Visa lays down the law of PCI compliance

The card company makes the 10 commandments of card security compliance.


Visa has released 10 commandments for vendors to follow to ensure their security best practices exceed basic compliance, ahead of new security requirements set to be applied in the next few weeks.

The Payment Card Industry Security Standards Council (PCI-SSC) outlined proposed changes to payment card industry regulations two weeks ago. Visa has teamed up with the SANS Institute to develop a list of pointers for acquirers, merchants and agents.

The tips promote stronger security processes that reach beyond the Payment Application Data Security Standard (PA-DSS) specified for software compliance and form a set of standards organisations should insist their payment application vendors, integrators and resellers adopt.

The SANS Institute is also partnering with Visa to provide further guidance on how to securely implement point-of-sale solutions through a series of training courses.

The PA-DSS regulations are updated at least every two years to respond to changing methods attackers use to access payment card details. Visa said the latest changes respond to inadvertent errors arising from payment application companies leaving systems and software improperly configured. It was found that many compromised merchants operated with those deficiencies for months, or even years, at a time, Visa explained.

The PCI DSS regulations were created in 2004 by Visa, MasterCard, Discover Card, JCB, and American Express to safeguard cardholder information and protect against theft and fraud. The regulations have to be met or exceeded by any company processing credit card details, with the level of required compliance varying according to the number of transactions handled each year.

Any company that fails to implement the standards effectively is liable to pay hefty fines to the PCI-SSC and, in serious cases, can lose the right to process credit card transactions for the council members.

Visa's top 10

1. Perform background checks on new employees and contractors prior to hire.

2. Maintain an internal and external software security training and certification curriculum.

3. Follow a common software development lifecycle across payment applications.

4. Ensure newly released payment application versions are PA-DSS compliant.

5. Conduct application vulnerability detection tests and code reviews against common vulnerabilities and weaknesses prior to sale or distribution.

6. Actively identify payment application versions that store sensitive authentication data and/or retain critical security vulnerabilities, and notify all affected customers.

7. Maintain customer service level agreements stating that only PA-DSS compliant payment application versions will be sold and supported.

8. Implement an installer, integrator and reseller training and certification programme that enforces adequate data security processes when supporting customers.

9. Adhere to industry guidelines for data field encryption and tokenisation across payment applications that use these technologies.

10. Support capability of dynamic data solutions across payment applications.
