Visa tries new tack with payment app security

It's pushing vendors to comply with best practices

Visa U.S.A. is quietly ratcheting up the pressure on vendors of payment applications and the businesses that use them to make their software compliant with a set of security best practices being pushed by the company.

It recently sent letters listing payment applications from six vendors that it wants companies to stop using because the software captures and stores sensitive card data.

The letters were sent to the "acquiring" financial institutions that grant companies the approval they need to accept payment card transactions. The missive from Visa urged acquirers to ensure that companies using the listed software either upgrade to newer versions or move to a different product altogether. Any company that continues to use the listed software is in violation of Payment Card Industry (PCI) data security rules, Visa said in its letter.

PCI is a set of data security standards mandated by the major credit card companies, including Visa. All entities that accept credit or debit card payments are required to follow them; companies in violation of PCI rules can be fined or banned from accepting payment card transactions.

This is the first time the company has sent out a list of software that it specifically wants businesses to avoid. The letters are part of an effort to deal with a major issue related to payment card security, Eduardo Perez, vice president of payment system risk at Visa, said via e-mail. "One of the most significant threats to payment system security comes from the storage of prohibited data, such as card verification value numbers, PINs and full-track data," Perez said. "We have seen merchants [being] targeted by data thieves because they were storing sensitive payment card data and weren't even aware that their systems were storing it."

To address that and other security issues, Visa has for some time now maintained a set of Payment Application Best Practices (PABP) for software vendors, Perez said. Distributing a list of products failing to meet PABP should push more vendors to adopt the best practices, he said.

"We anticipate that marketplace forces will encourage increasingly more vendors to go through the process of ensuring that their applications are compliant" with Visa's PABP standards, he said. "Many of these vendors view PABP as a competitive differentiator."

So far, Visa has certified 155 payment applications from 83 vendors as meeting PABP requirements.

Visa first published its list of noncompliant software in a member bulletin on Feb. 27 and later distributed the list in letters in early April. In the future, Visa plans to update the list of noncompliant products and distribute it periodically, Perez said.

The move shines a spotlight on a "big weak point" in the PCI program, said Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc. "There are no standards for PCI-compliant software" that vendors must follow, Litan said. And while there are efforts to make Visa's PABP part of the broader set of PCI standards, compliance with it is still voluntary for vendors. However, breaches such as the one at TJX Companies Inc. earlier this year emphasize the growing need for software vendors "to be held to the same standards as the retailers are under PCI," Litan said.

Under PCI, merchants are required to ensure that their payment applications do not capture prohibited data while still supporting functions such as transaction logging and data encryption, said Chris Noell, CEO of TruComply, an Austin-based consulting firm that focuses on the payment card industry. "But there is no obligation today for a payment application vendor to produce PCI-compliant software," Noell said.
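The practical problem behind both Perez's and Noell's remarks is that a merchant can't tell it is non-compliant unless it looks at what its software actually writes to disk. The following is an added example (not code from the article, Visa, or any of the vendors mentioned) of the kind of check a merchant or assessor can run over application logs: it flags full-track data, security codes and PIN fields, and shows what a compliant record looks like by redacting everything except a masked PAN. The log format and field names (`pan=`, `cvv2=`, `pin=`) are assumptions; the track layouts follow the ISO/IEC 7813 formats, and the sample lines are constructed.

```python
"""Detect and redact prohibited cardholder data (full-track data, CVV/CVC,
PIN blocks) in application log lines.

Added example, not part of the original article or any vendor's product.
The log format and field names are assumptions; the track formats follow
ISO/IEC 7813. SAMPLE_LOG is constructed test data using well-known test PANs.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Security code or PIN (block) logged as a key=value field (assumed names).
SECRET_FIELD_RE = re.compile(
    r"\b(cvv2?|cvc2?|cid|pin|pinblock)\s*[=:]\s*([0-9A-Fa-f]{3,16})", re.I)
# Bare 13-19 digit run; confirmed with Luhn to cut down on false positives.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample lines: a cleartext PAN + CVV2, a raw swipe dump, a clean record.
SAMPLE_LOG = [
    "2007-04-02 10:15:01 AUTH ok amt=42.10 pan=4111111111111111 cvv2=123 auth=A1B2C3",
    "2007-04-02 10:15:02 DEBUG swipe=%B5555555555554444^DOE/JANE^2512101000000000?"
    ";5555555555554444=2512101000000000?",
    "2007-04-02 10:15:03 AUTH ok amt=9.99 pan=411111******1111 auth=D4E5F6 ref=1234567890123",
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; a run of digits that fails it is not treated as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_prohibited(line: str) -> list[str]:
    """Return the kinds of prohibited data present in one log line."""
    kinds = []
    if TRACK1_RE.search(line):
        kinds.append("track1")
    if TRACK2_RE.search(line):
        kinds.append("track2")
    for m in SECRET_FIELD_RE.finditer(line):
        kinds.append(m.group(1).lower())
    return kinds


def redact(line: str) -> str:
    """Rewrite a line so that only masked PANs survive; everything else sensitive is dropped."""
    line = TRACK1_RE.sub(
        lambda m: "%B" + mask_pan(m.group(1)) + "^[REDACTED]^[REDACTED]?", line)
    line = TRACK2_RE.sub(lambda m: ";" + mask_pan(m.group(1)) + "=[REDACTED]?", line)
    line = SECRET_FIELD_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)
    # Bare PANs are masked rather than removed: a masked PAN is permitted for reconciliation.
    line = PAN_RE.sub(
        lambda m: mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(1), line)
    return line


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(index, kinds) for every line that stores something PCI prohibits."""
    return [(i, k) for i, ln in enumerate(lines) if (k := find_prohibited(ln))]


if __name__ == "__main__":
    for idx, kinds in scan_log(SAMPLE_LOG):
        print(f"line {idx}: prohibited {kinds}")
        print("  redacted:", redact(SAMPLE_LOG[idx]))
```

Note that the cleartext PAN on the first sample line is not by itself "prohibited data" in the sense Perez uses (it may be stored if encrypted), whereas the CVV2 on that line and the full track data on the second line may never be stored post-authorization, even encrypted; the scanner reports only the latter, and `redact` shows the record a compliant application would have written instead.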

With its letter, Visa is essentially saying "that this version of software is incapable of supporting PCI compliance" and may no longer be used by merchants, Noell said. The letter "basically puts the merchant on notice that the ... software they are using is not compliant and thus the merchant is not compliant. Hopefully, most of the merchants already were aware of the problem anyway."

Visa has so far not publicly released the names of the vendors on its list of noncompliant products. But it informed each of them in advance of the letter being sent to acquirers, Perez said. "Most, if not all, of the vendors listed provide either a patch or an upgrade that will ensure that their applications do not store prohibited data, so hopefully their merchant customers will take the appropriate actions," Perez said.

Copyright © 2007 IDG Communications, Inc.
