Visa is mounting a full-scale blitz to encourage merchants to use payment software that doesn't compromise consumer passwords. The card company has asked merchants to ensure that the software they use to process card transactions doesn't store the full contents of "track data", which contains passwords and other sensitive information.
Last year, a breach at CardSystems, a processor of card transactions, led to the exposure of 40 million payment records, setting off a firestorm that's led to a crackdown on data security vulnerabilities by regulators and lawmakers.
Visa's Cardholder Information Security Program prohibits the storing of full track data by merchants. Account numbers, expiration dates, and names are the only elements of track data that may be retained once a transaction has been authorized. In addition, Visa requires compliance with the Payment Card Industry Data Security Standard (PCI DSS) by all merchants and any entity that stores, transmits or processes cardholder data.
Visa classifies merchants into one of four levels by transaction volume; validation requirements with PCI are determined by the merchant's category. For example, Level One merchants (those with the highest number of transactions or who've been compromised) must conduct annual onsite audits and quarterly network scans. Level Two merchants are required to conduct annual self-assessments and quarterly network scans; Visa has expanded the Level Two category to include a greater number of merchants.
Visa has a set of Payment Application Best Practices (PABP), which assists software vendors in creating secure payment applications, thereby helping to protect their customers from being exposed to a security breach. Visa publishes a list of PABP-compliant vendors at http://www.visa.com/cisp and encourages software vendors to follow the practices. It's considering making PABP compliance mandatory for all software vendors.
Visa recommends that merchants choose payment software from its list of PABP-compliant vendors. "The best thing merchants can do to ensure they're not storing track data is to use payment software that's compliant with PABP," says Martin Elliott, VP of emerging risk at Visa USA. As part of its campaign, Visa has alerted small to midsize restaurants to a security vulnerability due to improperly installed credit card transaction systems, known as point-of-sale or POS systems. Visa says that misconfigured POS systems can contribute to the compromise of cardholder account information and other sensitive data. Because POS systems are often installed by third-party software resellers, they may be vulnerable to compromise upon installation. Visa urges retail establishments to ask POS vendors whether their systems store track data, and if so, to disable that feature.
Visa is also asking merchants to encrypt online PIN-based transactions processed within POS systems. Effective July, 2010, all PIN-based transactions must encrypt PINs using the Triple Data Encryption Standard. To prevent PIN skimming at vulnerable POS locations, Visa has implemented a POS device evaluation program to ensure that all merchants use fully-compliant devices that support triple DES. Effective July, 2010, all POS devices must be triple DES-capable and Visa-approved.
Eleven Ways To Minimize PIN Data Theft
1. Build a well-aimed defense against PIN data theft and compromise by fully adhering to applicable PCI PIN Security.
2. Talk to employees about the potential for PIN compromise when POS devices are missing or when there are any noticeable signs of device tampering. Inspect POS device inventories regularly.
3. Make sure you use only authorized personnel to service deployed terminals. Properly manage inventories and physically secure PIN encryption devices at all locations so they cannot be easily removed, modified, or replaced.
4. Immediately contact your merchant bank and law enforcement if you suspect tampering of any PIN devices.
5. Confirm the security of your payment applications using Payment Application Best Practices (PABP), which can be downloaded from the CISP web site at http://www.visa.com/cisp.
6. This site also lists all software vendors whose payment applications have been validated by a Visa-approved security assessor.
7. The full contents of track data, which is read from the magnetic stripe, must not be retained on any system once a transaction has been authorized. If held in a CISP-compliant manner, the account number, expiration date, and name are the only elements of track data that may be retained. Do a thorough review of all payment applications to ensure non-storage of magnetic-stripe data, then confirm the review findings with your service providers.
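The retention rule in item 7 (and the CISP rule above) can be enforced and audited in code. The following is an added example, not Visa's or any vendor's code: it reduces an ISO/IEC 7813 track-1 or track-2 string to the three permitted elements and scans sample log lines for full magnetic-stripe data that should never have been written. The track strings, the test PAN and the log lines are constructed for the example.

```python
import re

# Constructed sample swipes in ISO/IEC 7813 layout (test PAN, not a real card).
# Track 1: %B<PAN>^<LAST/FIRST>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1 = "%B4111111111111111^DOE/JANE^27121011234567890123?"
TRACK2 = ";4111111111111111=271210112345678?"

TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})([^?]*)\?")


def retain_permitted_fields(track: str) -> dict:
    """Keep only what CISP allows after authorization: account number,
    expiration date (YYMM) and cardholder name. The service code and the
    discretionary data (where PIN/card verification values live) are dropped.
    The PAN that is kept must still be protected at rest in a CISP-compliant way."""
    m = TRACK1_RE.fullmatch(track)
    if m:
        pan, name, exp = m.group(1), m.group(2).strip(), m.group(3)
        return {"pan": pan, "name": name, "expiry": exp}
    m = TRACK2_RE.fullmatch(track)
    if m:
        # Track 2 carries no cardholder name.
        return {"pan": m.group(1), "expiry": m.group(2)}
    raise ValueError("not a recognised track-1 or track-2 string")


def find_full_track_data(lines):
    """Return indices of stored records / log lines that still hold full
    track data, for the application review item 7 asks for."""
    return [i for i, line in enumerate(lines)
            if TRACK1_RE.search(line) or TRACK2_RE.search(line)]


# Constructed sample of a POS application log to be reviewed for stored track data.
SAMPLE_LOG = [
    "2010-07-01 12:00:01 auth ok pan=411111******1111 exp=2712",
    "2010-07-01 12:00:02 DEBUG raw swipe: %B4111111111111111^DOE/JANE^27121011234567890123?",
    "2010-07-01 12:00:03 DEBUG raw swipe: ;4111111111111111=271210112345678?",
]

if __name__ == "__main__":
    print(retain_permitted_fields(TRACK1))
    print("lines holding full track data:", find_full_track_data(SAMPLE_LOG))
```

Only the first log line is acceptable storage; the two "raw swipe" debug lines are exactly the kind of residue a PABP review of the application and its service providers is meant to find.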