Payment Applications

Visa developed the Payment Application Best Practices (PABP) in 2005 to provide software vendors guidance in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and support overall compliance with the PCI Data Security Standard (PCI DSS). Since 2005, 254 vendors independently validated 555 products against the PABP through a Qualified Security Assessor (QSA) trained in the PABP. In 2008, the PCI Security Standards Council (PCI SSC) adopted Visa's PABP and released the standard as the Payment Application Data Security Standard (PA-DSS). The PA-DSS now replaces PABP for the purpose of Visa's compliance program.

Lists of Validated Payment Applications

The PCI SSC is currently transitioning all 555 products previously validated under the PABP over to a consolidated list located at the PCI SSC website, comprised of the validated PABP applications and newly validated PA-DSS applications. During this migration, both Visa's list and the PCI SSC's list will be available to ensure a smooth transition. All new payment application assessments should undergo PA-DSS validation by a Payment Application Qualified Security Assessor (PA-QSA) and listing with the PCI SSC.

PCI SSC List of PA-DSS Validated Payment Applications
Visa List of PABP Validated Payment Applications

Payment Application Data Security Standard

Visa strongly encourages payment application vendors to develop and validate the conformance of their products to the PA-DSS. PA-DSS compliant applications help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data, and support overall compliance with the PCI DSS. PA-DSS applies only to third-party payment application software that stores, processes or transmits cardholder data as part of an authorization or settlement. PA-DSS does not apply to software applications developed by merchants and agents for in-house use only. These in-house software applications are covered within a merchant or agent's PCI DSS assessment.

The PCI SSC is responsible for maintaining and updating the PA-DSS and all related documentation, Payment Application Qualified Security Assessor (PA-QSA) qualification and training, Reports of Validation (ROV) submissions and quality assurance as well as the listing of PA-DSS validated payment applications.

For more information on the PA-DSS, including validation requirements and a list of PA-DSS validated applications please visit the PCI SSC website at www.pcisecuritystandards.org.

Payment Application Security Mandates

On January 1, 2008, Visa implemented a series of mandates to eliminate the use of vulnerable payment applications from the Visa payment system. These mandates require acquirers to ensure that their merchants and agents do not use payment applications known to retain sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and require the use of payment applications that are compliant to the PA-DSS.

While the use of PA-DSS validated payment applications is recommended, a payment application need not be included on Visa's list of PABP validated payment applications or PCI SSC's list of PA-DSS validated payment applications in order to comply with Phase 2, Phase 3 and Phase 5 requirements for use of PA-DSS compliant applications. Acquirers may determine the PA-DSS compliancy of a payment application through alternate validation processes, which should confirm that payment applications meet PA-DSS requirements and should facilitate compliance with the PCI DSS.

Outlined below are each of the five mandates, which will take effect over the next three years.

Phase Compliance Mandate Effective Date
1 Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications 1/1/08
2 VNPs and agents must only certify new payment applications to their platforms that are PA-DSS-compliant 7/1/08
3 Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications* 10/1/08
4 VNPs and agents must decertify all vulnerable payment applications** 10/1/09
5 Acquirers must ensure their merchants, VNPs and agents use only PA-DSS compliant applications 7/1/10

* In-house use only developed applications & stand-alone POS hardware terminals are not applicable

** VisaNet Processors (VNPs) and agents must decertify vulnerable payment applications within 12 months of identification

Best Practices for Payment Application Companies

While many payment application vendors have deployed PA-DSS compliant payment applications, there is growing concern that updates to payment software are not being consistently developed to ensure that known vulnerabilities are not being reintroduced. In addition, there is concern that payment software is not being securely implemented at customer sites. Merchant and agent compromises reveal that a number of payment application companies have poor software practices when installing payment applications and systems, support customers using weak, shared or default access credentials, and manage customer sites using poorly implemented remote management tools. Criminals exploit these poorly guarded entities by gaining easy entry into cardholder environments.

To stay on top of these trends, Visa has developed a set of best practices to help payment application companies address critical software processes. As part of their due diligence, acquirers, merchants and agents should ensure that the payment application companies they use have passed a rigor of mature software processes including the Visa Top Ten Best Practices for Payment Application Companies, Version 1.0 .

To raise awareness of these best practices, Visa is working with the SANS Institute to offer security training courses to payment application companies that are tailored to address Visa's best practices. SANS is one of the most trusted sources for security training, with courses that are developed by industry leaders in numerous fields including network security, forensics, audit, security leadership and application security. For more information on these courses please visit www.sans.org/visatop10.

Notify Visa of Vulnerable Payment Applications

Visa has identified that certain payment applications are designed by software vendors to store sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) subsequent to transaction authorization. Storage of these cardholder data elements is in direct violation of the PCI DSS and Visa rules. Criminals are targeting merchants and agents that use these vulnerable payment applications and are exploiting these security vulnerabilities to find and steal cardholder data.

On a quarterly basis, Visa proactively alerts key stakeholders, including acquirers to help mitigate compromises with an updated list of vulnerable payment applications. If you discover a vulnerable payment application and have specific information as to the payment application vendor, application version, where sensitive cardholder data is stored and vendor contact information, please notify Visa via email at cisp@visa.com. All information provided will be verified through the software vendor, Visa will not reveal to any software vendor the source of information or disclose information that would reveal the source's identity.

For more information

To learn more about Visa's compliance programs, contact Visa via email at AskVisaUSA@Visa.com.