Visa has released a set of best practices for payment application vendors to help ensure security beyond the requirements of industry compliance.

The document comes roughly two weeks after the PCI (Payment Card Industry) Security Standards Council outlined proposed changes to payment card industry regulations. According to Visa, which developed the guidance with the help of the SANS Institute, the document is meant to complement the PCI PA-DSS (Payment Application Data Security Standard).
“The PA-DSS provides guidance for developing secure software, while Visa’s Best Practices for Payment Application Companies represents a natural companion, providing guidance on how to securely install that piece of software,” Eduardo Perez, head of global payment system security at Visa, said in a statement. “We saw from data-compromise investigations that while an application may be secure and comply with the PA-DSS, implementation and management missteps can create vulnerabilities.”
The best practices include conducting application vulnerability tests and code reviews on new payment application versions prior to sale or distribution, and adhering to industry guidelines for data field encryption and tokenization across payment applications using these technologies.
“It is in the best interest for the payment application provider to proactively adopt practices, such as these, so more often than not, merchants will find that these best practices are widely used and vendors are already doing these things,” said Eric Bushman, vice president of solutions engineering at Paymetric. “No single requirement outlined in this document stands out as one that merchants would have challenges ensuring their vendor is adhering to. But that doesn’t mean that they should assume the payment application provider is, in fact, doing these things.”
One of the toughest challenges, especially for large merchants, is the implementation of PA-DSS-certified applications, said Keith Swiat, director of PA-DSS at Trustwave.
“While small merchants can be more agile in this area, merchants with thousands of retail outlets can run into serious time and resource issues trying to meet this requirement,” he said. “With the increased exposure to the PCI-DSS by merchants and application vendors, the vast majority are using these best practices, successful or not, in some form. The most effective way to propagate this information will be for merchants and application vendors to maintain a good relationship with their banks to keep up-to-date on any new developments that the card brands may push down.”