Friday, August 27, 2010

Visa Best Practices for Payment Applications

Visa has just come out with its latest in what I hope will be a continuing stream of Best Practices documents. This one is the Visa Top 10 Best Practices for Payment Application Companies. You can click here to download a PDF copy.

This document is not just for application developers. It also is for any school (or other organization) that buys software applications. As such, I really recommend you read it.

PA-DSS, like PCI DSS, is a baseline. It is the minimum you need to do to protect your application. PA-DSS addresses how the app is developed. It doesn't address things like training users and not storing cardholder data in the first place. This latter point is one I often find that users don't understand. The fact that an application is PA-DSS validated does NOT mean the application doesn't store cardholder data. It only means that if it does, it treats that data securely. Therefore, don't assume that because you are looking at a PA-DSS validated application you are automatically saved from the joys of SAQ D.

As Visa says on its website:

While many payment application vendors have deployed PA-DSS compliant payment applications, there is growing concern that updates to payment software are not being consistently developed to ensure that known vulnerabilities are not being reintroduced. In addition, there is concern that payment software is not being securely implemented at customer sites. Merchant and agent compromises reveal that a number of payment application companies have poor software practices when installing payment applications and systems, support customers using weak, shared or default access credentials, and manage customer sites using poorly implemented remote management tools. Criminals exploit these poorly guarded entities by gaining easy entry into cardholder environments.

To stay on top of these trends, Visa has developed a set of best practices to help payment application companies address critical software processes.

When you are looking at a payment application, by all means first go to the list of PA-DSS validated applications maintained by the PCI Council. Then, as you are assembling your RFP or looking at vendors, use the 10 Best Practices to guide your decision.

PA-DSS is a baseline, and it is a good one. Visa has gone one step beyond this in recommending its 10 Best Practices to software vendors (and resellers and OEMs). You should use these same Best Practices in your evaluations, too.
