VISA update
Targeting the Main Source of Cardholder Data Breaches

by Michael E. Smith

    The United States has moved into a period when electronic payments now exceed more traditional payment methods, such as personal checks. Improved technology, faster service at the point of sale, and convenience for merchants and consumers are all obvious benefits of electronic payments. However, with new types of technology being used to process these payments, new risks present themselves.
    One of those risks may be inherent in the payment application software that merchants use to facilitate the processing of card transactions. That’s because some payment applications may inadvertently store prohibited, sensitive cardholder information that merchants don’t need, such as magnetic-stripe (e.g., track data) and PIN data. In some situations, merchants may not understand that their payment applications are storing this highly sensitive information. But it is exactly this sort of data that fraudsters covet to perpetrate card payment fraud.
    Storing the full contents of magnetic-stripe, CVV2 security code or PIN block data is prohibited under the mandatory Payment Card Industry Data Security Standard (PCI DSS). In reaching out to merchants, processors and other entities entrusted with cardholder data, one of Visa’s key security education messages has been, “If you don’t need it, don’t store it.”
    Many merchants may not realize that their payment application is storing prohibited sensitive data, or know how to remediate this vulnerability, which today represents a chief cause of data breaches. Fortunately, there are steps that card-accepting businesses can take to protect against the risk of fraudsters compromising the cardholder data in their trust.
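One concrete step a merchant or its assessor can take is to scan the application's logs, database exports and temporary files for full magnetic-stripe data. The following is an added example, not Visa's or any vendor's code: it matches ISO 7813 Track 1 and Track 2 layouts, applies a Luhn check to the embedded PAN to reduce false positives, and reports only a masked PAN. The sample lines are constructed and use the industry's public test card numbers.

```python
import re

# Constructed sample of what a payment application might leave behind in a
# transaction log. The card numbers are public test PANs, not real accounts.
SAMPLE_LINES = [
    "2007-03-01 12:00:01 auth ok tid=1042 amount=23.10 last4=1111",
    "2007-03-01 12:00:02 raw=%B4111111111111111^DOE/JANE^0912101?",
    "2007-03-01 12:00:02 swipe=;5500000000000004=09121010000012345?",
    "2007-03-01 12:00:03 auth ok tid=1043 amount=9.99 last4=0004",
]

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track_data(lines):
    """Return (line number, track type, masked PAN) for each line holding
    full magnetic-stripe data. Only the first six and last four digits are
    reported so the finding itself does not reproduce prohibited data."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
                    hits.append((n, kind, masked))
    return hits


if __name__ == "__main__":
    for n, kind, masked in find_track_data(SAMPLE_LINES):
        print(f"line {n}: full {kind} data stored (PAN {masked})")
```

Any hit means the application is retaining data that PCI DSS prohibits, and the merchant should raise it with the vendor and acquirer rather than simply deleting the file.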
    To reinforce the long-standing prohibition against the storage of magnetic stripe data, which predates even the 2001 introduction of our Cardholder Information Security Program (“CISP”), we developed and introduced the Payment Application Best Practices (“PABP”) in 2005. This program assists software vendors in creating secure payment applications. The objective of PABP is to help protect cardholder information from being exposed to security breaches. As stated in the PABP, the retention of full magnetic-stripe data, CVV2 security codes and PIN blocks is prohibited — any such retention would prevent the merchant from achieving PCI DSS compliance. In addition to preventing the retention of prohibited data, the PABP requires payment applications to include security controls in support of a merchant or service provider’s ability to comply with the PCI DSS. The PABP validation process also ensures that payment applications are developed using secure coding procedures to guard against common attack methods.
    Proactive outreach efforts include working with hundreds of payment application vendors to ensure their applications adhere to the PABP, and are validated by an independent security assessor. Payment application vendors are being strongly encouraged to validate the conformance of their products to the PABP. In addition, vendors must also provide instructions to all of their product resellers and integrators on how to properly install PABP compliant software.
    Financial institutions, merchants, and service providers are also hearing from us about the list of validated payment applications, and how it can help avoid critical vulnerabilities.
    In just the time it takes to visit the PABP website at www.visa.com/cisp, merchants can find a list of PABP-validated payment applications. Just as important, they can determine whether the application they are currently using is missing from the list, which may mean they are potentially at greater risk of a data security breach. Merchants whose payment applications are not on this list should work with their acquirers and vendors to ensure validation is completed as soon as possible, or that their payment applications are otherwise PCI DSS compliant.
    Most important, by ensuring prohibited data is not being stored by their payment application, merchants are taking a major step toward compliance with the PCI DSS and preventing potentially costly data breaches that may undermine the confidence and good will of their customers.
    Visa expects all payment application vendors to adhere to the PABP. The recent communication efforts focus on helping payment application vendors better understand the value of PABP compliance and encouraging them to validate the conformance of their products to the PABP. The educational outreach is also an important step as Visa examines incorporating these best practices into its requirements.
    Security is a responsibility shared by all the participants in the payments system. By actively adhering to the Payment Application Best Practices, software vendors and merchants can best protect their shared customers against the common threat of data compromise. In this way, they can also help ensure the continued convenience, safety and reliability of each electronic payments transaction.