The Green Sheet Online Edition
May 29, 2007 • Issue 07:05:02
Visa identifies apps storing sensitive data
Visa U.S.A. wants merchants and service providers to stop using payment applications that store sensitive cardholder data, a practice that makes them targets for data breaches. To get the word out, the card Association published a list of those applications, as well as upgrades for preventing data retention.
In April, Visa identified applications from six vendors needing attention: ICVerify Inc., Menusoft Systems Corp., Micros Systems Inc., Posera Software, Radiant Systems Inc. and Southern DataComm Inc.
The products are considered risky because they store prohibited cardholder data - such as full magnetic stripe (tracks 1 and 2), CVV2 (card verification value) and PIN data - after a transaction authorization occurs.
Visa said unscrupulous hackers will seek out such systems and exploit vulnerabilities to access the data.
Noncompliant payment applications are "an unacceptable risk to ... the entire payment system," Visa stated. "When driving merchants toward payment applications, agents should ensure the application has been validated against Visa's PABP [Payment Application Best Practices]."
The PABP, released in 2005, is a set of requirements for developing secure products that support compliance with the Payment Card Industry Data Security Standard and do not store prohibited data.
Visa advised merchants and service providers using any of the applications listed to install a vendor-supplied patch or to upgrade to a Visa-approved application (a list is posted at www.visa.com/cisp).
The card Association also warned that merchants should wipe "from all systems immediately" any stored full track data.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.