Visa gives best practices for securing global payments
Category : General 26 Aug 2010 09:18 AM | Industry News
The PA-DSS is a global set of security requirements for software vendors who develop payment applications for merchants seeking business software to manage payment processes. PA-DSS compliant applications do not store prohibited data such as track data, sensitive authentication data, or PIN data, which helps guard merchants and agents against compromises and supports overall compliance with the Payment Card Industry Data Security Standard (PCI DSS).
The best practices developed by Visa in collaboration with the SANS Institute are designed to complement the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS).
"The PA-DSS provides guidance for developing secure software, while Visa's Best Practices for Payment Application Companies represents a natural companion, providing guidance on how to securely install that piece of software," said Eduardo Perez, Head of Global Payment System Security, Visa Inc. "We saw from data compromise investigations that while an application may be secure and comply with the PA-DSS, implementation and management missteps can create vulnerabilities."
“It is in the best interest for the payment application provider to proactively adopt practices, such as these, so more often than not, merchants will find that these best practices are widely used and vendors are already doing these things,” said Eric Bushman, Vice President of Solutions Engineering at Paymetric. “No single requirement outlined in this document stands out as one that merchants would have challenges ensuring their vendor is adhering to. But that doesn’t mean that they should assume the payment application provider is, in fact, doing these things.”
But following this standard alone is not enough, since some vulnerabilities, configuration problems, and implementation issues persist after the application is deployed and throughout its use. The best practices guideline released by Visa is a natural extension to the PA-DSS, according to Perez.
The security guidelines were conceived by Visa together with Bethesda, Maryland-based SANS Institute, which specializes in security training and certification. The best practices include ten issues about technology and process-related advice.
An example is the recommendation to developers to perform application vulnerability detection tests and code reviews to discover vulnerabilities in the software.