Visa adds to its list of apps that improperly hold card data

Update puts three more vendors on the list, according to a copy posted on the Web

Visa this week privately issued an updated list of payment applications that store all of the magnetic-stripe data taken from credit and debit cards, as part of its ongoing effort to get retailers and other merchants to stop using such software.

Visa began distributing the list last April and has updated it every three months since then. The company doesn't make the list openly available and hasn't publicly identified any of the vendors whose products are on it. Instead, Visa sends the list to so-called acquiring banks, the financial institutions that authorize merchants to accept payment-card transactions.

A Visa spokesman said today that the company has tried to keep the list under wraps because of concerns that making it public would give hackers "a tip sheet" for identifying retail systems that store sensitive data about cardholders. He noted that Visa expressly asks the recipients of the list, which also include payment processors and software vendors, not to publish it or make it available on publicly accessible Web sites.

Despite that admonition, a copy of a Visa bulletin containing the latest list was posted this week on a payment security Web site operated by software vendor VeriFone. According to the document, applications from three more vendors have been added to the list, which now includes more than 50 products from a total of 22 companies. Among the vendors with products on the list are IBM, NCR and -- ironically enough -- VeriFone itself.

Visa said in the bulletin that the applications on the list are known to store each piece of data that can be captured from the magnetic stripes on the back of credit and debit cards. That violates the security rules set out in Visa's operating regulations and the Payment Card Industry Data Security Standard, which is better known by the acronym PCI.

The security rules also ban the storage of personal identification numbers, encrypted PIN blocks and the three-digit card verification numbers that are found on the back of cards. In its bulletin, Visa called on acquiring banks to "ensure that their merchants and agents do not use payment applications known to retain these data elements." It also said that the banks should "take corrective action to address any identified deficiencies, as these applications are at risk of being compromised."

According to Visa's list, almost all of the flagged applications have either been replaced by newer versions that don't retain magnetic-stripe data or patched so that they no longer store the information. The company noted that the names and primary account numbers of cardholders can be retained in systems, as can expiration dates and service codes. But, it said, that information "should be stored only if needed to perform business functions" and must be secured in accordance with the PCI rules.

In addition to the list of problematic applications, Visa maintains a publicly accessible list of products that comply with the security requirements. That list, which is considerably longer than the list of products that don't, was last updated on January 15.

The continued storage of magnetic-stripe data, PINs and card verification values by merchants is what has made payment systems such an attractive target for malicious hackers, according to analysts. But the fact that some payment applications store the prohibited data by default -- sometimes without the knowledge of the companies using them -- has made it hard for many retailers to comply with the PCI requirements.

Partly in response to that problem, Visa in October launched a separate Payment Application Security Mandate program, under which it gave companies three years to ensure that all of their third-party payment applications were compliant with a set of 14 security controls. The mandates were seen by some as Visa's way of forcing application vendors to make their software compliant with the PCI rules or risk losing their customers.

The program sets a series of deadlines that merchants need to meet over the next three years. The first deadline took effect on Jan. 1; starting from that date, companies installing new payment applications need to make sure that they are Visa-validated products. And beginning July 1, all VisaNet payment processors and processing agents will have to ensure that new applications they implement are fully compliant with Visa's mandates.


Jaikumar Vijayan
