Visa announced global industry best practices for payment application vendors, integrators and resellers that implement, install or manage payment-related systems on behalf of merchants. The best practices developed by Visa in collaboration with the SANS Institute are designed to complement the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS).
The PA-DSS is a global set of security requirements for software vendors who develop payment applications for merchants who seek business software to manage payment processes. PA-DSS compliant applications do not store prohibited data such as track data, sensitive authentication data, or PIN data, helping guard merchants and agents against compromises and support overall compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Today, a growing number of merchants are using applications that comply with the PA-DSS. Criminals are responding by changing their attack methods and are using tools like memory parsers and key loggers to siphon card data while payments are being processed on merchants’ or agents’ systems. The best practices help meet the challenges of such an evolving security environment.
Investigations of merchant card compromises have found that in many cases, payment application companies inadvertently left their systems and software improperly configured, putting their customers at high risk for data compromise. It was found that many compromised merchants operated with those deficiencies for months or even years at a time.
Visa’s top 10 best practices for payment application companies is summarized as follows:
1. Perform background checks on new employees and contractors prior to hire.
2. Maintain an internal and external software security training and certification curriculum.
3. Adhere to a common software development life cycle across payment applications.
4. Ensure that newly released payment application versions are Payment Application Data Security Standard (PA-DSS) compliant.
5. Conduct application vulnerability detection tests and code reviews against common vulnerabilities and weaknesses prior to sale or distribution.
6. Actively identify payment application versions that store sensitive authentication data and/or retain critical security vulnerabilities, and notify all affected customers.
7. Maintain customer service level agreements stating that only PA-DSS compliant payment application versions will be sold and supported.
8. Implement an installer, integrator and reseller training and certification program that enforces adequate data security processes when supporting customers.
9. Adhere to industry guidelines for data field encryption and tokenization across payment applications that use these technologies.
10. Support capability of dynamic data solutions across payment applications.