Visa Takes Aim at Data Compromises

Andrew Miller • August 4, 2006

Visa is mounting a full-scale blitz to encourage merchants to use payment software that doesn't compromise consumer passwords. The card company has asked merchants to ensure that the software they use to process card transactions doesn't store the full contents of "track data", which contains passwords and other sensitive information.

Last year, a breach at CardSystems, a processor of card transactions, led to the exposure of 40 million payment records, setting off a firestorm that's led to a crackdown on data security vulnerabilities by regulators and lawmakers.

Visa's Cardholder Information Security Program prohibits the storing of full track data by merchants. Account numbers, expiration dates, and names are the only elements of track data that may be retained once a transaction has been authorized. In addition, Visa requires compliance with the Payment Card Industry Data Security Standard (PCI DSS) by all merchants and any entity that stores, transmits or processes cardholder data.

Visa classifies merchants into one of four levels by transaction volume; validation requirements with PCI are determined by the merchant's category. For example, Level One merchants (those with the highest number of transactions or who've been compromised) must conduct annual onsite audits and quarterly network scans. Level Two merchants are required to conduct annual self-assessments and quarterly network scans; Visa has expanded the Level Two category to include a greater number of merchants.

Visa has a set of Payment Application Best Practices (PABP), which assists software vendors in creating secure payment applications, thereby helping to protect their customers from being exposed to a security breach. Visa publishes a list of PABP-compliant vendors at http://www.visa.com/cisp and encourages software vendors to follow the practices. It's considering making PABP compliance mandatory for all software vendors.

Visa recommends that merchants choose payment software from its list of PABP-compliant vendors. "The best thing merchants can do to ensure they're not storing track data is to use payment software that's compliant with PABP," says Martin Elliott, VP of emerging risk at Visa USA. As part of its campaign, Visa has alerted small to midsize restaurants of a security vulnerability die to improperly installed credit card transaction systems, known as point of sale or POS systems. Visa says that misconfigured POS systems can contribute to the compromise of cardholder account information and other sensitive data. Because POS systems are often installed by third-party software resellers, they may be vulnerable to compromise upon installation. Visa urges retail establishments to ask POS vendors whether their systems store track data, and if so, to disable that feature.

Visa is also asking merchants to encrypt online PIN-based transactions processed within POS systems. Effective July, 2010, all PIN-based transactions must encrypt PINs using the Triple Data Encryption Standard. To prevent PIN skimming at vulnerable POS locations, Visa has implemented a POS device evaluation program to ensure that all merchants use fully-compliant devices that support triple DES. Effective July, 2010, all POS devices must be triple DES-capable and Visa-approved.

Eleven Ways To Minimize PIN Data Theft

1. Build a well-aimed defense against PIN data theft and compromise by fully adhering to applicable PCI PIN Security.

2. Talk to employees about the potential for PIN compromise when POS devices are missing or when there are any noticeable signs of device tampering. Inspect POS device inventories regularly.

3. Make sure you use only authorized personnel to service deployed terminals. Properly manage inventories and physically secure PIN encryption devices at all locations so they cannot be easily removed, modified, or replaced.

4. Immediately contact your merchant bank and law enforcement if you suspect tampering of any PIN devices.

5. Confirm the security of your payment applications using Payment Application Best Practices (PABP), which can be downloaded from the CISP web site at http://www.visa.com/cisp

6. This site also lists all software vendors whose payment applications have been validated by a Visa-approved security assessor.

7. The full contents of track data, which is read from the magnetic stripe, must not be retained on any system once a transaction has been authorized. If held in a CISP-compliant manner, the account number, expiration date, and name are the only elements of track data that may be retained. Do a thorough review of all payment applications to ensure non-storage of magnetic-stripe data, then confirm the review findings with your service providers.

8. When asking a cardholder for CVV2 as part of an Internet or telephone order, do not document this information on any kind of paper order form or store it on any database after transaction authorization.

9. PIN block data must never be retainedâ€”even if it is encryptedâ€”after transaction authorization. Examine all transaction journals and logs to verify that PIN blocks are not present.

10. Visa offers educational workshops for personnel involved in any aspect of secret encryption-key management or PIN security compliance. Ask your merchant bank for a Visa workshop schedule and registration details.

11. Many merchants use third-parties for the generation, storage, distribution and loading of keys for POS PIN devices. Because these are classified as agents, they must be registered with Visa by your merchant bank before you can use their services.