Visa adds to its list of apps that improperly hold card data

Update puts three more vendors on the list, according to a copy posted on the Web

Visa this week privately issued an updated list of payment applications that store all of the magnetic-stripe data taken from credit and debit cards, as part of its ongoing effort to get retailers and other merchants to stop using such software.

Visa began distributing the list last April and has updated it every three months since then. The company doesn't make the list openly available and hasn't publicly identified any of the vendors whose products are on it. Instead, Visa sends the list to so-called acquiring banks, the financial institutions that authorize merchants to accept payment-card transactions.

A Visa spokesman said today that the company has tried to keep the list under wraps because of concerns that making it public would give hackers "a tip sheet" for identifying retail systems that store sensitive data about cardholders. He noted that Visa expressly asks the recipients of the list, which also include payment processors and software vendors, not to publish it or make it available on publicly accessible Web sites.

Despite that admonition, a copy of a Visa bulletin containing the latest list was posted this week on a payment security Web site operated by software vendor VeriFone. According to the document, applications from three more vendors have been added to the list, which now includes more than 50 products from a total of 22 companies. Among the vendors with products on the list are IBM, NCR and -- ironically enough -- VeriFone itself.

Visa said in the bulletin that the applications on the list are known to store each piece of data that can be captured from the magnetic stripes on the back of credit and debit cards. That violates the security rules set out in Visa's operating regulations and the Payment Card Industry Data Security Standard, which is better known by the acronym PCI.

The security rules also ban the storage of personal identification numbers, encrypted PIN blocks and the three-digit card verification numbers that are found on the back of cards. In its bulletin, Visa called on acquiring banks to "ensure that their merchants and agents do not use payment applications known to retain these data elements." It also said that the banks should "take corrective action to address any identified deficiencies, as these applications are at risk of being compromised."

According to Visa's list, almost all of the flagged applications have either been replaced by newer versions that don't retain magnetic-stripe data or patched so that they no longer store the information. The company noted that the names and primary account numbers of cardholders can be retained in systems, as can expiration dates and service codes. But, it said, that information "should be stored only if needed to perform business functions" and must be secured in accordance with the PCI rules.

In addition to the list of problematic applications, Visa maintains a publicly accessible list of products that comply with the security requirements. That list, which is considerably longer than the list of products that don't, was last updated on January 15.

The continued storage of magnetic-stripe data, PINs and card verification values by merchants is what has made payment systems such an attractive target for malicious hackers, according to analysts. But the fact that some payment applications store the prohibited data by default -- sometimes without the knowledge of the companies using them -- has made it hard for many retailers to comply with the PCI requirements.

Partly in response to that problem, Visa in October launched a separate Payment Application Security Mandate program, under which it gave companies three years to ensure that all of their third-party payment applications were compliant with a set of 14 security controls. The mandates were seen by some as Visa's way of forcing application vendors to make their software compliant with the PCI rules or risk losing their customers.

The program sets a series of deadlines that merchants need to meet over the next three years. The first deadline took effect on Jan. 1; starting from that date, companies installing new payment applications need to make sure that they are Visa-validated products. And beginning July 1, all VisaNet payment processors and processing agents will have to ensure that new applications they implement are fully compliant with Visa's mandates.

Jaikumar Vijayan

Computerworld