Card industry cracking down on Payment App Security

Well it’s about time! After thefts at CardSystems Solutions and OfficeMax netted credit card data on tens of millions of U.S. cardholders, the payment card industry will be taking a tougher stance on companies that hoard magnetic-strip data on their systems and will strengthen requirements around application security, according to sources familiar with the industry’s plans.

Credit card companies Visa and MasterCard will push large merchants to verify that they do not store magnetic-strip, or “track”, data, and will encourage ISVs to fix payment applications that do store the data, said Martin Elliott, director of corporate risk and compliance at Visa. The industry is also gearing up for changes to its PCI security standard that include application security testing, according to interviews by InfoWorld.

Track data has been the icing on the cake of recent credit card hacks, including the theft of data on tens of millions of Visa and MasterCard members from CardSystems in June 2005. The data is also believed to have been netted in a hack of OfficeMax in December that spawned a rash of card forgeries and debit card reissues.

Track data from magnetic strips isn’t necessary to process credit card transactions but is valuable to hackers and identity thieves because it can be used to make counterfeit cards, said Avivah Litan, an analyst at Gartner.

The data is often automatically saved by payment applications because developers assumed it was needed. In fact, many merchants may be unaware that their payment applications collect and cache the track data, leaving the data unprotected while giving the merchant a misplaced sense of security, Visa’s Elliott said.

The payment card industry will talk directly with ISVs to make sure that they follow best practices and discard the captured track data, Elliott said.

According to Litan and others, the PCI standard will also change to reinforce application security. A section on vulnerability management will be amended to require merchants to protect against application-level attacks such as SQL injection and cross-site scripting attacks using application-firewalls and, possibly, application code scans.

One year after PCI took effect, just 20 percent of level-one merchants, which process 6 million or more credit card transactions a year, are PCI-compliant. More than half have submitted a report and are working on issues that are preventing compliance. With better guidance, Visa’s Elliott hopes that as many as two-thirds of level-one merchants could satisfy the PCI requirements by the end of 2006.