Visa Provides Guidance on Secure Implementation and Management of Payment Applications
Collaborative effort with the SANS Institute to help improve merchant security
SAN FRANCISCO, Aug. 24 -- Visa Inc. (NYSE:V) today announced global industry best practices for payment application vendors, integrators and resellers that implement, install or manage payment-related systems on behalf of merchants. The best practices developed by Visa in collaboration with the SANS Institute are designed to complement the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS).
The PA-DSS is a global set of security requirements for software vendors who develop payment applications for merchants who seek business software to manage payment processes. PA-DSS compliant applications do not store prohibited data such as track data, sensitive authentication data, or PIN data, helping guard merchants and agents against compromises and support overall compliance with the Payment Card Industry Data Security Standard (PCI DSS).
"The PA-DSS provides guidance for developing secure software, while Visa's Best Practices for Payment Application Companies represents a natural companion, providing guidance on how to securely install that piece of software," said Eduardo Perez, Head of Global Payment System Security, Visa Inc. "We saw from data compromise investigations that while an application may be secure and comply with the PA-DSS, implementation and management missteps can create vulnerabilities."
In developing the best practices, Visa collaborated with the SANS Institute, a trusted leader in IT security training for the U.S. government, military and private organizations. "Visa's willingness to share this information with the community is a huge step forward," said Alan Paller, Director of Research, the SANS Institute. "Organizations that fail to implement these practices are needlessly exposing themselves to the inherent risks found in cyberspace."
The SANS Institute is also partnering with Visa to provide further guidance to payment application vendors, integrators and resellers on how to securely implement point-of-sale solutions through a series of training courses. More information is available at http://www.sans.org/visatop10.
Today, a growing number of merchants are using applications that comply with the PA-DSS. Criminals are responding by changing their attack methods and are using tools like memory parsers and key loggers to siphon card data while payments are being processed on merchants' or agents' systems. The best practices help meet the challenges of such an evolving security environment.
Investigations of merchant card compromises have found that in many cases, payment application companies inadvertently left their systems and software improperly configured, putting their customers at high risk for data compromise. It was found that many compromised merchants operated with those deficiencies for months or even years at a time.
"Visa is one of the few organizations that actually understands how financial cyber crimes are carried out, because of their extensive investigations and analysis of attacks involving payment card data. The depth of that experience enables them to provide valuable guidance," said Paller.
Visa's Top Ten Best Practices for Payment Application Companies is summarized as follows, with more detailed guidance available at http://www.visa.com/cisp.
1. Perform background checks on new employees and contractors prior to
hire
2. Maintain an internal and external software security training and
certification curriculum
3. Adhere to a common software development life cycle across payment
applications
4. Ensure that newly released payment application versions are Payment
Application Data Security Standard (PA-DSS) compliant
5. Conduct application vulnerability detection tests and code reviews
against common vulnerabilities and weaknesses prior to sale or
distribution
6. Actively identify payment application versions that store sensitive
authentication data and/or retain critical security vulnerabilities,
and notify all affected customers
7. Maintain customer service level agreements stating that only PA-DSS
compliant payment application versions will be sold and supported
8. Implement an installer, integrator and reseller training and
certification program that enforces adequate data security processes
when supporting customers
9. Adhere to industry guidelines for data field encryption and
tokenization across payment applications that use these technologies
10. Support capability of dynamic data solutions across payment
applications
"Visa's best practices can help mitigate security issues that may lead to data compromises, but it's vitally important to maintain ongoing compliance with the PCI DSS, which remains the best protection against a data compromise," Perez concluded.
The release of Visa's Best Practices for Payment Application Companies represents the latest of series of Visa initiatives to secure payment applications as a means of better protecting card data. Visa developed the original payment application security standards, which were later embraced by the industry as the PA-DSS. In 2007, Visa launched a series of phased-in mandates in the U.S. and in Canada requiring, by no later than 1 July 2010, acquirers to ensure that merchants and agents use only compliant payment applications. With the successful adoption of these mandates, Visa launched similar mandates for its remaining global regions, ensuring full compliance by no later than 1 July 2012. More recently, Visa announced best practices for data field encryption, tokenization and card account data elimination to help reduce merchant vulnerabilities caused by storing sensitive information.
About Visa Inc.: Visa Inc. is a global payments technology company that connects consumers, businesses, financial institutions and governments in more than 200 countries and territories to fast, secure and reliable digital currency. Underpinning digital currency is one of the world's most advanced processing networks -- VisaNet -- that is capable of handling more than 10,000 transactions a second, with fraud protection for consumers and guaranteed payment for merchants. Visa is not a bank, and does not issue cards, extend credit or set rates and fees for consumers. Visa's innovations, however, enable its financial institution customers to offer consumers more choices: Pay now with debit, ahead of time with prepaid or later with credit products. For more information, visit http://www.corporate.visa.com.
Source: Visa Inc.
CONTACT: Sandra Chu of Visa Inc., +1-415-932-2564, globalmedia@visa.com,
or Steve Burke, +1-703-683-5004 ext. 108, burkecrc@hotmail.com, for Visa Inc.