Monday, November 25, 2024

Risky Software Still in Place as a Visa Deadline Passes

Although many U.S. merchants and processors have met Visa Inc.’s July 1 deadline for replacing unapproved point-of-sale software applications with ones that meet requirements of the Payment Application data-security standard, or PA-DSS, many non-compliant card-processing applications remain in the marketplace, Visa says.

While Visa would not release numbers on compliance, it said, “progress is good” in implementing the standard. In a statement, the world’s largest card network also said processors and merchants that aren’t in compliance “should be working with their merchant banks to develop action plans to upgrade to a PA-DSS compliant application.”

The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited card information, such as full magnetic stripe, card verification values (so-called CVV2), or PIN data, and ensure their applications support compliance with the main Payment Card Industry data-security standard, or PCI. Older software programs have been the source of numerous data breaches, with merchants frequently unaware of their vulnerabilities. Visa now maintains an updated list of non-compliant applications on its Web site. The card networks enforce PCI and its related standards, although the PCI Security Standards Council sets the requirements themselves.
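As an added illustration (not from the article, from Visa or from the PCI Council's materials), the check below is the kind a merchant or assessor would run over an application's own logs or database exports to find the prohibited data the standard names: a full Track 2 image (PAN, expiry and service code) and stored CVV2 or PIN values. The log lines, field names and card numbers are constructed for the example; the Track 2 layout follows ISO 7813, and a Luhn check filters out digit runs that merely look like a PAN.

```python
import re
from dataclasses import dataclass

# Track 2 (ISO 7813): PAN (13-19 digits), '=' separator, YYMM expiry,
# 3-digit service code, then discretionary data; often framed by ';' and '?'.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})\d*")
# Field names under which sensitive authentication data might be written out
# (constructed list for this example; adapt to the application's own schema).
PROHIBITED_KEY_RE = re.compile(r"\b(cvv2|cvc2|cid|pin|pinblock)\s*=\s*(\d{3,16})", re.I)

# Constructed sample of a POS application's transaction log. Only line 1 (full
# Track 2) and line 4 (stored CVV2) violate the PA-DSS storage prohibition;
# line 3 contains a Luhn-invalid digit run that must not be reported.
SAMPLE_LOG = [
    "2024-07-01 09:14:03 AUTH approved track2=;4111111111111111=27121011234567890?",
    "2024-07-01 09:15:41 AUTH approved pan=411111******1111 exp=12/27",
    "2024-07-01 09:16:22 AUTH declined pan=1234567890123456=2712101000000 reason=bad_luhn",
    "2024-07-01 09:17:05 AUTH approved pan=550000******0004 cvv2=123",
]

def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

@dataclass
class Finding:
    line_no: int
    kind: str      # "track2" or "sensitive_auth_data"
    detail: str    # masked PAN (first 6 / last 4) or the offending field name

def scan_records(lines):
    """Scan log/export lines for stored Track 2 data and CVV2/PIN fields."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in TRACK2_RE.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan):    # drop digit runs that are not plausible PANs
                masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
                findings.append(Finding(n, "track2", masked))
        for m in PROHIBITED_KEY_RE.finditer(line):
            findings.append(Finding(n, "sensitive_auth_data", m.group(1).lower()))
    return findings
```

Running `scan_records(SAMPLE_LOG)` reports the Track 2 image on line 1 (as `411111******1111`) and the CVV2 field on line 4, and nothing for the masked PAN or the Luhn-invalid run.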

Even though many merchants are still using non-compliant applications, “the risk has been dramatically reduced” in recent years, says Branden Williams, director of security consulting for the security practice of EMC Corp.’s RSA security division. “I would speculate to say these devices are still in the system, however, they’re not nearly as prominent,” he says.

July 1 also marked another Visa deadline, that for U.S. merchants to meet the so-called Triple Data Encryption Standard to protect keypads in automated fuel dispensers from skimming devices. Triple DES software encrypts the PIN when entered into the keypad so it cannot be read even if captured by a skimming device. An estimated 750,000 to 800,000 automated fuel pumps in the United States are equipped with card readers and PIN pads. Digital Transactions magazine reported in April that security experts estimate that fewer than half of those pumps meet Triple DES requirements, though they agree that reliable numbers are scarce.

Pump manufacturers were slow in getting upgraded equipment to market, causing fuel retailers to complain that they would have trouble meeting the July 1 deadline. Some even mulled refusing to accept PIN-debit transactions at pumps. While Visa retains the right to fine acquirers processing for non-compliant merchants, experts believe Visa won’t strictly enforce the Triple DES requirement until 2012, the magazine reported.

Meanwhile, Visa continues to add to its list of compromised point-of-sale PIN-entry devices. In May, Visa took the unusual step of revoking the approval of two previously PCI-approved PIN-entry devices after breaches: Ingenico S.A.’s i3070MP01 and i3070EP01. Visa did not provide details about the breaches, and an Ingenico spokesperson could not be reached for comment.

Digital Transactions