Visa rolls out new payment application security mandates

Companies accepting payment cards have three years to comply

Amid signs of growing frustration in the retail community over the credit card industry's payment card industry (PCI) data security requirements, Visa on Tuesday quietly rolled out an additional set of Payment Application Security Mandates for all companies that handle credit and debit card transactions.

Under the multi-phase initiative, covered entities will three years to ensure that all their payment applications are compliant with a set of security requirements mandated by Visa. The rules apply to any third-party payment software used by companies for storing, processing or transmitting cardholder data.

For many companies, especially large ones using older payment applications, Visa's mandate could mean "tens of millions of dollars" in upgrades to new technologies over the next few years, said Jim Huguelet, an independent consultant. The mandates will also "by proxy" force vendors of payment applications to finally start implementing security features that have been recommended by Visa and others for some time now, he said.

"This is a really major step forward for the industry in asking payment application vendors to step up and support more directly the compliance efforts of their customers," Huguelet said. Until now, adherence to such standards was an "optional sort of thing" for vendors. "Now it has become clear that payment vendors have to make their software support security standards" or risk being cast aside by their customers, he said.

Visa's mandates have been expected for some time and are designed to address long-standing security weaknesses in the applications merchants use to conduct payment card transactions. The biggest concern has been the fact that many payment applications now in use are designed to store data such as the full magnetic-stripe information from the back of cards, card-verification code numbers and PIN data. Storing that data has made payment systems an attractive target for hackers and has long been considered a fundamental security weakness. It is a practice that has been explicitly banned under PCI.

However, it has been hard for many companies to comply with this requirement since certain payment applications currently in use -- especially older applications -- are designed to store the prohibited data by default, sometimes without even the knowledge of the companies using them.

Visa has over the last two years or so been pushing the vendors of such payment applications into making their software more secure. The company has developed a set of so-called Payment Application Best Practices (PABP) to help vendors implement the recommended security features in their software. It maintains a list of validated payment applications that meet the PABP standards and has been urging companies to start using those applications.

At the same time Visa has also been circulating a frequently updated list of vulnerable payment applications with instructions to card-issuing banks to get merchants to stop using such software.

Tuesday's announcement formalizes these efforts into a set of standards that companies need to implement with a specific time frame.

The first phase of Visa's payment application security mandates goes into effect on January 1, 2008. After that date, the so-called acquiring banks that authorize companies to accept payment card transactions will be prohibited from authorizing new merchants that use payment applications known to be vulnerable. According to an October 23 Visa bulletin, the goal in the first phase is to deter software vendors from introducing new vulnerable applications into the payment system.

The next two phases, which go into effect on July 1 and October 1, 2008, respectively, are designed to get payment processors, agents and merchants to start using software that is compliant with the new application security standards.

Starting on October 1, 2009, all merchants will be required to start terminating the use of any non-compliant payment applications that they might still have in their environments. The fifth phase, beginning July 1, 2010 mandates the use of only those payment applications that support the new standards, according to Visa.

The application rules complement a separate set of payment card industry standards (PCI) that are already in place for all entities handling payment cards. Under PCI, merchants are required to implement a set of 12 security controls such as encryption, transaction logging and access management for protecting cardholder data.

Though the requirements went into affect more than two years ago, a large number of big retailers are still noncompliant because of a variety of issues that include legacy system challenges, rules interpretation issues and continuously evolving guidelines.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Jaikumar Vijayan

Jaikumar Vijayan

Computerworld
Show Comments

Essentials

Mobile

Exec

Sony WH-1000XM4 Wireless Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?