Visa has been phenomenal at providing clarification, tools, and guidance for securing sensitive cardholder data (CHD) and the payment networks. On 8/24/2010 Visa released the best practices document “Visa Top 10 Best Practices for Payment Application Companies, Version 1.0”. The PDF is available here and is a concise 5 pages. While it is directed towards application providers, it describes interesting and applicable practices that all operators should consider.
The Best Practices span several domains that go beyond simple software coding checks, including:
- Organizational Security (Background Checks, Training, Certifications)
- Mature Software Development (SDLC, upgrade cycles in line with PA-DSS)
- Product Vulnerability Management (Application penetration tests and code reviews against common vulnerabilities and weaknesses)
- Secure Implementation (Contractual PA-DSS requirements, Enforcement of secure installations)
- Emerging Payment Technologies (Adhere to field encryption, token, and PAN elimination, support future dynamic solutions)
The press release provides a nice breakdown of the document from Visa, and can be found here. In addition, SANS has launched a training series that aligns with the training aspects highlighted in this Best Practice (note this is a Best Practice, not a mandate). Finally, two sections that all operators should consider carefully are sections 8 and 10.
Section 8 states, “Implement an installer, integrator and reseller training and certification program that enforces adequate data security processes when supporting customers” – loosely meaning that these technologies should deploy out-of-the-box secure and compliant. This places the onus on the provider of the technology to address the challenges of security, and appears to set an expectation on the user of such technology as well.
Section 10 highlights the need to “Support capability of dynamic data solutions across payment applications”, and suggests that the way the payment transaction environment exists today will fundamentally change in the future. Not a drastic interpretation given the velocity of change in this market, but again the imperative is for these providers to be flexible.
A nice set of practices for a specific challenge. Thoughts? Concerns?