Visa announced global industry best practices for software vendors who develop payment applications

August 24, 2010 – Visa Inc. today announced global industry best practices for payment application vendors, integrators and resellers that implement, install or manage payment-related systems on behalf of merchants. The best practices developed by Visa in collaboration with the SANS Institute are designed to complement the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS).

The PA-DSS is a global set of security requirements for software vendors who develop payment applications for merchants who seek business software to manage payment processes. PA-DSS compliant applications do not store prohibited data such as track data, sensitive authentication data, or PIN data, helping guard merchants and agents against compromises and support overall compliance with the Payment Card Industry Data Security Standard (PCI DSS).

„The PA-DSS provides guidance for developing secure software, while Visa’s Best Practices for Payment Application Companies represents a natural companion, providing guidance on how to securely install that piece of software,” said Eduardo Perez, Head of Global Payment System Security, Visa Inc. „We saw from data compromise investigations that while an application may be secure and comply with the PA-DSS, implementation and management missteps can create vulnerabilities.”

In developing the best practices, Visa collaborated with the SANS Institute, a trusted leader in IT security training for the U.S. government, military and private organizations. „Visa’s willingness to share this information with the community is a huge step forward,” said Alan Paller, Director of Research, the SANS Institute. „Organizations that fail to implement these practices are needlessly exposing themselves to the inherent risks found in cyberspace.”

The SANS Institute is also partnering with Visa to provide further guidance to payment application vendors, integrators and resellers on how to securely implement point-of-sale solutions through a series of training courses. More information is available at www.sans.org/visatop10.

Today, a growing number of merchants are using applications that comply with the PA-DSS. Criminals are responding by changing their attack methods and are using tools like memory parsers and key loggers to siphon card data while payments are being processed on merchants’ or agents’ systems. The best practices help meet the challenges of such an evolving security environment.

Investigations of merchant card compromises have found that in many cases, payment application companies inadvertently left their systems and software improperly configured, putting their customers at high risk for data compromise. It was found that many compromised merchants operated with those deficiencies for months or even years at a time.

„Visa is one of the few organizations that actually understands how financial cyber crimes are carried out, because of their extensive investigations and analysis of attacks involving payment card data. The depth of that experience enables them to provide valuable guidance,” said Paller.

Visa’s Top Ten Best Practices for Payment Application Companies is summarized as follows, with more detailed guidance available at www.visa.com/cisp.

1. Perform background checks on new employees and contractors prior to hire
2. Maintain an internal and external software security training and certification curriculum
3. Adhere to a common software development life cycle across payment applications
4. Ensure that newly released payment application versions are Payment Application Data Security Standard (PA-DSS) compliant
5. Conduct application vulnerability detection tests and code reviews against common vulnerabilities and weaknesses prior to sale or distribution
6. Actively identify payment application versions that store sensitive authentication data and/or retain critical security vulnerabilities, and notify all affected customers
7. Maintain customer service level agreements stating that only PA-DSS compliant payment application versions will be sold and supported
8. Implement an installer, integrator and reseller training and certification program that enforces adequate data security processes when supporting customers
9. Adhere to industry guidelines for data field encryption and tokenization across payment applications that use these technologies
10. Support capability of dynamic data solutions across payment applications

„Visa’s best practices can help mitigate security issues that may lead to data compromises, but it’s vitally important to maintain ongoing compliance with the PCI DSS, which remains the best protection against a data compromise,” Perez concluded.

The release of Visa’s Best Practices for Payment Application Companies represents the latest of series of Visa initiatives to secure payment applications as a means of better protecting card data. Visa developed the original payment application security standards, which were later embraced by the industry as the PA-DSS. In 2007, Visa launched a series of phased-in mandates in the U.S. and in Canada requiring, by no later than 1 July 2010, acquirers to ensure that merchants and agents use only compliant payment applications. With the successful adoption of these mandates, Visa launched similar mandates for its remaining global regions, ensuring full compliance by no later than 1 July 2012. More recently, Visa announced best practices for data field encryption, tokenization and card account data elimination to help reduce merchant vulnerabilities caused by storing sensitive information.