Visa USA is making progress on its effort to improve payment application security. As of last month, 155 products across 80 vendors have been validated by qualified assessors as meeting Visa’s Payment Application Best Practices (PABP), said Hap Huynh, Visa USA information security specialist.
Speaking at the CardTech SecurTech 2007 conference in San Francisco last week, Huynh said many more applications are in the process of being reviewed for PABP and two major payment processors require that merchants use validated payment applications.
Visa published its PABP in 2005 to give vendors guidance on developing products that make it easier for merchants to comply with the Payment Card Industry Data Security Standard (PCI DSS), he said. The focus was on stopping payment applications from storing prohibited card data, such as full magnetic-stripe track data, Card Verification Value 2 (CVV2) and PIN blocks, after authorization. Storage of such data was one of the most common security weaknesses Visa identified when reviewing merchant breaches.
“There’s no reason for merchants to be storing this information after the transaction,” Huynh said.
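A practical way to check for the storage problem Huynh describes is to scan application logs, debug dumps and database exports for the data that must never persist: full track 1 or track 2 data, CVV2 values and PIN blocks. The scanner below is an added example written for this page, not a Visa tool or part of the PABP; the log lines are constructed, and the field labels it looks for (`cvv2=`, `pinblock=`) are assumptions about how a sloppy application might log them. It uses a Luhn check so that ordinary 13- to 19-digit numbers such as reference IDs are not reported as PANs.

```python
import re
from typing import List, Tuple

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
# Labelled CVV2/CVC2/CID and PIN block fields (assumed label names, not a standard)
CVV2_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*(\d{3,4})\b", re.I)
PINBLOCK_RE = re.compile(r"\bpin[_ ]?block\s*[=:]\s*([0-9A-Fa-f]{16})\b", re.I)
# Bare 13-19 digit runs; only reported if they pass the Luhn check
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual display format."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, masked value) for every prohibited item found in one line."""
    findings: List[Tuple[str, str]] = []
    covered = []  # spans already reported as track data; skip PANs inside them
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append((kind, mask_pan(m.group(1))))
            covered.append(m.span())
    for m in CVV2_RE.finditer(line):
        findings.append(("cvv2", "*" * len(m.group(1))))
    for m in PINBLOCK_RE.finditer(line):
        findings.append(("pinblock", "*" * len(m.group(1))))
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() and m.end() <= e for s, e in covered):
            continue
        if luhn_ok(m.group(1)):
            findings.append(("pan", mask_pan(m.group(1))))
    return findings


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Scan a whole log; return (line number, kind, masked value) triples."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, value in scan_line(line):
            results.append((lineno, kind, value))
    return results


# Constructed sample log: lines 1-4 contain data a PABP-validated
# application must not write; lines 5-6 are benign (a 14-digit
# reference number that fails Luhn, and an already-masked PAN).
SAMPLE_LOG = """\
2007-05-14 10:22:01 INFO  txn ok pan=4111111111111111 exp=2512 amount=19.99
2007-05-14 10:22:01 DEBUG raw swipe: %B4111111111111111^DOE/JOHN^2512101000000000000?;4111111111111111=2512101000000000000?
2007-05-14 10:22:05 DEBUG auth req cvv2=123 amount=19.99
2007-05-14 10:22:06 DEBUG pinblock=1A2B3C4D5E6F7A8B ksn=FFFF9876543210E00001
2007-05-14 10:23:10 INFO  batch settled 12 items, total 1432.11 ref=20070514102311
2007-05-14 10:23:11 INFO  approved auth=123456 pan=411111******1111
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {value}")
```

Run against real data, the scanner reports the finding with a masked PAN so the report itself does not become another copy of the prohibited data. Track data and PIN blocks found anywhere on disk after authorization are a PABP failure regardless of whether the application "meant" to keep them; debug logging is the usual culprit.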
Other common vulnerabilities Visa found in those breach reviews were: unpatched systems, default settings and passwords, poorly coded Web-facing applications that allowed SQL injection attacks, and unnecessary and vulnerable services on servers.
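The SQL injection item is the one of those four that is a coding defect rather than a configuration one, so it is worth showing what the "poorly coded" pattern looks like next to its fix. This is an added example written for this page, not code from Visa or from any PABP-validated product; it uses an in-memory SQLite table of constructed orders. The vulnerable lookup splices the order ID into the SQL text, so a tautology payload returns every row; the hardened lookup passes the same input as a bound parameter, where it is compared as a literal string and matches nothing.

```python
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: three orders in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id TEXT, customer TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [("1001", "alice", 19.99), ("1002", "bob", 42.00), ("1003", "carol", 7.50)],
    )
    return conn


def lookup_order_vulnerable(conn: sqlite3.Connection, order_id: str) -> List[Tuple]:
    """Deliberately vulnerable: untrusted input is formatted into the SQL text."""
    sql = "SELECT order_id, customer, amount FROM orders WHERE order_id = '%s'" % order_id
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn: sqlite3.Connection, order_id: str) -> List[Tuple]:
    """Hardened: the input is bound as a parameter, never parsed as SQL."""
    sql = "SELECT order_id, customer, amount FROM orders WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


# A classic tautology payload: closes the quoted literal and appends OR '1'='1'
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, normal input:", lookup_order_vulnerable(db, "1001"))
    print("vulnerable, payload:    ", lookup_order_vulnerable(db, PAYLOAD))
    print("safe, normal input:     ", lookup_order_safe(db, "1001"))
    print("safe, payload:          ", lookup_order_safe(db, PAYLOAD))
```

The same lookup against a table holding cardholder data is how a Web-facing storefront turns one bad query into a full dump, which is why this item sits alongside prohibited-data storage in Visa's list: the injection is the path in, the stored track data is the prize.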
Visa notified its members of vulnerable applications, Huynh said. Validated applications are listed at www.visa.com/cisp.