VISA and Vulnerable Payment Applications
Minneapolis, October 9, 2008 — The story of the Payment Application Data
Security Standard (PA-DSS) begins with VISA. Seeing an increasing number of merchant
compromises in recent years, VISA discovered that certain payment applications were
inappropriately storing prohibited data, including magnetic-stripe, CVV2 or PIN data,
after the transaction had been authorized. Hackers were targeting merchants and agents
that used vulnerable payment applications, exploiting vulnerabilities to capture this
sensitive data. VISA realized that it was critical for acquires to ensure that their
merchants and agents did not use payment applications known to improperly retain
prohibited data elements. Acquirers needed to make sure that corrective actions were taken
to address any identified deficiencies.
To that end, starting in 2005, VISA launched its Payment Application
Best Practices (PABP). PABP spelled out how developers or payment applications can make those
applications secure and compliant with the PCI-DSS standard.
The PABP requirements are:
- Do not retain full magnetic strip, card validation value, or PIN block data.
- Protect stored cardholder data.
- Provide secure password features.
- Log application activity.
- Develop secure applications.
- Protect wireless activity.
- Protect wireless transmissions.
- Test applications to address vulnerabilities.
- Facilitate secure remote software updates.
- Facilitate secure remote access to application.
- Encrypt sensitive traffic over public networks.
- Encrypt all non-console administrative access.
- Maintain instructional documentation and training programs for customers, resellers and integrators. (Source: Visa)
These PABP requirements can be mapped to elements of PCI-DSS. In 2007,
VISA put new urgency into the PABP guidelines by mandating compliance. Merchants and agents that
continued to use payment applications that stored prohibited data, or that had other inherent security
weaknesses, would not be compliant with PABP or PCI-DSS.
PABP and New Payment Application Security Mandates
Beginning on January 1, 2008, VISA issued a schedule of mandates for compliance with PABP, to eliminate the use of non-secure payment applications from the VISA payment system.
Outlined below are the five mandates, scheduled to take effect over the next two years.
|Phase||Compliance Mandates||Effective Date
|I.||Newly boarded merchants must not use known vulnerable payment applications. VISANet Processors (VNP) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications||1/1/08
|II.||VNPs and agent must certify only new payment applications to their platforms that are PABP-compliant||7/1/08
|III||Newly boarded Level 3 & 4 merchants must be PCI DSS compliant or use PABP-compliant applications||10/1/08
|IV.||VNPs and agent must recertify all vulnerable payment applications||10/1/09
|V.||Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications||7/1/10
PABP Becomes PA-DSS
Recognizing that data security is a collaborative effort by multiple
entities in the payment chain, the PCI Security Standards Council (PCI SSC) adopted PABP as an
industry-wide standard, calling it the Payment Application Data Security Standard (PA-DSS). The PABP
scheduled mandates became the hard deadlines of an industry standard.
The comprehensive PA-DSS program provides a clear understanding of what
encompasses a secure payment application. PA-DSS also provides:
- Guidance for software vendors – helping them develop payment applications that do not store prohibited cardholder account or transaction data.
- Insurance that payment applications are developed using secure coding procedures to guard against common attack methods.
- Insurance that merchants and agents use software vendors whose payment applications have been validated by a PCI-approved security assessor.
- Help in preventing data compromises and helps payment chain participants comply with the PCI-DSS.
To ensure compliance not just with payment applications but with PCI-DSS as
a whole, it will be more important than ever for organizations in the payment chain to have the requisite
security strategy-ensuring a strong understanding of the PCI requirements, implementing the required major
changes and maintaining compliance through a strong security program. The penalties for non-compliance can
be severe, as pressure increases from acquirers and issuers.
NetSPI’s PCI-DSS and PA-DSS Credentials
NetSPI has made a significant investment in PCI-DSS certifications in order to deliver
services to merchants and service providers that need to comply with the PCI standard. For example, NetSPI is a
Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV), certified to perform both the on-site audit
and the quarterly network scans required of merchants and service providers.
As of September 15, 2008 NetSPI became one of the first eight USA-certified Payment
Application Qualified Security Assessors (PA-QSA). The certification process was a continuation of our experience
and proven methodology as a VISA Qualified Payment Application Security Company (QPASC).
Let NetSPI put that experience and expertise to work for your organization, to ensure
the development and use of secure payment applications that comply with PA-DSS.
NetSPI is a privately held information-security consulting company founded in 2001. By using its consulting team's deep security knowledge and its CorrelatedVM vulnerability management & reporting solution, the company is a trusted advisor to large enterprises. NetSPI provides a range of assessment and advisory services designed to analyze and mitigate risks and ensure compliance with relevant regulations and industry standards. Clients include large financial services firms, retailers, healthcare organizations and technology companies.
More information is available at www.netspi.com.