Recognizing that sloppy payment-processing software installations can lead to data breaches, Visa Inc. on Tuesday issued what it calls the top 10 best practices for secure software management. Visa is aiming the guidance mostly at third-party software vendors, integrators, value-added resellers (VARs), and others that sell or license card-processing applications to merchants and processors. The practices also apply to merchant acquirers and independent sales organizations because they frequently provide software to their merchants.
Developed with input from the security-education firm The SANS Institute, the guidance reflects the fact that even though an application itself may meet the card networks’ Payment Application data-security standard (PA-DSS), it could become the source of a breach if it isn’t installed and managed properly, according to Eduardo Perez, head of global payment system security at Visa. Many if not most merchants depend in some degree on software vendors and VARs to maintain at least some of their applications that handle payment card data. “The real area where we are focusing is the secure implementation and management of payment applications installed by third parties,” Perez tells Digital Transactions News.
Verizon Business’s latest annual data-breach study reported that 21% of Verizon clients that had a breach in 2009 had passed their most recent validation audits for compliance with the card networks’ main security standard, the Payment Card Industry data-security standard, or PCI (Digital Transactions News, Aug. 5). Post-breach investigations found some of the same software shortcomings Visa is highlighting in its guidance. Some of the 10 best practices Visa lists already are part of the PA-DSS or PCI. “What we’re really focused on is the secure implementation,” Perez says, describing the practices as complementary to the two standards.
Two common problems are insecure remote access and failure to change default settings such as passwords, which hackers can guess with relative ease. Perez suspects the default problem is the result of the continued expansion of the merchant base, with many new card-accepting merchants unaware of what they should look for in card software, and haste by vendors or VARs to finish one job and move on to the next. “I think there’s a lack of knowledge and attention … it’s really a reminder for them,” Perez says.
The best practices are:

1. Perform background checks on new employees and contractors before hiring.
2. Maintain an internal and external software-security training and certification curriculum.
3. Adhere to a common software-development life cycle across payment applications.
4. Ensure that newly released versions are PA-DSS compliant.
5. Conduct vulnerability detection tests and code reviews against common weaknesses before sale or distribution.
6. Actively identify software that stores sensitive authentication data and/or retains critical security vulnerabilities, and notify all affected customers.
7. Maintain customer-service agreements stating that only PA-DSS compliant payment software will be sold and supported.
8. Implement an installer, integrator and reseller training and certification program that enforces adequate data-security processes when servicing customers.
9. Adhere to industry guidelines for data-field encryption and tokenization across payment applications that use those technologies.
10. Support the capability of dynamic data solutions across payment applications.
Visa gives more details in a five-page document available on its security Web site. The last two guidelines address emerging payment technologies, and the detailed document lists as a best practice the adoption of software that supports the EMV chip, Visa’s contactless chip and the so-called 3-D Secure technology. But a spokesperson says Visa isn’t trying to nudge the U.S. card industry into rolling out the EMV chip, an expensive but much more secure technology for protecting card data than the magnetic stripe. The guidelines apply globally, the spokesperson notes, which is why EMV and contactless cards are mentioned together. “Visa’s contactless card, the payWave, is consistent with the EMV standard,” the spokesperson says. Most of the world, including Canada, has adopted or is in the process of adopting the EMV chip, while contactless cards have a limited U.S. presence.
Visa isn’t making the best practices mandatory, at least for now. But the PA-DSS originated with Visa’s software best practices, and Visa could encourage the PCI Security Standards Council to adopt the guidance in future standards updates. Or Visa, which as a payment network enforces PCI and PA-DSS, could make the practices mandatory for Visa acceptors and processors should circumstances warrant. “If we feel that it is necessary, we can and will take steps to protect the payment system,” says Perez.
The Bethesda, Md.-based SANS Institute will be incorporating the guidelines into its security classes. The full guidelines can be downloaded from usa.visa.com/merchants/risk_management/cisp_payment_applications.html.
In other payment-data security news, the TechCrunch Web site reported this week that fraudsters have charged hundreds of dollars in some cases to an undetermined number of iTunes accounts funded through PayPal, with the vulnerability reportedly on the iTunes side. But the source of the alleged compromise was unclear Wednesday. “I can confirm that iTunes servers have not been compromised,” a spokesperson for iTunes owner Apple Inc. told Digital Transactions News via e-mail.
Earlier in the day, a PayPal Inc. spokesperson said by e-mail that, “We can confirm that the PayPal site itself has not been compromised, and there have been no unauthorized log-ins or takeover of any of the PayPal accounts affected by this issue. Unauthorized payments through PayPal as a result of this issue are being reimbursed.” On Tuesday Apple issued a general statement about its account security policies, which urge iTunes customers to contact their financial institutions about chargebacks or unauthorized charges. Another tech site, Digital Daily, suggested the fraud resulted from phishing, not from an iTunes security flaw.