Recertification: 02/2017

Previous recertifications: 03/2012 and 08/2014

Initial certification: 03/2010

ValidSoft proved that its IT product VALid-POS complies with EU data protection law. Customers of ValidSoft such as banks or payment processors use the product to identify possibly fraudulent credit and debit card “card-present” transactions at Automated Teller Machines (ATMs or “cashpoints”) and at Point of Sale (POS) terminals. They can be sure that the respective data processing is in line with the demanding provisions of EU data protection law. Card holders (bank customers) can be confident that their data is only used to assist financial institutions in countering the fraudulent use of credit and debit cards.

Press Release 2010

European Privacy Seal for VALid-POS

Product/Version


VALid-POS® Standard Edition v2

Qualification: IT product

View the VALid-POS Certificate

Cert. No.

EP-P-PL0Y59

Version of Certification Criteria

11/2011 (95/46/EC)

Validity

03/02/2017 until 28/02/2019

Second recertification on August 12, 2014

First recertification on March 31, 2012

Initial certification on March 31, 2010

Public Report

2017 recertification VALid-POS public report [PDF]

2014 recertification VALid-POS public report [PDF]

2012 recertification VALid-POS public report [PDF]

2010 VALid-POS public report [PDF]

Manufacturer/Provider

VALIDSOFT LIMITED
Arthur Cox Building
Earlsfort Terrace
Dublin 2
Ireland

BEST

VALid-POS sticks to the principle of data avoidance and minimisation by keeping the personal data processed to the absolute minimum and by making use of obfuscation measures. Buyers of the software are comprehensively informed about their data protection obligations and contractually bound to ensure compliance with the applicable data protection law when making use of VALid-POS.

ATTENTION:

n.a.

Summary

VALid-POS is a tool to assist financial institutions such as banks or payment processors (henceforth referred to as "banks") in identifying possibly fraudulent credit and debit card “card-present” transactions at Automated Teller Machines (ATMs or “cashpoints”) and at Point of Sale (POS) terminals, as used in supermarkets, retailers, restaurants, etc. Basically, VALid-POS verifies, with the help of a partner telecommunications service provider (TSP), whether the card that is being presented is in the same country or area as the mobile phone that the card owner has registered with the bank.

Details

Recertification 02/2017:

The TOE has not changed. Nothing has been added to the TOE. Nothing has been removed from the TOE. There are no new regulations relevant to the TOE. The EuroPriSe Criteria Catalogue requirements relevant to the TOE have not changed. The experts verified that there are no new technical standards relevant to the TOE and that the state of the art has not changed.

Recertification 08/2014:

The TOE has not changed. Nothing has been added to the TOE. Nothing has been removed from the TOE. There are no new regulations relevant to the TOE. The EuroPriSe Criteria Catalogue requirements relevant to the TOE have not changed. The experts verified that there are no new technical standards relevant to the TOE and that the state of the art has not changed.

Initial certification (03/2010):

The product is to be used by ValidSoft's customers (banks or payment processors) as follows: If a proposed ATM- or POS-terminal transaction is assessed as potentially fraudulent by the bank’s own risk engine, information on the ATM or POS terminal is sent within the bank to the VALid-POS tool, together with the number of a mobile phone which the card-holder has registered with the bank, and a unique lookup reference number. This information does not reveal the geographical location of the ATM or POS terminal: for the software, it is simply a unique (abstract) number.

The VALid-POS tool passes the telephone number on to the partner TSP. The latter carries out a “lookup” of the mobile phone in question and, on the basis of this lookup, sends largely obfuscated information on the whereabouts of that mobile phone to the VALid-POS tool. The obfuscation means, in particular, that the information as sent from the TSP to the software does not reveal the geographical location of the mobile phone: for the VALid-POS tool, this too is simply a unique (abstract) number.

The software then correlates the two unique numbers relating to the ATM or POS terminal and the whereabouts of the mobile phone and can determine from this whether it is likely that the card is in the same country or area as the mobile phone. VALid-POS is capable of this because the pattern of links between unique numbers relating to particular ATMs and (obfuscated) unique numbers relating to particular mobile network segments has been previously established by the software during a learning phase.

If the card and the mobile phone are not in the same country or area, this suggests that the transaction is indeed potentially fraudulent, and that the bank should indeed consider declining the transaction as its own risk engine suggested. On the other hand, if the mobile phone is in the same country or area as the card, it is less likely that the transaction is fraudulent, and therefore more likely that the bank’s risk engine’s conclusion was a “false positive”.

Technical Evaluator

Javier Garcia-Romanillos Henriquez de Luna
Calle Zurbarán 7, 6B
28010 Madrid
Spain

Legal Evaluator

Prof. Douwe Korff
Wool Street House
Gog Magog Hills
Babraham
Cambridge CB22 3AE
UK

Formerly Certified Versions

n.a.


Disclaimer:

This register is kept with the utmost care. However, EuroPriSe does NOT guarantee the accuracy of information found on the Site. Your reliance on information found on the Site is at your own risk. For more information please go to EuroPriSe Terms & Conditions.

© 2008 - 2019 | EuroPriSe GmbH - European Privacy Seal | Handelsregister-Nr. (Commercial Register No.): Bonn HRB 20387


Product/Version

REISSWOLF f.i.t.

v1.5; service function as provided in 05/2018

Qualification: IT product and IT-based service (processor service)

View the REISSWOLF f.i.t. certificate

Version of Certification Criteria

11/2011

Cert. No.

EP-S-X5TSCN

Validity

24/05/2018 - 31/05/2020

Monitoring

01/2019

09/2019

Public Report

f.i.t. Short Public Report

Manufacturer/Provider

REISSWOLF Systems GmbH

Im Heegen 13
22113 Oststeinbek
Germany

BEST

Access policies can be used to restrict system usage to specific times of the day and/or IP addresses to reduce the attack surface for third-party access. A user session is controlled by means of a cross-tab synchronised session countdown.

ATTENTION

Regarding the processing of personal data on third persons by means of f.i.t., it must be highlighted that the (usually) corporate users of the service qualify as controllers whereas REISSWOLF Systems GmbH acts as a processor on behalf of the users. Customers are advised that the legitimate use of the service may require the collection of the data subject's consent and/or declaration of release from confidentiality.

SUMMARY

REISSWOLF f.i.t. is a web-based archiving system for data storage and access. It serves the purpose of uploading, storing, managing and exchanging data in the sense of a document management system. f.i.t. is a web application that can be used with common internet browsers.

DETAILS

REISSWOLF f.i.t. is primarily designed for commercial use. It is distributed by REISSWOLF Systems GmbH and operated as Software as a Service (SaaS) in a data center in Germany.

The ToE includes

  • The web-based service REISSWOLF f.i.t. (for details, please cf. the short public report)

It does not include

  • REISSWOLF f.i.t. mobile app
  • REISSWOLF f.i.t. hotfolder
  • Office module
  • Teamviewer
  • Other alternative interfaces to clients

Technical + Legal Evaluator

Ann-Karina Wrede
Innungsstraße 7
21244 Buchholz
Germany

Initial Certification: 05/2018

REISSWOLF f.i.t. provides a web-based service that enables companies to upload, store, manage and exchange data in the sense of a document management system. Users of the service are controllers in respect of personal data on third persons that is processed by means of f.i.t. The service is designed in a way that facilitates the users' compliance with EU data protection law.


European Privacy Seal for REISSWOLF f.i.t.