Visa adds to its list of apps that improperly hold card data

Update puts three more vendors on the list, according to a copy posted on the Web

Visa this week privately issued an updated list of payment applications that store all of the magnetic-stripe data taken from credit and debit cards, as part of its ongoing effort to get retailers and other merchants to stop using such software.

Visa began distributing the list last April and has updated it every three months since then. The company doesn't make the list openly available and hasn't publicly identified any of the vendors whose products are on it. Instead, Visa sends the list to so-called acquiring banks, the financial institutions that authorize merchants to accept payment-card transactions.

A Visa spokesman said today that the company has tried to keep the list under wraps because of concerns that making it public would give hackers "a tip sheet" for identifying retail systems that store sensitive data about cardholders. He noted that Visa expressly asks the recipients of the list, which also include payment processors and software vendors, not to publish it or make it available on publicly accessible Web sites.

Despite that admonition, a copy of a Visa bulletin containing the latest list was posted this week on a payment security Web site operated by software vendor VeriFone. According to the document, applications from three more vendors have been added to the list, which now includes more than 50 products from a total of 22 companies. Among the vendors with products on the list are IBM, NCR and -- ironically enough -- VeriFone itself.

Visa said in the bulletin that the applications on the list are known to store each piece of data that can be captured from the magnetic stripes on the back of credit and debit cards. That violates the security rules set out in Visa's operating regulations and the Payment Card Industry Data Security Standard, which is better known by the acronym PCI.

The security rules also ban the storage of personal identification numbers, encrypted PIN blocks and the three-digit card verification numbers that are found on the back of cards. In its bulletin, Visa called on acquiring banks to "ensure that their merchants and agents do not use payment applications known to retain these data elements." It also said that the banks should "take corrective action to address any identified deficiencies, as these applications are at risk of being compromised."

According to Visa's list, almost all of the flagged applications have either been replaced by newer versions that don't retain magnetic-stripe data or patched so that they no longer store the information. The company noted that the names and primary account numbers of cardholders can be retained in systems, as can expiration dates and service codes. But, it said, that information "should be stored only if needed to perform business functions" and must be secured in accordance with the PCI rules.

In addition to the list of problematic applications, Visa maintains a publicly accessible list of products that comply with the security requirements. That list, which is considerably longer than the list of products that don't, was last updated on January 15.

The continued storage of magnetic-stripe data, PINs and card verification values by merchants is what has made payment systems such an attractive target for malicious hackers, according to analysts. But the fact that some payment applications store the prohibited data by default -- sometimes without the knowledge of the companies using them -- has made it hard for many retailers to comply with the PCI requirements.

Partly in response to that problem, Visa in October launched a separate Payment Application Security Mandate program, under which it gave companies three years to ensure that all of their third-party payment applications were compliant with a set of 14 security controls. The mandates were seen by some as Visa's way of forcing application vendors to make their software compliant with the PCI rules or risk losing their customers.

The program sets a series of deadlines that merchants need to meet over the next three years. The first deadline took effect on Jan. 1; starting from that date, companies installing new payment applications need to make sure that they are Visa-validated products. And beginning July 1, all VisaNet payment processors and processing agents will have to ensure that new applications they implement are fully compliant with Visa's mandates.


Jaikumar Vijayan
