Visa rolls out new payment application security mandates

Amid signs of growing frustration in the retail community over the credit card industry's payment card industry (PCI) data security requirements, Visa on Tuesday quietly rolled out an additional set of Payment Application Security Mandates for all companies that handle credit and debit card transactions.

Under the multi-phase initiative, covered entities will three years to ensure that all their payment applications are compliant with a set of security requirements mandated by Visa. The rules apply to any third-party payment software used by companies for storing, processing or transmitting cardholder data.

For many companies, especially large ones using older payment applications, Visa's mandate could mean "tens of millions of dollars" in upgrades to new technologies over the next few years, said Jim Huguelet, an independent consultant. The mandates will also "by proxy" force vendors of payment applications to finally start implementing security features that have been recommended by Visa and others for some time now, he said.

"This is a really major step forward for the industry in asking payment application vendors to step up and support more directly the compliance efforts of their customers," Huguelet said. Until now, adherence to such standards was an "optional sort of thing" for vendors. "Now it has become clear that payment vendors have to make their software support security standards" or risk being cast aside by their customers, he said.

Visa's mandates have been expected for some time and are designed to address long-standing security weaknesses in the applications merchants use to conduct payment card transactions. The biggest concern has been the fact that many payment applications now in use are designed to store data such as the full magnetic-stripe information from the back of cards, card-verification code numbers and PIN data. Storing that data has made payment systems an attractive target for hackers and has long been considered a fundamental security weakness. It is a practice that has been explicitly banned under PCI.

However, it has been hard for many companies to comply with this requirement since certain payment applications currently in use -- especially older applications -- are designed to store the prohibited data by default, sometimes without even the knowledge of the companies using them.

Visa has over the last two years or so been pushing the vendors of such payment applications into making their software more secure. The company has developed a set of so-called Payment Application Best Practices (PABP) to help vendors implement the recommended security features in their software. It maintains a list of validated payment applications that meet the PABP standards and has been urging companies to start using those applications.

At the same time Visa has also been circulating a frequently updated list of vulnerable payment applications with instructions to card-issuing banks to get merchants to stop using such software.

Tuesday's announcement formalizes these efforts into a set of standards that companies need to implement with a specific time frame.

The first phase of Visa's payment application security mandates goes into effect on January 1, 2008. After that date, the so-called acquiring banks that authorize companies to accept payment card transactions will be prohibited from authorizing new merchants that use payment applications known to be vulnerable. According to an October 23 Visa bulletin, the goal in the first phase is to deter software vendors from introducing new vulnerable applications into the payment system.

The next two phases, which go into effect on July 1 and October 1, 2008, respectively, are designed to get payment processors, agents and merchants to start using software that is compliant with the new application security standards.

Starting on October 1, 2009, all merchants will be required to start terminating the use of any non-compliant payment applications that they might still have in their environments. The fifth phase, beginning July 1, 2010 mandates the use of only those payment applications that support the new standards, according to Visa.

The application rules complement a separate set of payment card industry standards (PCI) that are already in place for all entities handling payment cards. Under PCI, merchants are required to implement a set of 12 security controls such as encryption, transaction logging and access management for protecting cardholder data.

Though the requirements went into affect more than two years ago, a large number of big retailers are still noncompliant because of a variety of issues that include legacy system challenges, rules interpretation issues and continuously evolving guidelines.