Visa offers new guidance on securing payment applications
The latest best practices complement existing payment application security standard, credit card company says
Computerworld - Visa on Tuesday announced a set of security best practices for vendors of payment applications and for the systems integrators and resellers responsible for implementing and managing them.
The guidelines are designed to address continuing vulnerabilities in the payment chain stemming from insecure implementations of the applications that are used in credit and debit card transactions, according to Eduardo Perez, Visa's head of global payment system security.
The existing Payment Application Data Security Standard (PA-DSS) administered by the PCI Security Council, already requires developers of payment applications to implement specific security controls in their software. For instance, the standard requires application vendors and developers to ensure their applications do not store certain cardholder and authentication data, such as PINs.
However, while the software itself may be secure, several vulnerabilities continue to persist because of improper configurations and other implementation errors, Perez said.
Visa's best practices are a natural extension to the PA-DSS requirements, Perez said. "What we have done is to go a bit beyond these requirements. PA-DSS is about secure payment applications and not about their secure implementation and management."
Visa's guidelines were developed in collaboration with the SANS Institute, a Bethesda, Md.-based security training and certification organization. The best practices touch upon 10 different issues and include a mix of technology and process-related advice.
For instance, the best practices urge developers and systems integrators to conduct application vulnerability detection tests and code reviews to detect common vulnerabilities. It also urges them to adhere to secure software development practices and to actively work at identifying and decommissioning payment applications that store PINs and other cardholder data that they're prohibited from storing.
Visa's guidelines are part of a continuing effort by the company to get stakeholders within the payment industry to adopt some fairly fundamental security standards for protecting cardholder data. Tuesday's best practices for instance, are similar to guidance the company has released previously on tokenization and encryption.
The company has also been the most vigorous proponent of the PCI data security standard and is believed to be the most aggressive at enforcing compliance with the standard.
In the past, several of Visa's best practices and guidelines have ended up being drafted into formal payment industry standard. Even the PA-DSS itself, for instance, was originally proposed by Visa as a set of best practices before it eventually became a formal PCI standard.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!