FAQ: What Visa's payment application security mandates mean

The new rules affect all companies accepting payment card transactions

Visa International Inc. last week released a new set of Payment Application Security Mandates (download PDF) that all companies accepting payment card transactions are required to implement. Here's what you need to know about the mandates and what they mean:

What exactly are these mandates? Who's affected? Basically, they require any company that accepts payment card transactions to ensure that all third-party payment applications they use to store, process or transmit cardholder data comply with a set of minimum security requirements from Visa.

How quickly does Visa want companies to put these in place? Visa's giving companies until July 1, 2010, to make sure that all their third-party point-of-sale and payment applications comply with Visa's Payment Application Best Practices (PABP). By that date, all companies are required to have either upgraded their existing software to PABP-complaint versions or migrated to new software.

What is PABP? Visa's PABP is a set of 14 broad-based security controls designed to do a number of things such as preventing payment software from automatically storing certain types of cardholder data while encrypting other types of data; providing for strong password controls; protecting wireless transactions; and logging transaction activity.

Who exactly needs to implement these controls? These are security requirements that the vendors of payment software need to implement if they want customers to keep using their products.

So these are security controls that payment vendors are required to follow then? Yes and no. Contractually, Visa cannot require software vendors to do anything. Vendors of payment software are free to develop their software any old way they choose -- with or without the mandated Visa controls in them. The only problem (for them) is that their customers will be prohibited from buying the software unless it is compliant with the Visa mandates.

How do these application security mandates tie in with payment card industry (PCI) standards? These requirements are designed to help companies comply with PCI. PCI controls relating to payment software specify the minimum security features that must be supported by payment applications if a company wants to be PCI compliant. By the way, the PCI Security Standards Council is expected to take Visa's PABP and incorporate it into a broader Payment Application Data Security Standard that will be mandated by not just Visa, but also by MasterCard, American Express, Discover and JCB.

What are the implementation deadlines for Visa's Payment Application Security mandates? According to a Visa bulletin released on Oct. 23, these are the dates to keep in mind:

  • Jan 1. 2008: Any new merchants that want to be authorized for payment card transactions will have to be using only PABP-validated applications. After this date, VisaNet processors and agents cannot certify new payment applications to their platforms if they are known to vulnerable.
  • July 1, 2008: VisaNet processors and agents must only certify new payment applications to their platforms that are PABP-compliant.
  • Oct. 1, 2008: Level 3 and 4 merchants that have just been authorized to accept card transactions must be PCI DSS compliant or use PABP-compliant applications. Level 3 merchants process between 20,000 and 1 million e-commerce transactions a year through Visa. Level 4 merchants have fewer than 20,000 e-commerce transactions per year -- and all other merchants, regardless of acceptance channel, which process fewer than 1 million Visa transactions annually. Acceptance channels refers to how transactions are conducted, online, in person or by phone, for instance.
  • Oct. 1, 2009: VisaNet processors and agents are required to decertify all vulnerable payment applications, meaning that companies still using them will no longer be PCI compliant.
  • July 1, 2010: After this date, all merchants, VisaNet processors and agents are require to use only PABP-compliant payment applications.

Where can one get more information on PABP? Right here.

How do I know if my payment software is compliant or not? Check with Visa. It maintains a list of payment applications that have already been validated for compliance with PABP requirements. That list is available online.

And if the payment software my company uses is already on that list? Lucky you! Your company is probably already compliant with Visa's new requirements. But don't take our word for it. Definitely check with the company that validates your PCI compliance to be sure.

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon