Verifone Takes Lead in Securing Card Payments with PA-DSS

Will Only Provide PA-DSS Audited Payment Applications in Initiative that Supports New Rules Governing PCI Compliance for All Levels of Merchants

October 30, 2008, San Jose, CA

Verifone Holdings, Inc. (NYSE: PAY), today announced an aggressive program to ensure implementation of the PCI Security Standards Council’s (PCI SSC) Payment Application Data Security Standard (PA-DSS). This program establishes a comprehensive PA-DSS compliance policy aimed at ensuring protection of cardholder information across virtually all merchant environments and all types of card acceptance devices.

Verifone expects rapid availability of its terminal-based payment applications to meet all needs of acquirers and merchants in complying fully with the PA-DSS mandate. PC- and server-based Verifone applications such as PAYware PC already comply with PA-DSS or its predecessor, the Visa Payment Applications Best Practices (PABP). PA-DSS is intended to ensure secure payment applications do not store prohibited data, such as full magnetic stripe, CVV2, PIN or other sensitive data, and are compliant with the PCI Data Security Standard (PCI DSS).

First published in April 2008, PA-DSS expands upon PABP to encompass card acceptance devices known as “stand-alone POS terminals,” which are commonly used by smaller “level 4” merchants who represent the largest installed base of payment acceptance devices globally. It also encompasses consumer-facing payment devices and programmable PIN pads that are connected to electronic cash registers in use at larger “level 1 and 2” merchants.

Merchants are increasingly utilizing these systems in a manner that brings them under PA-DSS requirements, leading Verifone to establish a universal compliance program for all of its applications used in its programmable payment acceptance devices going forward, initially targeting the US/Canada market. Because each payment application certified by each bank, processor or acquirer must now be audited, full PA-DSS compliance will result in hundreds of individual audits by qualified assessors. Auditing device-based payment applications at the supplier level will minimize the number of audits required and lower compliance costs for buyers.

“Adherence to the PA-DSS by vendors is an excellent way organizations can ensure the utmost in transaction integrity. Providing customers with only PA-DSS audited applications will help us further standardize security levels industry-wide,” said Bob Russo, general manager of the PCI Security Standards Council.

The PCI SSC was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. to enhance payment account data security by driving education and awareness of the PCI Security Standards.

“There is nothing more important to this industry than a consumer’s trust in the payment system and Verifone applauds this bold step by the PCI SSC to create a third-party validation testing program that positively verifies compliance to the PA-DSS standard and ensures protection of sensitive cardholder information,” said Verifone Chief Security Officer Dave Faoro. “We are taking this bold step to ensure that banks, acquirers and merchants can easily comply.”

According to the PA-DSS mandate, POS terminals that encompass payment applications must be audited by a PA-QSA laboratory unless they are utilized in very limited environments that reduce the possibility of compromise. These restrictions stipulate that the payment device has no connection to any of the merchant’s systems or networks, that it connects to the acquirer or merchant via a private line, that it can be securely updated remotely, and that sensitive authentication data is not stored. The overwhelming majority of “stand-alone POS terminal” payment applications being certified today by leading processors no longer meet all of these usage restrictions and therefore fall under the scope of the PA-DSS compliance mandate.

About Verifone Holdings, Inc.
Verifone Holdings, Inc. (“Verifone”) (NYSE: PAY) is the global leader in secure electronic payment solutions. Verifone provides expertise, solutions and services that add value to the point of sale with merchant-operated, consumer-facing and self-service payment systems for the financial, retail, hospitality, petroleum, government and healthcare vertical markets. Verifone solutions are designed to meet the needs of merchants, processors and acquirers in developed and emerging economies worldwide.

Safe Harbor Statement under the Private Securities Litigation Reform Act of 1995 for Verifone Holdings, Inc.: This press release includes certain forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. These statements are based on management’s current expectations or beliefs and are subject to uncertainty and changes in circumstances. Actual results may vary materially from those expressed or implied by the forward-looking statements herein due to changes in economic, business, competitive, technological and/or regulatory factors, and other risks and uncertainties affecting the operation of the business of Verifone Holdings, Inc. These risks and uncertainties include: our ability to successfully implement the Payment Application Data Security Standard (PA-DSS) with respect to our POS terminals, our customers' acceptance and adoption of the PA-DSS requirements, our ability to protect against fraud, the status of our relationship with and condition of third parties upon whom we rely in the conduct of our business, our dependence on a limited number of customers, uncertainties related to the conduct of our business internationally, our dependence on a limited number of key employees, short product cycles, rapidly changing technologies and maintaining competitive leadership position with respect to our payment solution offerings. For a further list and description of such risks and uncertainties, see our filings with the Securities and Exchange Commission, including our annual report on Form 10-K and our quarterly reports on Form 10-Q. Verifone is under no obligation to, and expressly disclaims any obligation to, update or alter its forward-looking statements, whether as a result of new information, future events, changes in assumptions or otherwise.