Visa this week privately issued an updated list of payment applications that store all of the magnetic-stripe data taken from credit and debit cards, as part of its ongoing effort to get retailers and other merchants to stop using such software.
Visa began distributing the list last April and has updated it every three months since then. The company doesn't make the list openly available and hasn't publicly identified any of the vendors whose products are on it. Instead, Visa sends the list to so-called acquiring banks, the financial institutions that authorize merchants to accept payment-card transactions.
A Visa spokesman said today that the company has tried to keep the list under wraps because of concerns that making it public would give hackers "a tip sheet" for identifying retail systems that store sensitive data about cardholders. He noted that Visa expressly asks the recipients of the list, which also include payment processors and software vendors, not to publish it or make it available on publicly accessible Web sites.
Despite that admonition, a copy of a Visa bulletin containing the latest list was posted this week on a payment security Web site operated by software vendor VeriFone. According to the document (download PDF), applications from three more vendors have been added to the list, which now includes more than 50 products from a total of 22 companies. Among the vendors with products on the list are IBM, NCR and -- ironically enough -- VeriFone itself.
Visa said in the bulletin that the applications on the list are known to store each piece of data that can be captured from the magnetic stripes on the back of credit and debit cards. That violates the security rules set out in Visa's operating regulations and the Payment Card Industry Data Security Standard, which is better known by the acronym PCI.
The security rules also ban the storage of personal identification numbers, encrypted PIN blocks and the three-digit card verification numbers that are found on the back of cards. In its bulletin, Visa called on acquiring banks to "ensure that their merchants and agents do not use payment applications known to retain these data elements." It also said that the banks should "take corrective action to address any identified deficiencies, as these applications are at risk of being compromised."
According to Visa's list, almost all of the flagged applications have either been replaced by newer versions that don't retain magnetic-stripe data or patched so that they no longer store the information. The company noted that the names and primary account numbers of cardholders can be retained in systems, as can expiration dates and service codes. But, it said, that information "should be stored only if needed to perform business functions" and must be secured in accordance with the PCI rules.
In addition to the list of problematic applications, Visa maintains a publicly accessible list of products that comply with the security requirements (download PDF). That list, which is considerably longer than the list of products that don't, was last updated on January 15.
The continued storage of magnetic-stripe data, PINs and card verification values by merchants is what has made payment systems such an attractive target for malicious hackers, according to analysts. But the fact that some payment applications store the prohibited data by default -- sometimes without the knowledge of the companies using them -- has made it hard for many retailers to comply with the PCI requirements.
Partly in response to that problem, Visa in October launched a separate Payment Application Security Mandate program, under which it gave companies three years to ensure that all of their third-party payment applications were compliant with a set of 14 security controls. The mandates were seen by some as Visa's way of forcing application vendors to make their software compliant with the PCI rules or risk losing their customers.
The program sets a series of deadlines that merchants need to meet over the next three years. The first deadline took effect on Jan. 1; starting from that date, companies installing new payment applications need to make sure that they are Visa-validated products. And beginning July 1, all VisaNet payment processors and processing agents will have to ensure that new applications they implement are fully compliant with Visa's mandates.