Visa offers new guidance on securing payment applications

The latest best practices complement the existing payment application security standard, credit card company says

Visa on Tuesday announced a set of security best practices for vendors of payment applications and for the systems integrators and resellers responsible for implementing and managing them.

The guidelines are designed to address continuing vulnerabilities in the payment chain stemming from insecure implementations of the applications that are used in credit and debit card transactions, according to Eduardo Perez, Visa's head of global payment system security.

The existing Payment Application Data Security Standard (PA-DSS), administered by the PCI Security Council, already requires developers of payment applications to implement specific security controls in their software. For instance, the standard requires application vendors and developers to ensure their applications do not store certain cardholder and authentication data, such as PINs.

However, while the software itself may be secure, several vulnerabilities continue to persist because of improper configurations and other implementation errors, Perez said.

Visa's best practices are a natural extension to the PA-DSS requirements, Perez said. "What we have done is to go a bit beyond these requirements. PA-DSS is about secure payment applications and not about their secure implementation and management."

Visa's guidelines were developed in collaboration with the SANS Institute, a Bethesda, Md.-based security training and certification organization. The best practices touch upon 10 different issues and include a mix of technology and process-related advice.

For instance, the best practices urge developers and systems integrators to conduct application vulnerability detection tests and code reviews to detect common vulnerabilities. They also urge them to adhere to secure software development practices and to actively work at identifying and decommissioning payment applications that store PINs and other cardholder data that they're prohibited from storing.

Visa's guidelines are part of a continuing effort by the company to get stakeholders within the payment industry to adopt some fairly fundamental security standards for protecting cardholder data. Tuesday's best practices, for instance, are similar to guidance the company has released previously on tokenization and encryption.

The company has also been the most vigorous proponent of the PCI data security standard and is believed to be the most aggressive at enforcing compliance with the standard.

In the past, several of Visa's best practices and guidelines have ended up being drafted into formal payment industry standards. Even the PA-DSS itself, for instance, was originally proposed by Visa as a set of best practices before it eventually became a formal PCI standard.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is

Copyright © 2010 IDG Communications, Inc.
