Visa lays down the law of PCI compliance


Visa has released 10 commandments for vendors to follow to ensure their security practices exceed basic compliance, ahead of new security requirements set to be applied in the next few weeks.

The Payment Card Industry Security Standards Council (PCI-SSC) outlined proposed changes to payment card industry regulations two weeks ago. Visa has teamed up with the SANS Institute to develop a list of pointers for acquirers, merchants and agents.

The tips promote stronger security processes that reach beyond the Payment Application Data Security Standard (PA-DSS) specified for software compliance and form a set of standards organisations should insist their payment application vendors, integrators and resellers adopt.

The SANS Institute is also partnering with Visa to provide further guidance on how to securely implement point-of-sale solutions through a series of training courses.

The PA-DSS regulations are updated at least every two years to respond to changing methods attackers use to access payment card details. Visa said the latest changes respond to inadvertent errors arising from payment application companies leaving systems and software improperly configured. Many compromised merchants were found to have operated with those deficiencies for months, or even years, at a time, Visa explained.

The PCI DSS regulations were created in 2004 by Visa, MasterCard, Discover Card, JCB, and American Express to safeguard cardholder information and protect against theft and fraud. Any company processing credit card details has to meet or exceed the regulations, with the degree of compliance required depending on the number of transactions handled each year.

Any company that fails to implement the standards effectively is liable to pay hefty fines to the PCI-SSC and, in serious cases, can lose the right to process credit card transactions for the council members.

Visa's top 10

1. Perform background checks on new employees and contractors prior to hire.

2. Maintain an internal and external software security training and certification curriculum.

3. Follow a common software development lifecycle across payment applications.

4. Ensure newly released payment application versions are PA-DSS compliant.

5. Conduct application vulnerability detection tests and code reviews against common vulnerabilities and weaknesses prior to sale or distribution.

6. Actively identify payment application versions that store sensitive authentication data and/or retain critical security vulnerabilities, and notify all affected customers.

7. Maintain customer service level agreements stating that only PA-DSS compliant payment application versions will be sold and supported.

8. Implement an installer, integrator and reseller training and certification programme that enforces adequate data security processes when supporting customers.

9. Adhere to industry guidelines for data field encryption and tokenisation across payment applications that use these technologies.

10. Support capability of dynamic data solutions across payment applications.