August 24, 2010 – Visa Inc. today announced global industry best practices for payment application vendors, integrators and resellers that implement, install or manage payment-related systems on behalf of merchants. The best practices developed by Visa in collaboration with the SANS Institute are designed to complement the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS).
The PA-DSS is a global set of security requirements for software vendors who develop payment applications for merchants who seek business software to manage payment processes. PA-DSS compliant applications do not store prohibited data such as track data, sensitive authentication data, or PIN data, helping guard merchants and agents against compromises and support overall compliance with the Payment Card Industry Data Security Standard (PCI DSS).
„The PA-DSS provides guidance for developing secure software, while Visa’s Best Practices for Payment Application Companies represents a natural companion, providing guidance on how to securely install that piece of software,” said Eduardo Perez, Head of Global Payment System Security, Visa Inc. „We saw from data compromise investigations that while an application may be secure and comply with the PA-DSS, implementation and management missteps can create vulnerabilities.”
In developing the best practices, Visa collaborated with the SANS Institute, a trusted leader in IT security training for the U.S. government, military and private organizations. „Visa’s willingness to share this information with the community is a huge step forward,” said Alan Paller, Director of Research, the SANS Institute. „Organizations that fail to implement these practices are needlessly exposing themselves to the inherent risks found in cyberspace.”
The SANS Institute is also partnering with Visa to provide further guidance to payment application vendors, integrators and resellers on how to securely implement point-of-sale solutions through a series of training courses. More information is available at www.sans.org/visatop10.
Today, a growing number of merchants are using applications that comply with the PA-DSS. Criminals are responding by changing their attack methods and are using tools like memory parsers and key loggers to siphon card data while payments are being processed on merchants’ or agents’ systems. The best practices help meet the challenges of such an evolving security environment.
Investigations of merchant card compromises have found that in many cases, payment application companies inadvertently left their systems and software improperly configured, putting their customers at high risk for data compromise. It was found that many compromised merchants operated with those deficiencies for months or even years at a time.
„Visa is one of the few organizations that actually understands how financial cyber crimes are carried out, because of their extensive investigations and analysis of attacks involving payment card data. The depth of that experience enables them to provide valuable guidance,” said Paller.
Visa’s Top Ten Best Practices for Payment Application Companies is summarized as follows, with more detailed guidance available at www.visa.com/cisp.
„Visa’s best practices can help mitigate security issues that may lead to data compromises, but it’s vitally important to maintain ongoing compliance with the PCI DSS, which remains the best protection against a data compromise,” Perez concluded.
The release of Visa’s Best Practices for Payment Application Companies represents the latest of series of Visa initiatives to secure payment applications as a means of better protecting card data. Visa developed the original payment application security standards, which were later embraced by the industry as the PA-DSS. In 2007, Visa launched a series of phased-in mandates in the U.S. and in Canada requiring, by no later than 1 July 2010, acquirers to ensure that merchants and agents use only compliant payment applications. With the successful adoption of these mandates, Visa launched similar mandates for its remaining global regions, ensuring full compliance by no later than 1 July 2012. More recently, Visa announced best practices for data field encryption, tokenization and card account data elimination to help reduce merchant vulnerabilities caused by storing sensitive information.
Banking 4.0 – „how was the experience for you”
„So many people are coming here to Bucharest, people that I see and interact on linkedin and now I get the change to meet them in person. It was like being to the Football World Cup but this was the World Cup on linkedin in payments and open banking.”
Many more interesting quotes in the video below:
Thank you for another great article. Where else could anyone get that kind of information in such a perfect way of presentation. Congratulations on a job well done.