Visa offers new guidance on securing payment applications
The latest best practices complement existing payment application security standard, credit card company says
Computerworld - Visa on Tuesday announced a set of security best practices for vendors of payment applications and for the systems integrators and resellers responsible for implementing and managing them.
The guidelines are designed to address continuing vulnerabilities in the payment chain stemming from insecure implementations of the applications that are used in credit and debit card transactions, according to Eduardo Perez, Visa's head of global payment system security.
The existing Payment Application Data Security Standard (PA-DSS) administered by the PCI Security Council, already requires developers of payment applications to implement specific security controls in their software. For instance, the standard requires application vendors and developers to ensure their applications do not store certain cardholder and authentication data, such as PINs.
However, while the software itself may be secure, several vulnerabilities continue to persist because of improper configurations and other implementation errors, Perez said.
Visa's best practices are a natural extension to the PA-DSS requirements, Perez said. "What we have done is to go a bit beyond these requirements. PA-DSS is about secure payment applications and not about their secure implementation and management."
Visa's guidelines were developed in collaboration with the SANS Institute, a Bethesda, Md.-based security training and certification organization. The best practices touch upon 10 different issues and include a mix of technology and process-related advice.
For instance, the best practices urge developers and systems integrators to conduct application vulnerability detection tests and code reviews to detect common vulnerabilities. It also urges them to adhere to secure software development practices and to actively work at identifying and decommissioning payment applications that store PINs and other cardholder data that they're prohibited from storing.
Visa's guidelines are part of a continuing effort by the company to get stakeholders within the payment industry to adopt some fairly fundamental security standards for protecting cardholder data. Tuesday's best practices for instance, are similar to guidance the company has released previously on tokenization and encryption.
The company has also been the most vigorous proponent of the PCI data security standard and is believed to be the most aggressive at enforcing compliance with the standard.
In the past, several of Visa's best practices and guidelines have ended up being drafted into formal payment industry standard. Even the PA-DSS itself, for instance, was originally proposed by Visa as a set of best practices before it eventually became a formal PCI standard.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts