Visa adds to its list of apps that improperly hold card data

Update puts three more vendors on the list, according to a copy posted on the Web

Visa this week privately issued an updated list of payment applications that store all of the magnetic-stripe data taken from credit and debit cards, as part of its ongoing effort to get retailers and other merchants to stop using such software.

Visa began distributing the list last April and has updated it every three months since then. The company doesn't make the list openly available and hasn't publicly identified any of the vendors whose products are on it. Instead, Visa sends the list to so-called acquiring banks, the financial institutions that authorize merchants to accept payment-card transactions.

A Visa spokesman said today that the company has tried to keep the list under wraps because of concerns that making it public would give hackers "a tip sheet" for identifying retail systems that store sensitive data about cardholders. He noted that Visa expressly asks the recipients of the list, which also include payment processors and software vendors, not to publish it or make it available on publicly accessible Web sites.

Despite that admonition, a copy of a Visa bulletin containing the latest list was posted this week on a payment security Web site operated by software vendor VeriFone. According to the document, applications from three more vendors have been added to the list, which now includes more than 50 products from a total of 22 companies. Among the vendors with products on the list are IBM, NCR and -- ironically enough -- VeriFone itself.

Visa said in the bulletin that the applications on the list are known to store each piece of data that can be captured from the magnetic stripes on the back of credit and debit cards. That violates the security rules set out in Visa's operating regulations and the Payment Card Industry Data Security Standard, which is better known by the acronym PCI.

The security rules also ban the storage of personal identification numbers, encrypted PIN blocks and the three-digit card verification numbers that are found on the back of cards. In its bulletin, Visa called on acquiring banks to "ensure that their merchants and agents do not use payment applications known to retain these data elements." It also said that the banks should "take corrective action to address any identified deficiencies, as these applications are at risk of being compromised."

According to Visa's list, almost all of the flagged applications have either been replaced by newer versions that don't retain magnetic-stripe data or patched so that they no longer store the information. The company noted that the names and primary account numbers of cardholders can be retained in systems, as can expiration dates and service codes. But, it said, that information "should be stored only if needed to perform business functions" and must be secured in accordance with the PCI rules.

In addition to the list of problematic applications, Visa maintains a publicly accessible list of products that comply with the security requirements. That list, which is considerably longer than the list of products that don't, was last updated on January 15.

The continued storage of magnetic-stripe data, PINs and card verification values by merchants is what has made payment systems such an attractive target for malicious hackers, according to analysts. But the fact that some payment applications store the prohibited data by default -- sometimes without the knowledge of the companies using them -- has made it hard for many retailers to comply with the PCI requirements.

Partly in response to that problem, Visa in October launched a separate Payment Application Security Mandate program, under which it gave companies three years to ensure that all of their third-party payment applications were compliant with a set of 14 security controls. The mandates were seen by some as Visa's way of forcing application vendors to make their software compliant with the PCI rules or risk losing their customers.

The program sets a series of deadlines that merchants need to meet over the next three years. The first deadline took effect on Jan. 1; starting from that date, companies installing new payment applications need to make sure that they are Visa-validated products. And beginning July 1, all VisaNet payment processors and processing agents will have to ensure that new applications they implement are fully compliant with Visa's mandates.


Jaikumar Vijayan

Computerworld