Visa Seeks Security Unanimity

Presses app vendors to follow its lead

Visa U.S.A. Inc. is quietly intensifying its campaign to ensure that vendors of payment processing applications comply with a set of data security guidelines it is pushing as a companion to the PCI standard for securing credit and debit card transactions.

Early last month, Visa sent out a letter listing applications from six vendors that it wants retailers and other merchants to stop using because the products capture and store sensitive card data. That includes information such as personal identification numbers and the card verification value numbers printed on the back of credit and debit cards.

Visa issued the letter to the acquiring financial institutions that grant merchants the approvals they need to accept individual card transactions. The missive urged acquirers to ensure that companies using the listed software upgrade to newer versions that comply with its security guidelines, or switch to different products.

House of Payment Cards

Visa's best-practices guidelines for payment applications say that vendors:

•  Must not retain full magnetic stripe data, card verification values or codes, or PIN block data within their software.
•  Need to protect stored data by ensuring that no more than the first six and last four digits of card numbers can be displayed.
•  Should require the use of unique usernames and complex passwords for all workers who need to access cardholder data.
•  Have to ensure that the applications can capture log data whenever end users access them.
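The first two guidelines above translate directly into code a payment application, or an auditor reviewing its stored records, can check. The following is an added example written for this article, not code from Visa or from any of the vendors it describes: it masks a card number to the first six and last four digits, and it scans stored records for prohibited data, both by field name (the `PROHIBITED_FIELDS` names are an assumption about how an application might label such columns) and by content, using the well-known layout of magnetic stripe track data. The sample records are constructed with synthetic test card numbers.

```python
"""Masking and prohibited-data checks modelled on the PABP rules quoted above.

Added example for this article; not Visa's or any vendor's code.
"""
import re
from typing import Dict, List

# Constructed sample records, as a payment application might persist them.
# Card numbers are synthetic test values, not real accounts.
SAMPLE_RECORDS = [
    {"txn": "1001", "pan": "4111111111111111", "exp": "12/09"},
    {"txn": "1002", "pan": "5555555555554444", "exp": "03/10",
     "track2": ";5555555555554444=10031011234567890?"},   # full magnetic stripe data
    {"txn": "1003", "pan": "4012888888881881", "exp": "08/09",
     "cvv2": "123"},                                        # card verification value
    {"txn": "1004", "pan": "6011111111111117", "exp": "01/11",
     "pin_block": "A1B2C3D4E5F6A7B8"},                       # PIN block
    {"txn": "1005", "pan": "4111111111111111", "exp": "09/12",
     "memo": ";4111111111111111=09121011234?"},             # track data hidden in a free-text field
]

# Field names under which prohibited data typically appears (assumed labels for this example).
PROHIBITED_FIELDS = {"track1", "track2", "cvv", "cvv2", "cvc2", "cid", "pin", "pin_block"}

# Track 2 layout: ';' + PAN + '=' + expiry/service code + discretionary data + '?'
TRACK2_RE = re.compile(r";\d{13,19}=\d{4,}[^?]*\?")
# Track 1 layout: '%B' + PAN + '^' + cardholder name + '^' + expiry ... + '?'
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4,}[^?]*\?")


def mask_pan(pan: str) -> str:
    """Display no more than the first six and last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_prohibited_data(record: Dict[str, str]) -> List[str]:
    """Return the reasons a stored record violates the 'must not retain' rule."""
    findings = []
    for key, value in record.items():
        if key.lower() in PROHIBITED_FIELDS:
            findings.append(f"field '{key}' stores prohibited data")
        elif isinstance(value, str) and (TRACK2_RE.search(value) or TRACK1_RE.search(value)):
            findings.append(f"field '{key}' contains magnetic stripe track data")
    return findings


def audit(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each transaction id to its list of findings (empty list means clean)."""
    return {r["txn"]: find_prohibited_data(r) for r in records}


def display_record(record: Dict[str, str]) -> Dict[str, str]:
    """Build a view safe to show an operator: PAN masked, prohibited fields dropped."""
    return {k: (mask_pan(v) if k == "pan" else v)
            for k, v in record.items() if k.lower() not in PROHIBITED_FIELDS}


if __name__ == "__main__":
    for txn, findings in audit(SAMPLE_RECORDS).items():
        print(txn, findings or "clean")
    print(display_record(SAMPLE_RECORDS[1]))
```

The content-based check matters because a field-name check alone misses track data that an application copies into a log line or a free-text field, which is exactly the situation Perez describes later in the article, where merchants were storing sensitive data without being aware of it.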

Companies that continue to use the targeted applications are in violation of the Payment Card Industry Data Security Standard, Visa said in its letter. The PCI standard, which is backed by all of the major credit card companies, requires any entity that accepts card payments to adopt a set of 12 security controls. In turn, acquiring banks and other institutions are responsible for ensuring that merchants comply with PCI.

Avivah Litan, an analyst at Gartner Inc., said Visa's letter shines a spotlight on a big weak point in the PCI process: the lack of standards that software vendors must follow.

Although efforts are under way to make Visa's so-called Payment Application Best Practices part of the PCI mandates, complying with the PABP guidelines is still voluntary, Litan said. But security breaches such as the one that The TJX Companies Inc. disclosed this year emphasize the growing need for software vendors to be held to the same standards as the retailers are under PCI, she added.

Significant Threat

PCI requires merchants to ensure that their payment systems don't capture prohibited data but do support functions such as transaction logging and data encryption, said Chris Noell, CEO of TruComply, an Austin-based consulting firm that focuses on the payment card industry.

But there is no obligation for a payment application vendor to produce PCI-compliant software, Noell said. With its letter, he added, Visa is essentially putting retailers that have installed the listed applications on notice that the software they're using is not compliant, and thus the merchant is not compliant.

So far, Visa hasn't publicly identified the vendors whose products are on its list of applications that don't comply with the PABP guidelines. But it informed each of the vendors before the April letter was sent to the acquiring banks, according to Eduardo Perez, Visa's vice president of payment system risk.

Most, if not all, of the vendors listed provide either a patch or an upgrade that will ensure that their applications do not store prohibited data, Perez said via e-mail. So, hopefully their merchant customers will take the appropriate actions.

This is the first time Visa has sent out a list of software that it wants businesses to avoid. Perez described the storage of prohibited data as one of the most significant threats to payment system security. He added that merchants have been targeted by data thieves because they were storing sensitive payment card data and weren't even aware that their systems were storing it.

Visa hopes distributing a list of applications that fail to meet the PABP recommendations will push more vendors to adopt the guidelines, Perez said. As of last week, Visa had certified 155 payment and point-of-sale applications from 83 vendors as complying with its suggested best practices. Many of these vendors view PABP as a competitive differentiator, Perez wrote.

Visa first published a list of noncompliant software in a member bulletin dated Feb. 27 and then put the list in the letters that were sent to the acquiring institutions. The company plans to update the list periodically, Perez said.

Copyright © 2007 IDG Communications, Inc.
