Amid signs of growing frustration in the retail community over the payment card industry (PCI) data security requirements, Visa on Tuesday quietly rolled out an additional set of Payment Application Security Mandates for all companies that handle credit and debit card transactions.
Under the multi-phase initiative, covered entities will have three years to ensure that all their payment applications are compliant with a set of security requirements mandated by Visa. The rules apply to any third-party payment software used by companies for storing, processing or transmitting cardholder data.
For many companies, especially large ones using older payment applications, Visa's mandate could mean "tens of millions of dollars" in upgrades to new technologies over the next few years, said Jim Huguelet, an independent consultant. The mandates will also "by proxy" force vendors of payment applications to finally start implementing security features that have been recommended by Visa and others for some time now, he said.
"This is a really major step forward for the industry in asking payment application vendors to step up and support more directly the compliance efforts of their customers," Huguelet said. Until now, adherence to such standards was an "optional sort of thing" for vendors. "Now it has become clear that payment vendors have to make their software support security standards" or risk being cast aside by their customers, he said.
Visa's mandates have been expected for some time and are designed to address long-standing security weaknesses in the applications merchants use to conduct payment card transactions. The biggest concern has been the fact that many payment applications now in use are designed to store data such as the full magnetic-stripe information from the back of cards, card-verification code numbers and PIN data. Storing that data has made payment systems an attractive target for hackers and has long been considered a fundamental security weakness. It is a practice that has been explicitly banned under PCI.
However, it has been hard for many companies to comply with this requirement since certain payment applications currently in use -- especially older applications -- are designed to store the prohibited data by default, sometimes without even the knowledge of the companies using them.
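The practical problem described above is that a merchant often cannot tell from the outside whether an older application is quietly writing full magnetic-stripe (track) data or card-verification codes to its logs or database. The following Python scanner is an added illustration, not code from the Computerworld article or from Visa, of the kind of check a merchant could run over its own transaction logs or database exports to find that out. It looks for the ISO 7813 Track 1 and Track 2 layouts and for labelled card-verification values, confirms any embedded card number with the Luhn check to cut false positives, and reports only a masked number. The sample log lines and the card numbers in them are constructed test values that belong to no real account.

```python
import re

# Constructed sample: lines of the kind an old point-of-sale application might
# write to a transaction log. The numbers pass the Luhn check but are not real
# accounts. Lines 2, 3 and 4 contain data PCI forbids storing after authorization.
SAMPLE_LOG = """\
2007-10-23 14:02:11 AUTH ok pan=4111111111111111 exp=0912 amt=42.10
2007-10-23 14:02:11 DEBUG raw_track2=;4111111111111111=09121011234567890123?
2007-10-23 14:05:48 AUTH ok pan=5500000000000004 exp=1011 amt=13.00 cvv2=123
2007-10-23 14:05:48 DEBUG raw_track1=%B5500000000000004^DOE/JOHN^10111011234567890?
2007-10-23 14:09:02 INFO settlement batch 8821 closed, 2 items
"""

# Track 1: %B<PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# Card-verification value written out under a recognisable field name.
CVV = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*(\d{3,4})", re.IGNORECASE)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, which PCI permits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text: str) -> list:
    """Scan log text for prohibited stored authentication data.

    Returns one finding per hit: the 1-based line number, the kind of data
    found ('track1', 'track2' or 'cvv2') and the masked PAN where one is
    embedded. Plain PANs are not reported: storing them is allowed under PCI
    if they are protected, so they are a separate concern from this check.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
            for m in pattern.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):    # skip strings that merely look like track data
                    findings.append({"line": line_no, "kind": kind,
                                     "pan": mask_pan(pan)})
        for _ in CVV.finditer(line):
            findings.append({"line": line_no, "kind": "cvv2", "pan": None})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: stored {f['kind']} data"
              + (f" for card {f['pan']}" if f["pan"] else ""))
```

Run against the constructed log the scanner reports the Track 2 record on line 2, the CVV2 on line 3 and the Track 1 record on line 4, and nothing for the authorization lines that carry only a PAN. The same pattern set can be pointed at database dumps or core files; the Luhn filter matters there because binary and hex data frequently contain digit runs that would otherwise trip the track regexes.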
Visa has over the last two years or so been pushing the vendors of such payment applications into making their software more secure. The company has developed a set of so-called Payment Application Best Practices (PABP) to help vendors implement the recommended security features in their software. It maintains a list of validated payment applications that meet the PABP standards and has been urging companies to start using those applications.
At the same time Visa has also been circulating a frequently updated list of vulnerable payment applications with instructions to card-issuing banks to get merchants to stop using such software.
Tuesday's announcement formalizes these efforts into a set of standards that companies need to implement within a specific time frame.
The first phase of Visa's payment application security mandates goes into effect on January 1, 2008. After that date, the so-called acquiring banks that authorize companies to accept payment card transactions will be prohibited from authorizing new merchants that use payment applications known to be vulnerable. According to an October 23 Visa bulletin, the goal in the first phase is to deter software vendors from introducing new vulnerable applications into the payment system.
The next two phases, which go into effect on July 1 and October 1, 2008, respectively, are designed to get payment processors, agents and merchants to start using software that is compliant with the new application security standards.
Starting on October 1, 2009, all merchants will be required to start terminating the use of any non-compliant payment applications that they might still have in their environments. The fifth phase, beginning July 1, 2010, mandates the use of only those payment applications that support the new standards, according to Visa.
The application rules complement a separate set of payment card industry (PCI) data security standards that are already in place for all entities handling payment cards. Under PCI, merchants are required to implement a set of 12 security controls, such as encryption, transaction logging and access management, for protecting cardholder data.
Though the requirements went into effect more than two years ago, a large number of big retailers are still noncompliant because of a variety of issues that include legacy system challenges, rules interpretation issues and continuously evolving guidelines.