With five new mandates for merchant acquirers and processors to meet by 2010, Visa Inc.'s Payment Application Best Practices (PABP), a set of standards governing payment-processing software, are becoming ever more tightly aligned with the comprehensive Payment Card Industry data-security standard (PCI) promulgated by the major card networks. But mandates may be just what the doctor ordered to eliminate the current plague of cardholder data thefts, according to some observers.

“It's a painful spoonful of medicine, but … I applaud Visa,” says Bill Pittman, vice president of payment solutions at Phoenix-based point-of-sale hardware and software maker Hypercom Corp. “There are too many bad applications out there that are doing bad things with data.”

The “bad things” Pittman referred to involve the tendency of older payment-processing software applications to store magnetic-stripe track data, so-called Card Verification Value (CVV2) security codes, and PIN blocks from debit cards in violation of network rules. Once in possession of such data, computer hackers can create counterfeit credit and debit cards. The largest-ever hack of card data involved an intrusion into the computer system of retailer The TJX Cos., where the number of affected cards is now believed to exceed 94 million (Digital Transactions News, Oct. 25). Frequently, merchants' payment software stores track data without the merchant even knowing of it.

“Vulnerable payment applications have proved to be the leading cause of compromise incidents, particularly among small merchants,” says the introduction of a Visa bulletin that announced the new deadlines last week. Visa would not make an executive available for comment on the mandates, whose deadlines Visa calls “phases.”

PABP is a set of Visa guidelines for the software that merchant acquirers, processors, and independent sales organizations (ISOs) use to process card transactions and link merchants with the VisaNet backbone network.
PCI covers the entire payment system, including hardware and telecommunications links. While nominally separate, PCI and PABP clearly are linked and are likely to become more so as data breaches continue to give the card industry and hacked merchants black eyes. “PABP is a way of creating discipline,” says Bill Clark, senior vice president of sales and marketing at Scottsdale, Ariz.-based Apriva, a maker of wireless POS applications and secure e-mail applications for the U.S. Department of Defense.

Below is a summary of the upcoming mandates:

- Jan. 1, 2008: Acquirers must not book merchants using known vulnerable payment applications, and processors and ISOs may not certify any software to their platforms that is known to be vulnerable. Visa posts a list of vulnerable software on its Web site.
- July 1, 2008: Processors and ISOs must only certify new payment software to their platforms that is PABP-compliant.
- Oct. 1, 2008: Newly booked Level 3 and Level 4 merchants must be PCI-compliant or use PABP-compliant applications. So-called Level 3 merchants are those that submit 20,000 to 1 million Visa e-commerce transactions annually. Level 4 covers the smallest merchants, those submitting up to 1 million Visa transactions annually regardless of channel, or in the case of Web-only merchants, fewer than 20,000 e-commerce transactions.
- Oct. 1, 2009: Processors and ISOs must decertify all vulnerable payment applications.
- July 1, 2010: Acquirers must ensure that their merchants, processors and ISOs use only PABP-compliant applications.

The bulletin says the mandates will be enforced in accordance with PCI's enforcement provisions, which include fines for non-compliance and data breaches and take into account whether a compromised entity was using PABP-compliant applications. Acquirers usually pass on network fines to their affected merchants.
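The data the article says legacy payment applications must never retain (magnetic-stripe track data, CVV2 codes and PIN blocks) is exactly what an assessor or merchant would scan application logs and storage for when checking whether a deployed application is one of the “vulnerable” ones. The script below is an added example, not code from the article, from Visa or from any vendor named here; the log excerpt is constructed and the card number is a well-known test PAN, not a real account.

```python
import re

# Constructed sample of what a legacy POS application might write to a debug
# log. The PAN is a well-known test number, not a real account.
SAMPLE_LOG = """\
2007-11-02 10:14:03 auth request merchant=12345 amount=42.17
2007-11-02 10:14:03 raw_track2=;4111111111111111=09121011234567890?
2007-11-02 10:14:03 cvv2=123 pinblock=1A2B3C4D5E6F7A8B
2007-11-02 10:14:04 auth approved ref=000123
"""

# ISO/IEC 7813 track 2: ';' start sentinel, PAN (12-19 digits), '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")
CVV2_RE = re.compile(r"\bcvv2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
PINBLOCK_RE = re.compile(r"\bpin_?block\s*[=:]\s*[0-9A-Fa-f]{16}\b", re.IGNORECASE)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_sensitive_auth_data(text: str) -> list:
    """Flag stored track 2 data, CVV2 values and PIN blocks, one finding per hit.

    Track 2 hits report a masked PAN so the report itself does not leak it.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TRACK2_RE.finditer(line):
            pan, expiry, service = m.group(1), m.group(2), m.group(3)
            if luhn_ok(pan):
                masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
                findings.append({"line": lineno, "kind": "track2", "pan": masked,
                                 "expiry": expiry, "service_code": service})
        if CVV2_RE.search(line):
            findings.append({"line": lineno, "kind": "cvv2"})
        if PINBLOCK_RE.search(line):
            findings.append({"line": lineno, "kind": "pin_block"})
    return findings


if __name__ == "__main__":
    for finding in find_sensitive_auth_data(SAMPLE_LOG):
        print(finding)
```

Any hit on track 2 or CVV2 data outside the authorization message itself is a finding regardless of how the file is protected, since the network rules forbid retaining that data at all after authorization.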