Visa Raises The Bar For PA-DSS Applications And Vendors

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Do you want to know if the people who wrote your payment application have criminal records or whether your reseller actually knows this? What about implementing tokenization without paying for an expensive upgrade? Do retailers want to know that, too? Visa thinks so, and the company spelled it all out in its recently issued Top 10 Best Practices for Payment Application Companies.

This document should be required reading for retailers. Although it is aimed at software developers, resellers and system integrators, the document has just as much relevance for any merchant who uses a third-party payment application (which is just about all of them). What I hear Visa telling retailers is: "You should expect more than just a PA-DSS validation." And the result is, everybody benefits, including smart vendors and resellers (who now have a basis to differentiate themselves) and their merchant customers.

The PCI Council's Payment Application Data Security Standard (PA-DSS, and don't ask me why it is hyphenated and PCI DSS is not) is a minimum standard. It is the Mendoza Line of application security in that it is designed only to "facilitate and support" PCI compliance. To be truly secure, you need to go beyond the requirements.

For example, using a PA-DSS validated application by itself does not make you PCI compliant. Rather, you still need to implement the application according to the vendor's implementation guide (which is sometimes an issue when resellers are involved), and you have to implement it in a PCI-compliant environment. Remember, too, that PA-DSS does not address the application's functionality. A particular application may or may not meet your needs; all PA-DSS says is that it is compliant when properly implemented.

Here are some of the more important Best Practices Visa recommends for software application vendors, system integrators and resellers, and why they matter to every merchant, too.

  • Perform background checks on new employees. Wouldn't you like to know that the programmer who built your POS system at least didn't come from a criminal gang? The idea is to reduce the likelihood of your getting bonuses like a backdoor or malware with your payment application or suffering a data breach because customer support did more than just upgrade your system when they accessed it for maintenance. Because PCI Requirement 12.7 requires merchants to conduct background checks for their new employees, it seems only reasonable to ask the same of their application vendors.
  • Train programmers in secure coding techniques. Programmers learn to program quickly and efficiently but not necessarily securely. Smart application developers already train their staff in secure coding techniques and/or send them to training (e.g., OWASP's AppSec USA) so they won't accidentally introduce vulnerabilities into their code.
  • Implement a training program for installers, system integrators and resellers. This Best Practice means having a formal training program, not just sending E-mail advisories. The goal is to make sure merchants get what they pay for. That is, implementation, maintenance and support staff are expected to enforce all data security requirements (including the customer's PCI DSS compliance) when they work on a customer installation. For example, I've heard of one vendor that hosts an annual meeting for all its resellers, complete with detailed training and some golf. Visa further suggests an interesting enforcement mechanism whereby vendors monitor their installers, integrators and resellers, dismissing them if they fail to comply or if through their negligence they cause a data breach at a customer's site.
  • Support tokenization or point-to-point encryption. In particular, Visa is recommending vendors adopt Visa's previously issued Best Practices documents dealing with data field encryption, tokenization and truncating PANs.

Visa makes no claim that these are the only Best Practices vendors should follow or that they cover everything. Therefore, I would like to suggest adding a couple more items to the list.

I would like to see vendors state explicitly whether their POS application stores cardholder data, even if only briefly (e.g., during authorization). Too many merchants mistakenly believe that because the payment application is PA-DSS validated, it does not store electronic cardholder data. Some smaller merchants are under the mistaken impression that using a PA-DSS application will automatically qualify them to use a simplified Self-Assessment Questionnaire (SAQ). Unfortunately, PA-DSS validation only means the application is compliant, not that the application does not store cardholder data.

Another Best Practice I would like to see on the list is to provide training for customers, too. That is, I agree that all vendors should provide secure implementation and use training for installers and resellers, but how about encouraging those vendors to provide that knowledge to the customers, as well? (Note: The golf can be optional.)

Visa didn't develop its Top 10 Best Practices out of altruism. As the company states in the document, "Recent payment card data compromises have demonstrated the critical need for payment application companies to maintain mature software processes for their customers that go beyond PA-DSS compliant software."

Smart vendors know this, and they already go beyond PA-DSS. They implement internal practices to maintain their own security and support their customers during implementation and afterward. My guess is that with this document, Visa is trying to make good software vendors, integrators and resellers better, while raising the bar for those that may need a little, let us say, encouragement.

Every retailer evaluating or considering a POS software application should read this document carefully and apply it to their procurement decision process. On a related note, I would like to see every processor and acquirer have their account reps send it to each of their merchants. Because acquirers and processors are ultimately responsible for their merchants' PCI compliance, anything that will help merchants, especially small and midsize businesses, be secure benefits everyone.

Some good news for application vendors is that Visa is working with the SANS Institute to develop a series of training courses targeted at helping vendors meet its Best Practices. I'm sure the courses will cost something, but at least vendors are not being left on their own to implement Visa's suggestions.

What do you think? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].