Security Bytes

May 21 2007   12:41PM GMT

Visa pushes application security

Marcia Savage

Visa USA is making progress on its effort to improve payment application security. As of last month, 155 products across 80 vendors have been validated by qualified assessors as meeting Visa’s Payment Application Best Practices (PABP), said Hap Huynh, Visa USA information security specialist.

Speaking at the CardTech SecurTech 2007 conference in San Francisco last week, Huynh said many more applications are in the process of being reviewed for PABP and two major payment processors require that merchants use validated payment applications.

Visa published its PABP in 2005 to give vendors guidance in developing products that facilitate Payment Card Industry Data Security Standard (PCI DSS) compliance, he said. The focus was on eliminating storage of prohibited credit card information such as full track data, Card Verification Value 2 (CVV2) and PIN blocks by payment applications. Storage of such data was a common security vulnerability Visa identified in reviewing merchant breaches.

“There’s no reason for merchants to be storing this information after the transaction,” Huynh said.

Other common vulnerabilities were: unpatched systems, default settings and passwords, poorly coded Web-facing applications that led to SQL injection attacks, and unnecessary and vulnerable services on servers.

Visa notified its members of vulnerable applications, Huynh said. Validated applications are listed at
