Visa offers new guidelines on securing payment applications

Visa's guidelines were developed in collaboration with the SANS Institute

Visa on Tuesday announced a set of security best practices for vendors of payment applications and for the systems integrators and resellers responsible for implementing and managing them.

The guidelines are designed to address continuing vulnerabilities in the payment chain stemming from insecure implementations of the applications that are used in credit and debit card transactions, according to Eduardo Perez, Visa's head of global payment system security.

The existing Payment Application Data Security Standard (PA-DSS), administered by the PCI Security Council, already requires developers of payment applications to implement specific security controls in their software. For instance, the standard requires application vendors and developers to ensure their applications do not store prohibited cardholder and authentication data.

However, while the software itself may be secure, several vulnerabilities continue to persist because of improper configurations and other implementation errors, Perez said.

Visa's best practices are a natural extension to the PA-DSS requirements, Perez said. "What we have done is to go a bit beyond these requirements. PA-DSS is about secure payment applications and not about their secure implementation and management."

Visa's guidelines were developed in collaboration with the SANS Institute, a Bethesda, Md.-based security training and certification organization. The best practices touch upon 10 different issues and include a mix of technology and process-related advice.

For instance, the best practices urge developers and systems integrators to conduct application vulnerability detection tests and code reviews for detecting common vulnerabilities. They also urge them to adhere to secure software development practices and to actively work at identifying and decommissioning payment applications that store PIN and other prohibited payment card data.

Visa's guidelines are part of a continuing effort by the company to get stakeholders within the payment industry to adopt some fairly fundamental security standards for protecting cardholder data. Tuesday's best practices, for instance, are similar to guidance the company has released previously on tokenization and encryption.

The company has also been the most vigorous proponent of the PCI data security standard and is believed to be the most aggressive at enforcing compliance with the standard.

In the past, several of Visa's best practices and guidelines have ended up being drafted into formal payment industry standards. Even the PA-DSS itself, for instance, was originally proposed by Visa as a set of best practices, but eventually became a formal PCI standard.





