October 13, 2006

Credit card industry set to shake up high tech

As Visa requirements proliferate, applications will be forced to comply

For those who know how to read between the lines, the announcement this week by Payment Processing Inc. [PPI] of training courses to meet VISA compliance guidelines for application developers, service providers and merchants is the first sign of a developing storm that could have repercussions across the entire high-tech industry.

The guidelines cover the unique cardholder data found on the magnetic stripe on the back of each credit card, or linked to a credit card number entered during an Internet purchase, and impose restrictions on storing that data.

It all started with a letter from Visa mailed this summer, above the signature of Eduardo Perez, vice president of Payment Risk and Compliance at Visa, encouraging payment application vendors to "validate the conformance of their products to VISA's Payment Application Best Practice [PABP]."

PABP is currently a suggested guideline for everyone except the largest merchants, those doing 6 million transactions a year, and payment card processors. For those entities it is already a requirement.

While Visa doesn't have a direct relationship with the software industry, most in the industry believe the guidelines for application developers will quickly turn into de facto VISA requirements, as users of the software, such as merchants or card processors, face stiff fines for using noncompliant software.

Among ISVs, the biggest impact will be on those who include direct support for a debit or credit card front end in their application.

For new companies, such as Adelo Software with a point-of-sale solution for the restaurant industry, the change will be less dramatic, said company president Harry Tu.

"When we developed our system we built our foundation for this kind of credit card security," Tu said, adding that, using PPI, they found only some minor gaps in their application.

However, Tu said, if an ISV has its software already out in the market it could become a big headache.

"Once the finalized code base is released to the public then they will have to do all of these changes, and the cost is very significant," Tu said.

In essence, the VISA PABP requirements will create a cascading effect that will impact all of the participants in the credit card payment food chain -- not just ISVs with a point of sale package.

Rick Dakin, president and co-founder of Coalfire Systems, an independent auditor accepted by VISA to certify compliance for level one merchants and card processors, said that in order to validate compliance Coalfire audits the entire payment process system.

"We look at databases, applications, operating system, network, the people, and the processes."

Most analysts say that covers almost the entire high-tech industry. Even database designers such as IBM and Oracle will have to comply with VISA security standards.

Eddie Myers, executive vice president and general manager at PPI said it will affect the entire software industry.

"There are so many different places that this data [on the mag stripe] can get stored and compromised," Myers said.

For example, programmers writing payment applications need to store authorization and approval or decline data for future reporting.

"In a programmer's mind, if he says, 'I want to look a month from now so I'll just put it here' without any forethought or encryption, the data can be hacked."
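The storage problem Myers describes, a programmer keeping the whole authorization response "for later" and with it the card number and track data, can be closed at the point where the reporting record is built rather than by filtering afterwards. The following is an added example, not code from the article, PPI or Coalfire: it assumes a constructed authorization response, assumed field names, an assumed retention rule (keep a masked card number and the approve/decline result, never the magnetic-stripe track data or CVV2), and illustrative regular expressions of the kind an auditor would run over stored data to spot full card numbers or track data that should not be there.

```python
"""Added example (not from the article): build a reporting record from a
card authorization response without retaining magnetic-stripe data, and
check stored text for the sensitive fields the guidelines restrict.
Field names, the retention rule and the scan patterns are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample of what a POS front end sees after an authorization.
# The card number is a well-known test number, not a real account.
# Track 2 layout: ';' sentinel, PAN, '=' separator, expiry, discretionary data, '?'.
RAW_AUTH = {
    "pan": "4111111111111111",
    "track2": ";4111111111111111=29121015432112345678?",
    "cvv2": "123",
    "amount_cents": 4250,
    "auth_code": "A1B2C3",
    "response": "APPROVED",
    "merchant_ref": "INV-10077",
}


@dataclass
class ReportRecord:
    """What a month-later report actually needs: nothing else is kept."""
    masked_pan: str
    amount_cents: int
    auth_code: str
    response: str
    merchant_ref: str


def mask_pan(pan: str) -> str:
    """Keep the first six (issuer prefix) and last four digits, X out the rest."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short to mask")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def to_report_record(raw: dict) -> ReportRecord:
    """Copy only the reporting fields. Track data and CVV2 are never read,
    so they cannot end up in whatever store this record is written to."""
    return ReportRecord(
        masked_pan=mask_pan(raw["pan"]),
        amount_cents=int(raw["amount_cents"]),
        auth_code=raw["auth_code"],
        response=raw["response"],
        merchant_ref=raw["merchant_ref"],
    )


# Illustrative scan patterns (assumed): a track 1/2 start sentinel followed
# by a card number and field separator, and any bare 13-19 digit run.
_TRACK_RE = re.compile(r"[;%][0-9A-Z]{0,2}\d{13,19}[=^]")
_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return the kinds of restricted data found in a stored blob of text."""
    hits = []
    if _TRACK_RE.search(text):
        hits.append("track data")
    for m in _PAN_RE.finditer(text):
        if luhn_ok(m.group(0)):
            hits.append("full PAN")
            break
    return hits


if __name__ == "__main__":
    # Storing the raw response "as is" fails the scan; the report record passes.
    print("raw response:", find_sensitive(repr(RAW_AUTH)))
    print("report record:", find_sensitive(repr(to_report_record(RAW_AUTH))))
```

The point of building the record from a fixed list of fields, rather than saving the whole response and redacting later, is that the sensitive values have no path into the database, log or report file in the first place; the scan function then serves as the kind of check an auditor would run over whatever was stored anyway.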

There will be a major effort on the part of auditors such as Coalfire to look inside every system and make sure long-standing practices still meet the data standard.

Dakin sees the VISA security requirements as part of the ongoing trend to create a totally secure environment. It began with the infrastructure firewall and moved next to the operating system.

"The burden is quickly shifting to the application developers. It is not just the payment card industry," said Dakin.

To that end, PPI announced this week it will offer independent software developers and those in the payment process a Security Education Service, a Diagnostic Readiness Review and a Facilitated Compliance Plan.

Ephraim Schwartz is an editor at large at InfoWorld. He also writes the Reality Check blog.

©1994-2009 Infoworld, Inc.