While many payment application vendors have deployed PA–DSS compliant payment applications, there is growing concern that updates to payment software are not being consistently developed to ensure that known vulnerabilities are not being reintroduced. In addition, there is concern that payment software is not being securely implemented at customer sites.
Merchant and agent compromises reveal that a number of payment application companies have poor software practices when installing payment applications and systems, support customers using weak, shared or default access credentials, and manage customer sites using poorly implemented remote management tools. Criminals can exploit these vulnerable entries and gain access to cardholder environments.
Visa has developed a set of best practices to help payment application companies address critical software processes. As part of their due diligence, acquirers, merchants and agents should ensure that the payment application companies they use have passed the rigor of mature software processes.
Visa Top Ten Best Practices for Payment Application Companies