Visa rolls out new payment application security mandates
Companies accepting payment cards have three years to comply
Computerworld - Amid signs of growing frustration in the retail community over the credit card industry's Payment Card Industry (PCI) data security requirements, Visa on Tuesday quietly rolled out an additional set of Payment Application Security Mandates for all companies that handle credit and debit card transactions.
Under the multiphase initiative, covered entities will have three years to ensure that all their payment applications are compliant with a set of security requirements mandated by Visa (download PDF). The rules apply to any third-party payment software used by companies for storing, processing or transmitting cardholder data.
For many companies, especially large ones using older payment applications, Visa's mandate could mean "tens of millions of dollars" in upgrades to new technologies over the next few years, said Jim Huguelet, an independent consultant in Bolingbrook, Ill. The mandates will also "by proxy" force vendors of payment applications to finally start implementing security features that have been recommended by Visa and others for some time now, he said.
"This is a really major step forward for the industry in asking payment application vendors to step up and support more directly the compliance efforts of their customers," Huguelet said. Until now, adherence to such standards was an "optional sort of thing" for vendors. "Now it has become clear that payment vendors have to make their software support security standards" or risk being cast aside by their customers, he said.
Visa's mandates have been expected for some time and are designed to address long-standing security weaknesses in the applications merchants use to conduct payment card transactions. The biggest concern has been the fact that many payment applications now in use are designed to store data such as the full magnetic-stripe information from the back of cards, card-verification code numbers and PIN data. Storing that data has made payment systems an attractive target for hackers and has long been considered a fundamental security weakness. It is a practice that has been explicitly banned under PCI.
However, it has been hard for many companies to comply with this requirement since certain payment applications currently in use -- especially older applications -- are designed to store the prohibited data by default, sometimes without even the knowledge of the companies using them.
Visa has over the last two years or so been pushing the vendors of such payment applications into making their software more secure. The company has developed a set of so-called Payment Application Best Practices (PABP) to help vendors implement the recommended security features in their software. It maintains a list of validated payment applications that meet the PABP standards and has been urging companies to start using those applications.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts