Visa developed the Payment Application Best Practices (PABP) in 2005 to provide software vendors guidance in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and support overall compliance with the PCI DSS. In 2008, the PCI Security Standards Council adopted Visa’s PABP and released the standard as the PA-DSS. The PA-DSS now replaces PABP for the purpose of Visa’s compliance program.
On January 1, 2008, Visa implemented a series of mandates to eliminate the use of vulnerable payment applications from the Visa payment system. These mandates require acquirers to ensure that their merchants and agents do not use payment applications known to retain sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and require the use of payment applications that are compliant with the PA-DSS.
Vulnerable payment applications have proved to be the leading cause of compromise incidents, particularly among small merchants. Visa U.S.A. Inc. Operating Regulations prohibit the storage of the full content of any magnetic-stripe, CVV2 or PIN data and require compliance with the PCI DSS. Merchants and agents that use payment applications that store prohibited data or have inherent security weaknesses will not be compliant with the PCI DSS and are at high risk of being compromised.
Visa Top 10 Best Practices for Payment Application Companies
The following best practices should be reviewed by acquirers, merchants and agents to ensure that their payment application vendors, integrators and resellers mitigate security issues leading to data compromises. On their own, these best practices may not be appropriate or sufficient depending on the implementation of an entity’s information technology (IT) infrastructure and business needs.
Domain / Best Practice

Organizational Security
1. Perform background checks on new employees and contractors prior to hire
2. Maintain an internal and external software security training and certification curriculum

Mature Software Development
3. Adhere to a common software development life cycle across payment applications
4. Ensure that newly released payment application versions are Payment Application Data Security Standard (PA-DSS) compliant

Product Vulnerability Management
5. Conduct application vulnerability detection tests and code reviews against common vulnerabilities and weaknesses prior to sale or distribution
6. Actively identify payment application versions that store sensitive authentication data and/or retain critical security vulnerabilities, and notify all affected customers
7. Maintain customer service level agreements stating that only PA-DSS compliant payment application versions will be sold and supported
8. Implement an installer, integrator and reseller training and certification program that enforces adequate data security processes when supporting customers

Emerging Payment Technologies
9. Adhere to industry guidelines for data field encryption and tokenization and PAN elimination across payment applications that use these technologies
10. Support capability of dynamic data solutions across payment applications
Payment Application Data Security Standard (PA-DSS)
Visa strongly encourages payment application vendors to develop and validate the conformance of their products to the PA-DSS. PA-DSS compliant applications help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data, and support overall compliance with the PCI DSS. PA-DSS applies only to third-party payment application software that stores, processes or transmits cardholder data as part of an authorization or settlement. In-house software applications are covered within a merchant or agent’s PCI DSS assessment.
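The prohibited-storage rule that runs through this page (no full magnetic-stripe data, CVV2 or PIN data retained after authorization) and best practices 5 and 6 (vulnerability detection tests before distribution; identifying application versions that store sensitive authentication data) both come down to one concrete check a vendor, integrator or assessor can run against what an application actually writes to disk. The following is an added example, not Visa's, the PCI SSC's or any vendor's tooling: a Python scanner that reads persisted output (log lines, dumps, exported records) and flags Track 1 and Track 2 data in the ISO/IEC 7813 layout, filtered by a Luhn check on the PAN so random digit runs are not reported, plus labelled CVV2/CVC2/CID and PIN-block fields. Any PAN it reports is masked to the last four digits so the finding itself is safe to store. The regexes, field names and the sample log lines are assumptions constructed for illustration.

```python
"""Scan persisted payment-application output for sensitive authentication data
that must not be stored after authorization: full magnetic-stripe track data,
CVV2 and PIN data.

Added example, not Visa's or the PCI SSC's own tooling. Track layouts follow
ISO/IEC 7813; the sample lines below are constructed for demonstration.
"""
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")
# Labelled card-verification and PIN fields as they appear in key=value or
# JSON-style records (heuristic: a bare 3-digit number is not flagged).
CVV2_RE = re.compile(r'(?i)\b(cvv2?|cvc2?|cid)["\']?\s*[:=]\s*["\']?(\d{3,4})\b')
PIN_RE = re.compile(r'(?i)\b(pin(?:_?block)?)["\']?\s*[:=]\s*["\']?([0-9A-Fa-f]{4,16})\b')


def luhn_ok(pan):
    """True if the digit string passes the Luhn check used for PANs (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the last four digits so the finding is itself safe to record."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_line(line):
    """Return a list of findings for one persisted record."""
    findings = []
    for m in TRACK1_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append({"type": "track1", "pan": mask_pan(m.group(1))})
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append({"type": "track2", "pan": mask_pan(m.group(1))})
    for m in CVV2_RE.finditer(line):
        findings.append({"type": "cvv2", "field": m.group(1)})
    for m in PIN_RE.finditer(line):
        findings.append({"type": "pin", "field": m.group(1)})
    return findings


def scan_lines(lines):
    """Scan an iterable of records; each finding carries its 1-based line number."""
    report = []
    for n, line in enumerate(lines, 1):
        for f in scan_line(line):
            f["line"] = n
            report.append(f)
    return report


# Constructed sample records. 4111111111111111 is a widely used test PAN that
# passes Luhn; 1234567890123456 does not, so the "test swipe" line must not fire.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 auth request pan=************1111 cvv2=123 amount=10.00",
    "2024-05-01 12:00:02 settlement batch=42 pan=************1111 auth_code=A1B2C3 result=approved",
    "2024-05-01 12:00:03 DEBUG raw swipe: %B4111111111111111^DOE/JANE^25121011000000000?",
    '2024-05-01 12:00:04 {"track2": ";4111111111111111=25121011000000000?", "pin_block": "0412AC89FF012345"}',
    "2024-05-01 12:00:05 DEBUG test swipe: %B1234567890123456^TEST/CARD^25121010000?",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f)
```

Point `scan_lines` at a real log or export file (one record per line) to get the same report; each finding names the line, the kind of prohibited data and, for track data, a masked PAN. The labelled-field checks are heuristics: a field called `cid` that holds something other than a card verification value is a false positive, and an unlabelled verification value is missed, so treat a hit as the trigger for the code review best practice 5 calls for rather than as the whole assessment.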