Visa tries new tack with payment app security
Visa USA urges adoption of company-issued best practices, discourages use of payment apps that capture and store sensitive data
Visa USA is quietly ratcheting up the pressure on vendors of payment applications and the businesses that use them to make their software compliant with a set of security best practices being pushed by the company.
It recently sent letters listing payment applications from six vendors that it wants companies to stop using because the software captures and stores sensitive card data.
The letters were sent to the "acquiring" financial institutions that grant companies the approval they need to accept payment card transactions. The missive from Visa urged acquirers to ensure that companies using the listed software either upgrade to newer versions or move to a different product altogether. Any company that continues to use the listed software is in violation of Payment Card Industry (PCI) data security rules, Visa said in its letter.
PCI is a data security standard mandated by the major credit card companies, including Visa. All entities that accept credit or debit card payments are required to follow the standards; companies in violation of PCI rules can be fined or banned from accepting payment card transactions.
This is the first time the company has sent out a list of software that it specifically wants businesses to avoid. The letters are part of an effort to deal with a major issue related to payment card security, Eduardo Perez, vice president of payment system risk at Visa, said via e-mail. "One of the most significant threats to payment system security comes from the storage of prohibited data, such as card verification value numbers, PINs and full-track data," Perez said. "We have seen merchants [being] targeted by data thieves because they were storing sensitive payment card data and weren't even aware that their systems were storing it."
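The prohibited data Perez describes (card verification values, PINs and full magnetic-stripe track data) often ends up in debug logs or transaction dumps without the merchant noticing. As an added illustration, not part of the original article and not a Visa or PCI tool, the following Python script shows the kind of check a merchant or acquirer could run over application logs to find out whether a payment application is writing such data at rest. It matches the public ISO 7813 Track 1 and Track 2 layouts and labelled CVV fields in constructed sample lines, applies a Luhn check to cut false positives, and masks what it finds so the report itself does not become another copy of the sensitive data.

```python
import re

# Constructed sample log lines (not from any real system or vendor). The PAN
# 4111111111111111 is a well-known test number; name, expiry and service code
# fields are made up to match the Track 1 / Track 2 layouts.
SAMPLE_LOG = [
    "2007-04-02 10:15:01 POS txn ok auth=123456 last4=1111",
    "2007-04-02 10:15:02 DEBUG raw swipe: %B4111111111111111^DOE/JOHN^2512101000000000000?",
    "2007-04-02 10:15:02 DEBUG raw swipe: ;4111111111111111=2512101000000000000?",
    "2007-04-02 10:16:40 INFO order 88213 total=42.10 cvv2=123",
    "2007-04-02 10:17:00 INFO ticket 4111-1111-1111-1234 (not a card)",
]

# Track 1: start sentinel '%', format code 'B', PAN, '^', cardholder name, '^', YYMM expiry ...
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})")
# Track 2: start sentinel ';', PAN, '=', YYMM expiry ...
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})")
# Labelled card verification values written as key=value or key: value.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits; everything in between becomes '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line):
    """Return a list of (kind, masked_value) findings for one log line."""
    findings = []
    for m in TRACK1_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track1", mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track2", mask_pan(m.group(1))))
    for m in CVV_RE.finditer(line):
        # Never echo the verification value itself, only that one was stored.
        findings.append(("cvv", "***"))
    return findings


def scan_lines(lines):
    """Scan an iterable of log lines; return (line_number, kind, masked_value) tuples."""
    report = []
    for lineno, line in enumerate(lines, 1):
        for kind, value in scan_line(line):
            report.append((lineno, kind, value))
    return report


if __name__ == "__main__":
    for lineno, kind, value in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: prohibited {kind} data found ({value})")
```

Running it over the constructed sample flags the two raw-swipe debug lines and the stored CVV2, while the order reference on the last line is ignored because it carries no track sentinels. In practice the same scan would be pointed at log directories, database exports and temp files written by the payment application; anything it flags is data the application should not have retained under PCI rules.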
To address that and other security issues, Visa some time ago established a set of Payment Application Best Practices (PABP) for software vendors, Perez said. Distributing a list of products failing to meet PABP should push more vendors to adopt the best practices, he said.
"We anticipate that marketplace forces will encourage increasingly more vendors to go through the process of ensuring that their applications are compliant" with Visa's PABP standards, he said. "Many of these vendors view PABP as a competitive differentiator."
So far, Visa has certified 155 payment applications from 83 vendors as meeting PABP requirements.
Visa first published its list of noncompliant software in a member bulletin on Feb. 27 and later distributed the list in letters in early April. In the future, Visa plans to update the list of noncompliant products and distribute it periodically, Perez said.
The move shines a spotlight on a "big weak point" in the PCI program, said Avivah Litan, an analyst at Stamford, Conn.-based Gartner. "There are no standards for PCI-compliant software" that vendors must follow, Litan said. And while there are efforts to make Visa's PABP part of the broader set of PCI standards, compliance with it is still voluntary for vendors. However, breaches such as the one at TJX Companies earlier this year emphasize the growing need for software vendors "to be held to the same standards as the retailers are under PCI," Litan said.