture. Adherence to the applicable compliance control requirements of the PCI PA-DSS was validated within the scope of our security assessment.

The assessment included the following components:

1. Third party POS: a Point of Sale application in use by the merchant. This could be a PA-DSS validated payment application.
2. PTS 3.x approved device: a VeriFone PinPad with VeriFone's Point SCA payment application installed and configured to use VeriFone's VeriShield Protect solution.

Deployment Scenarios

There is only one deployment scenario available for the Point Secure Commerce Application (SCA) 2.x. For the VeriFone solution, the system utilizes the VeriFone Point SCA payment application for payment capture and the POS terminal, which communicates date, time, dollar amount, and invoice number to VeriFone with SoftPay for payment processing. The VeriFone PTS 3.x approved device encrypts the data at the point of capture with AES-128 using the included SRED functionality and transmits it directly to VeriFone's Point Payment gateway using SSL3/TLS1.0 OR ABOVE over public networks. The Point Payment gateway processes the transaction with the payment processor. After processor authorization occurs, the Point Payment gateway receives the authorization response from the payment processor and forwards it to the Point SCA payment application. The VeriFone Point SCA payment application receives the authorization response from the Point Payment gateway and forwards it to the integrated, 3rd party POS application. Only simple transaction details such as date, time, amount and invoice number are required by the Point of Sale software, keeping the POS application out of scope of PA-DSS compliance requirements.

Summary Findings

The following findings are relevant highlights from this assessment:

1. A VeriFone PTS 3.x approved card-swipe reader encrypts all credit card data at the swipe head.
2. The merchant's 3rd party POS systems do not have access to keys that can decrypt the credit card data.
3. The system does not transmit any unencrypted card data over its network connection.

Assessor Comments

Our assessment scope put a significant focus on validating the removal of PA-DSS scope from an existing point of sale system used by the merchant when properly integrated with VeriFone's Point Secure Commerce Application (SCA) 2.x. The Point Secure Commerce Application (SCA) 2.x solution can benefit POS developers by reducing the cost of a PCI PA-DSS compliance assessment and validation, thus providing an increased value proposition to their clients. It is also important to note that an Out of Scope solution for the integrated 3rd party POS application, as detailed in this white paper, does not eliminate a merchant's compliance responsibility to PCI DSS requirements. Be aware that disregarding PCI requirements and security best practice controls for systems and networks outside of PCI DSS scope can introduce many other security or business continuity risks to the merchant. Security and business risk mitigation should be any merchant's goal and focus when selecting security controls.

PCI PA-DSS Compliance Scope

The PCI PA-DSS applies to a payment application (as defined by PCI SSC) as follows: "The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties" (PCI PA-DSS Version 2.0, 2010, October: Page 5). VeriFone Point Secure Commerce Application is a PA-DSS validated payment application and is currently listed on the PCI SSC web site with Reference #: 13-08.00154.063.
The PCI Security Standards Council maintains a document entitled "Applications_Eligible_for_PA-DSS_Validation.pdf", which poses 13 questions for the purpose of determining if an application is eligible for assessment under the PA-DSS standard. As of the date of this writing, the document can be found at https://www.pcisecuritystandards.org/documents/which_applications_eligible_for_pa-dss_validation.pdf

If the answer is YES to ANY of the following 13 questions, the application is NOT eligible for validation under PA-DSS. Note: These questions are answered from the 3rd party integrated POS system perspective.

1) Is this a beta version of the application?
   a) No. This is a production ready application.

2) Does the application handle cardholder data, but the application itself does not facilitate authorization or settlement?
   a) No. Cardholder data is not handled by the POS application.

3) Does the application facilitate authorization or settlement, but has no access to cardholder data or sensitive authentication data?
   a) Yes. The POS application does facilitate authorization and settlement activities by pushing a prompt to the attached VeriFone device, which accepts, processes and transmits cardholder data.

4) Does the application require source code customization or significant configuration by the customer (as opposed to being sold and installed "off the shelf") such that the changes impact one or more PA-DSS requirements?
   a) No. The application is sold to customers and does not require source code customization.

5) Is the application a back-office system that stores cardholder data but does not facilitate authorization or settlement of credit card transactions? For example:
   (1) Reporting and CRM
   (2) Rewards or fraud scoring
   a) No. No cardholder data was found to be stored on the POS application during testing.

6) Is the application developed in-house and only used by the company that developed the application?
   a) No. The application is sold to multiple merchants.

7) Is the application developed and sold to a single customer for the sole use of that customer?
   a) No. There are multiple customers to which this application is sold.

8) Does the application function as a shared library (such as a DLL) that must be implemented with another software component in order to function, but that is not bundled (that is, sold, licensed and/or distributed as a single package) with the supporting software components?
   a) No. In order to remain unacceptable for validation against the PA-DSS, the application requires the use of a VeriFone PTS 3.x approved device through a call to a secure URL which processes, encrypts and transmits cardholder data directly to processing center systems.

9) Does the application depend on other software in order to meet one or more PA-DSS requirements, but is not bundled (that is, sold, licensed and/or distributed as a single package) with the supporting software?
   a) Yes. The application requires the use of a VeriFone PTS 3.x approved device running VeriFone's Point SCA payment application.

10) Is the application a single module that is not submitted as part of a suite, and that does not facilitate authorization or settlement on its own?
   a) No. The POS payment application is not a single module that is not part of a suite, and the application does not facilitate authorization and settlement on its own.

11) Is the application offered only as software as a service (SAAS) that is not sold, distributed, or licensed to third parties?
   a) No. The POS application is not offered only as software as a service.

12) Is the application an operating system, database or platform, even one that may store, process, or transmit cardholder data?
   a) No. The merchant's point of sale application operates on a Windows or other operating system computing device and is properly integrated with VeriFone's Point SCA payment application.

13) Does the application operate on any consumer electronic handheld device (e.g., smart phone, tablet or PDA) that is not solely dedicated to payment acceptance for transaction processing?
   a) No. As tested, the third party POS application resides on a Windows PC and is integrated with VeriFone's Point SCA application installed and running on a VeriFone PTS 3.x approved device.

Technical Assessment

Assessment Methods

The assessment used the following methods to assess the PCI PA-DSS scope impact of the solution:

1) Analysis of the architecture and configuration of the solution in accordance with VeriFone documentation and the Payment Application Data Security Standard.
2) Network analysis of transmitted credit card data.
3) Forensic analysis of the computer system to determine if credit card data is ever stored on the system or point of sale application and whether or not the decryption keys are available.

Point Secure Commerce Application (SCA) Components

Point Secure Commerce Application (SCA) is an integrated solution comprised of:

1) A point of sale application that can integrate with VeriFone's Point SCA payment application.
2) VeriFone's Point SCA payment application installed and configured on a VeriFone PTS 3.x approved device.

Assessment Environment

The payment application was assessed in Coalfire's lab and included VeriFone's Point SCA payment application 2.18.01. The system was implemented on a VeriFone PTS 3.x approved device running VeriFone's custom Linux operating system in a closed environment. Updates to this system are periodically provided by VeriFone's VHQ system. The payment application was integrated with a point of sale simulator provided by the vendor. This system was installed on a Dell E6420 laptop running Microsoft Windows 7 Enterprise SP1. The system was observed to be running with the latest Microsoft patches and updates. The system was observed to be running Microsoft Forefront Security Client with the latest virus definitions installed. All systems were separated from the Internet by a FortiGate 110C firewall.

Typical Network Implementation

The following diagram depicts the typical network setup for the VeriFone SCA payment application.

Notes:

1. Merchant Environment is the Cardholder Data Environment.
2. POS devices and receipt printer are part of the required payment application to which Point Secure Commerce Application (SCA) integrates.
3. Data in flight is protected using SSL3/TLS 1.0.
4. VeriFone back end (Point Payment gateway) is a Visa PCI Compliant Service Provider.

Swiped Card Data Flow

The diagram below illustrates the data flow of a credit card transaction as it occurs in the Point Secure Commerce Application (SCA) payment application.

Sale/Authorization with Credit Card (Card Swipe/Tap)

1. Transaction data is sent from the 3rd party POS application to the VeriFone PTS 3.x approved device.
2. The VeriFone PTS 3.x approved device prompts for the payment card swipe.
3. The VeriFone PTS 3.x approved device encrypts PAN/track data at the swipe head with AES-128.
4. Encrypted PAN/track data is transmitted to the Point Payment gateway using SSL3/TLS1.0 OR ABOVE over public networks.
5. The Point Payment gateway processes the transaction with the payment processor.
6. The payment processor transmits the authorization response to the Point Payment gateway, which re-transmits the response to the VeriFone PTS 3.x approved device.

Track 2 data is encrypted by the VeriFone PTS 3.x approved device at the moment of swipe and is transmitted directly to VeriFone's back end Point Payment gateway systems. At no time does the integrated POS application see or have access to cardholder or sensitive authentication data.

Sale/Authorization with Credit Card Manual Entry

1. Transaction data is sent from the 3rd party POS application to the VeriFone PTS 3.x approved device.
2. The VeriFone PTS 3.x approved device prompts for the payment card swipe.
3. The VeriFone PTS 3.x approved device encrypts PAN/track data at the swipe head with AES-128.
4. Encrypted PAN/track data is transmitted to the Point Payment gateway using SSL3/TLS1.0 OR ABOVE over public networks.
5. The Point Payment gateway processes the transaction with the payment processor.
6. The payment processor transmits the authorization response to the Point Payment gateway, which re-transmits the response to the VeriFone PTS 3.x approved device.

Cardholder data manually entered on the VeriFone PTS 3.x approved device is encrypted at the moment of capture and is transmitted directly to VeriFone's back end Point Payment gateway systems. At no time does the integrated POS application see or have access to cardholder or sensitive authentication data.

Network Traffic Assessment

A Wireshark Ethernet port sniffer was used to monitor network traffic from the VeriFone PTS 3.x approved device. Wireshark was also used to capture network traffic from the PC on which the 3rd party POS application was running. The captures indicate that no cardholder data is being transmitted over the network in the clear and that no communication of cardholder data or sensitive authentication data to the POS destination IP address occurred.

Forensic Analysis

The technical assessment included a forensic examination of the hard drive of the system running the Point Of Sale Application integrated with Point Secure Commerce Application. The process for examining the hard drive was as follows:

1. The Point Secure Commerce Application (SCA) solution installation disk was captured for forensic analysis.
2. Encase was used to search the forensic images for key criteria, including cardholder and sensitive authentication data. No findings were identified in the image when searched using Encase.

The following represents the conclusions from performing forensic analysis: the forensic analysis demonstrates that there is no residual cardholder or sensitive authentication data on the system running the integrated Point Of Sale Application. After conducting several transactions, a disk image of the testing system was taken and scanned for evidence of any credit card data or sensitive authentication data. Encase software was used for this forensic analysis and it showed no findings. The interview with the developers and review of the VeriFone Point SCA 2.x software confirmed there is no intent to store any credit card data or sensitive authentication data for any reason.
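As an added example (not part of the Coalfire report or of VeriFone's software), the kind of check the Wireshark and Encase steps above perform: scan a byte buffer for Luhn-valid PANs and track-1/track-2 records and report hits with the PAN masked, so a capture or disk image of a correctly integrated POS should come back clean. The sample payloads are constructed; the "device_to_gateway" bytes are fixed random-looking data standing in for the device's AES-128 output, and 4111111111111111 is a widely published test PAN.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. The Luhn filter below removes most noise.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so a report never reproduces a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(data: bytes) -> dict:
    """Find Luhn-valid PANs and track-1/track-2 records in a byte buffer.

    Returns {"pans": [(offset, masked_pan)], "tracks": [(offset, kind, masked_pan)]}.
    """
    findings = {"pans": [], "tracks": []}
    for m in PAN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings["pans"].append((m.start(), mask_pan(digits)))
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(data):
            pan = m.group(1).decode("ascii")
            findings["tracks"].append((m.start(), kind, mask_pan(pan)))
    return findings


def contains_cleartext_chd(data: bytes) -> bool:
    """Pass/fail verdict for one captured payload or one image chunk."""
    f = scan(data)
    return bool(f["pans"] or f["tracks"])


# Constructed sample payloads (not taken from the assessment).
SAMPLES = {
    # What the POS sends the device: date, time, amount and invoice only.
    "pos_to_device": b"DATE=20131203;TIME=101500;AMOUNT=12.34;INVOICE=000457",
    # What a correctly working device sends the gateway: opaque ciphertext
    # (fixed random-looking bytes standing in for the AES-128 output).
    "device_to_gateway": bytes.fromhex(
        "9ec4ff017ba25ce811f04d936ac702be885fd31a77e40cb946af29d063f8951e"
    ),
    # What a failing capture would look like: cleartext track 2 and a form PAN.
    "leaked_track2": b";4111111111111111=251210112345?",
    "leaked_pan_form": b"pan=4111 1111 1111 1111&amount=1000",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        verdict = "FAIL" if contains_cleartext_chd(payload) else "clean"
        print(f"{name:18s} {verdict:5s} {scan(payload)}")
```

Feed `scan` the payload bytes of each captured frame, or successive chunks of a disk image; overlapping the chunks by a few dozen bytes avoids missing a PAN that straddles a chunk boundary.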

Tools and Techniques

Standard tools Coalfire utilizes for its application security reviews can include:

Tool Name          Description
Encase             Forensic tool* for digital data and media analysis.
Wireshark          Ethernet port sniffer, used to observe the traffic coming in and out of the system.
Additional tools   FTK Imager, Process Explorer

* Forensic tool: A tool or method for uncovering, analyzing and presenting forensic data, which provides robust ways to authenticate, search, and recover computer evidence rapidly and thoroughly.

Notes:

1. Coalfire Systems, Inc. has performed a PA-DSS validation on VeriFone's Point SCA application on a VeriFone MX925 (PTS 3.x approved, Reference # 4-10110) device.
2. Coalfire Systems, Inc. is scheduled to assess VeriFone's Point SCA payment application on a VX820 (PTS 3.x approved, Reference # 4-40054) device.
3. Point Payment Gateway leverages VeriFone's Payware Connect gateway, currently listed as Visa compliant at the time of this report.