Thursday, September 2, 2010
On the heels of its launch of a best practices campaign for storing customer data, Visa Inc. is out with a new best practices effort centered on Payment Application (PA) Data Security Standard (DSS) compliance.
The two campaigns overlap in significant ways, given that the PA DSS is largely devoted to using terminals and software that either avoid the storage of sensitive data or provide adequate protections for such data where it is stored.
And, as with its data storage best practices campaign, for which Visa partnered with the National Retail Foundation, the credit card giant is conducting its newest effort with a high-profile partner. This time, Visa is teaming with the SANS Institute, an organization that provides virtual security training and education for private businesses and the United States government.
"The PA DSS provides guidance for developing secure software, while Visa's best practices for payment applications companies represents a natural companion, providing guidance on how to securely install that piece of software," said Eduardo Perez, Head of Global Payment System Security for Visa. "We saw from data compromise investigations that while an application may be secure and comply with the PA DSS, implementation and management missteps can create vulnerabilities."
Visa's PA DSS best practices effort also comes in the aftermath of the July 1, 2010, deadline for upgrading to the newest PA DSS provisions. Though the deadline has passed, industry experts say a number of merchants still have yet to upgrade their POS systems to be compliant. Those that haven't upgraded run the risk of liability for losses incurred in the event of a breach.
Among Visa's top 10 best practices for payment applications are the following: that merchants and their service providers "ensure that newly released payment application versions are PA-DSS compliant," and that they "conduct application vulnerability detection test and code reviews against common vulnerabilities and weaknesses prior to sale or distribution."
"I think, especially coming from an organization such as Visa, that it sends a really strong message from the top down," said Ted Svoronos, Vice President of Business Development and Strategic Partnerships for merchant solutions provider Group ISO Inc. "It says, 'yes, we are doing what we should be doing to help with IT data security.' When Visa gets involved with an organization such as SANS, which is a very well respected organization, it really shows a deep initiative."
For more on Visa's data security program, visit www.visa.com/cisp.