Software Makers Should Adopt Visa's Security Standards

Opinion: Security must keep up with increasingly sophisticated fraud.

Chances are that if you drove to work this morning, your commute was uneventful. Automakers work diligently to ensure that your car performs reliably and safely. Still, safety flaws are occasionally discovered. The manufacturer usually responds by correcting the error in future models or by issuing a recall.

Software makers that design applications for the credit card-payments industry face a similar situation. They must stay ahead of increasingly sophisticated fraud by constantly adding new and better security measures.

Criminals have a knack for finding vulnerabilities. Some applications, for example, store a card's full magnetic-stripe data even after the card authorization has been completed. Criminals who get access to this data can counterfeit payment cards. To close this hole, payment card applications must protect with strong encryption the names, account numbers and expiration dates that are stored on cards' magnetic stripes, and keep them only where the application needs them. All other magnetic-stripe data, which includes the card verification and PIN information, must be purged once the authorization is complete.
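As an added illustration of the retention rule in the preceding paragraph (this is example code written for this edit, not Visa's best-practices document or any vendor's product): the script parses the two magnetic-stripe tracks, keeps only the cardholder name, account number and expiration date, and drops the service code and discretionary data, the field that carries the card verification value and PIN verification data. The track layouts follow ISO/IEC 7813; the card number, cardholder name and key are constructed, and 4111111111111111 is a widely used test number that passes the Luhn check. Because the Python standard library ships no cipher, a keyed hash stands in for the encryption the column calls for: it supports lookups for refunds and duplicate detection but cannot be reversed to recover the number.

```python
"""Added example: what a payment application may keep after authorization.

Constructed illustration code, not Visa's specification or any vendor's
product. Parses Track 1 and Track 2 of a magnetic stripe (ISO/IEC 7813),
then builds a storage record holding only the cardholder name, account
number and expiration date. The service code and the discretionary data
field (home of the card verification value and PIN verification data) are
never copied. The account number is masked for display and replaced by a
keyed hash for lookups. Key and card number below are made up.
"""
import hashlib
import hmac
import re

# Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

# Constructed sample stripe data (not a real card) and a throwaway demo key.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^25121015432112345678?"
SAMPLE_TRACK2 = ";4111111111111111=251210154321?"
DEMO_KEY = b"demo-key-replace-with-a-managed-secret"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; every account number must pass it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track(track: str) -> dict:
    """Split raw stripe data into its fields. Raises ValueError on bad input."""
    m = TRACK1_RE.match(track) or TRACK2_RE.match(track)
    if m is None:
        raise ValueError("not a Track 1 or Track 2 record")
    fields = m.groupdict()
    fields.setdefault("name", None)  # Track 2 carries no cardholder name
    if not luhn_ok(fields["pan"]):
        raise ValueError("account number fails Luhn check")
    return fields


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits, e.g. 411111******1111."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed SHA-256 of the account number for lookups. Stand-in for the
    encryption the column calls for; an unkeyed hash of a 16-digit number
    would be trivially brute-forced, so the key must be managed as a secret."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def retain_after_auth(track: str, key: bytes) -> dict:
    """The only record that should survive once authorization has completed."""
    f = parse_track(track)
    # Deliberately NOT copied: f["svc"], f["disc"] (CVV/PVV data), raw f["pan"].
    return {
        "name": f["name"],
        "exp": f["exp"],
        "pan_masked": mask_pan(f["pan"]),
        "pan_token": pan_token(f["pan"], key),
    }


def leaks_stripe_data(record: dict, track: str) -> bool:
    """Audit check: does anything in the stored record reproduce the raw PAN
    or the discretionary data? Run it against what actually lands on disk."""
    f = parse_track(track)
    blob = " ".join(str(v) for v in record.values())
    return f["pan"] in blob or (f["disc"] != "" and f["disc"] in blob)


if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        rec = retain_after_auth(raw, DEMO_KEY)
        print(rec, "leaks stripe data:", leaks_stripe_data(rec, raw))
```

The audit function is the part worth borrowing: point it at the records a real application writes (database rows, logs, crash dumps) with a known test swipe, and any hit is exactly the full-stripe storage the column warns about.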

If this is not done, criminals can obtain the keys to the car, as it were, and your customers, the merchants, can be exposed both to fraudulent charges and to penalty fees. If a merchant is storing the full content of the magnetic stripe, which is forbidden by Visa's rules, Visa can fine the bank that processes credit card transactions for the merchant. The bank, in turn, may charge the merchant the amount of the fine.

Payment card-transaction processors, financial institutions, service providers, merchants and other participants in the payments chain are committed to data-security standards.

Software developers also play a key role. They can help thwart hackers by designing applications that store only the cardholder data that is actually needed, and store it only within protected internal networks.

Applications should also be developed with secure coding techniques, and all system development processes should include security.

In June, Visa officials unveiled security best practices for software makers. If adopted by the software industry, the payment application best practices will stand as a landmark in sustaining the electronic payments era. Although Visa makes no endorsement of applications or products and disclaims all warranties, three software vendors that have independently validated their compliance with the best practices are Radiant Systems, Go Software and TPI Software.

Just as it's in the auto industry's best interest to make sure every car is free of safety problems, it is in the best interest of the software industry to take a leading role in the cooperative security effort. Making security standards everybody's business will help ensure continued consumer confidence in the electronic payments system.

John Shaughnessy is senior vice president for fraud control and operations for Visa USA. Free Spectrum is a forum for the IT community and welcomes contributions. Send submissions to