Beware Beware
PreferredByPete.com Enthusiast
--------------------------------------------------------------------------------
Visa teamed with the SANS Institute to offer best practices for security for payment application vendors. The advice is meant to compliment the Payment Application Data Security Standard.
Visa has released a set of best practices for payment application vendors to help ensure security beyond the requirements of industry compliance.
The document comes roughly two weeks after the Payment Card Industry (PCI) Security Standards Council outlined proposed changes to payment card industry regulations. According to Visa, which developed the guidance (PDF) with the help of the SANS Institute, the document is meant to compliment the PCI Payment Application Data Security Standard (PA-DSS).
“The PA-DSS provides guidance for developing secure software, while Visa’s Best Practices for Payment Application Companies represents a natural companion, providing guidance on how to securely install that piece of software,” said Eduardo Perez, Head of Global Payment System Security at Visa, in a statement. “We saw from data compromise investigations that while an application may be secure and comply with the PA-DSS, implementation and management missteps can create vulnerabilities.”
Among the tidbits: conduct application vulnerability tests and code reviews on new payment application versions prior to sale or distribution and adhere to industry guidelines for data field encryption and tokenization across payment applications using these technologies.
“It is in the best interest for the payment application provider to proactively adopt practices, such as these, so more often than not, merchants will find that these best practices are widely used and vendors are already doing these things,” said Eric Bushman, Vice President of Solutions Engineering at Paymetric. “No single requirement outlined in this document stands out as one that merchants would have challenges ensuring their vendor is adhering to. But that doesn’t mean that they should assume the payment application provider is, in fact, doing these things.”
One of the toughest challenges, especially for large merchants, is the implementation of PA-DSS certified applications, opined Keith Swiat, director of PA-DSS at Trustwave.
“While small merchants can be more agile in this area, merchants with 1000’s of retail outlets can run into serious time and resource issues trying to meet this requirement,” he said. “With the increased exposure to the PCI-DSS by merchants and application vendors, the vast majority are using these Best Practices, successful or not, in some form. The most effective way to propagate this information will be for merchants and application vendors to maintain a good relationship with their banks to keep up-to-date on any new developments that the card brands may push down.”
Visa teamed with the SANS Institute to offer best practices for security for payment application vendors. The advice is meant to compliment the Payment Application Data Security Standard.
Visa has released a set of best practices for payment application vendors to help ensure security beyond the requirements of industry compliance.
The document comes roughly two weeks after the Payment Card Industry (PCI) Security Standards Council outlined proposed changes to payment card industry regulations. According to Visa, which developed the guidance (PDF) with the help of the SANS Institute, the document is meant to compliment the PCI Payment Application Data Security Standard (PA-DSS).
“The PA-DSS provides guidance for developing secure software, while Visa’s Best Practices for Payment Application Companies represents a natural companion, providing guidance on how to securely install that piece of software,” said Eduardo Perez, Head of Global Payment System Security at Visa, in a statement. “We saw from data compromise investigations that while an application may be secure and comply with the PA-DSS, implementation and management missteps can create vulnerabilities.”
Among the tidbits: conduct application vulnerability tests and code reviews on new payment application versions prior to sale or distribution and adhere to industry guidelines for data field encryption and tokenization across payment applications using these technologies.
“It is in the best interest for the payment application provider to proactively adopt practices, such as these, so more often than not, merchants will find that these best practices are widely used and vendors are already doing these things,” said Eric Bushman, Vice President of Solutions Engineering at Paymetric. “No single requirement outlined in this document stands out as one that merchants would have challenges ensuring their vendor is adhering to. But that doesn’t mean that they should assume the payment application provider is, in fact, doing these things.”
One of the toughest challenges, especially for large merchants, is the implementation of PA-DSS certified applications, opined Keith Swiat, director of PA-DSS at Trustwave.
“While small merchants can be more agile in this area, merchants with 1000’s of retail outlets can run into serious time and resource issues trying to meet this requirement,” he said. “With the increased exposure to the PCI-DSS by merchants and application vendors, the vast majority are using these Best Practices, successful or not, in some form. The most effective way to propagate this information will be for merchants and application vendors to maintain a good relationship with their banks to keep up-to-date on any new developments that the card brands may push down.”
