Visa have published a set of 10 best practices for application vendors, integrators and resellers that implement, install or manage payment-related systems on behalf of merchants. The best practices are set to compliment the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS). The PA-DSS was originally developed by Visa before being embraced by the industry as the PA-DSS.

"The PA-DSS provides guidance for developing secure software, while Visa's Best Practices for Payment Application Companies represents a natural companion, providing guidance on how to securely install that piece of software," said Eduardo Perez, Head of Global Payment System Security, Visa Inc.

The 10 best practices are as follows:

• Perform background checks on new employees and contractors prior to hire.
• Maintain an internal and external software security training and certification curriculum.
• Adhere to a common software development life cycle across payment applications.
• Ensure that newly released payment application versions are Payment Application Data Security Standard (PA-DSS) compliant.
• Conduct application vulnerability detection tests and code reviews against common vulnerabilities and weaknesses prior to sale or distribution.
• Actively identify payment application versions that store sensitive authentication data and/or retain critical security vulnerabilities, and notify all affected customers.
• Maintain customer service level agreements stating that only PA-DSS compliant payment application versions will be sold and supported.
• Implement an installer, integrator and reseller training and certification program that enforces adequate data security processes when supporting customers.
• Adhere to industry guidelines for data field encryption and tokenization and PAN elimination across payment applications that use these technologies.
• Support capability of dynamic data solutions across payment applications

You can find more information over on the on Visa website.

Dave

--

If you liked this article then you can:

• Subscribe to our Blog RSS feed
• Become a fan of webpayments.ie on Facebook
• Follow us on Twitter

Related Blog Posts:

• iPay API from WorldNet
• Carapay awarded Payment Institution License
• Changes to the MBNA login process

PCI DSS is a security standard that applies to anyone who stores, processes or transmits cardholder data. This includes Payment Service Providers and merchants. I know most of the readers of this blog fall into the latter category. Merchants can approach PCI DSS in a number of different ways such as using in-house expertise, outsourcing PCI Compliance to an external party (more of a checkbox approach in my opinion) or using a PCS DSS solution from a third party.

If you are a small merchant you may not be able to afford any of these options but you still need to be compliant. In that case the best option is to limit the risk and thus reduce the scope for PCI DSS. To begin with you should not store cardholder information under any circumstances. If the storage of cardholder information is a requirement for your business then we recommend you find a Payment Service Provider who can do this for you. The RealEFT service from Realex Payments and the SecureCard service from WorldNet TPS are two services that are designed specifically to meet this requirement.
 
If you want to reduce your risk even further then you can use a hosted payments page integration option so you ensure that cardholder information never comes in contact with your website or server. The customer will enter their card details on the secure hosted payment page provided by your payment service provider. With this option the sensitive cardholder information does not come in contact with your website or server. For more information on PCI DSS you can read our PCI DSS Guide, look at the PCI Councils website or ask a question on our PCI DSS forum.

Dave

--

If you liked this article then you can:

• Subscribe to our Blog RSS feed
• Become a fan of webpayments.ie on Facebook
• Follow us on Twitter

Related Blog Posts:

• PCI Compliance is not a big deal?
• Who cares about PCI DSS?

Related Articles:

• PCI Compliance Resources
• PCI DSS Forum
• PCI DSS Guide