About this blog

My name is Bryan Johnson and I am the founder and CEO of Braintree. I maintain this blog because payment processing is one of the most difficult components for businesses to manage. It is complex and can pose some significant security, strategic and technical challenges. I try to educate, inform, share my insights and answer questions to help users make better decisions. I've been in the industry for a while now, getting my start in the trenches selling door to door. If you need a resource I am happy to chat.

Creative Commons License
This work is licensed under a Creative Commons License.


Visa mandates that merchants eliminate the use of vulnerable payment applications

Posted on 24 October, 2007 under Credit Card Processing, PCI DSS Compliance, Visa and MasterCard by Bryan Johnson

Visa made a pretty significant announcement today aimed at eliminating vulnerable payment applications from the Visa payment system. The objective is to prevent certain prohibited cardholder data from being stored and, in turn, to reduce the number of breaches.

If you’re new to this topic, here is some context on what Visa is trying to address. Over the past few years, certain payment applications (primarily point-of-sale systems) used by retailers and restaurants have been a gold mine for criminals stealing credit card data. These systems have been targeted because they were known to be storing prohibited credit card information - the exact data that criminals need to make fraudulent purchases and manufacture duplicate cards. Merchants are usually not aware that their systems are storing such data, but they’re still held responsible if breached. Credit card information that cannot be stored includes magnetic stripe data, CVV (three digit codes), PINs, or encrypted PIN blocks.

To address this security vulnerability, which Visa has cited as the leading cause of breaches among small merchants, Visa announced that beginning January 1, 2008, the first of five mandates will take effect to start the process of eliminating non-secure payment applications from processing with Visa. In other words, Visa is telling merchants that they will be unable to process Visa credit or debit cards if their POS system does not meet the required security standards and is still storing prohibited data. You can also check the second pdf posted below to see whether your current POS version is compliant.

Visa mandates for payment applications

Read the entire press release here (see second pdf below for Visa’s updated list of vulnerable POS applications).

Here is a list of POS systems with information about their compliance status and any newly released software updates:

This effort by Visa is targeted at addressing data security for ’swiped’ merchants such as restaurants and retailers, which account for the larger portion of the ~3 trillion credit/debit card processing industry. The ‘card not present’ portion of the industry, which includes merchants such as ecommerce, business-to-business, and mail/telephone order, will either choose to do the necessary upgrades internally to meet PCI requirements or outsource the storage of credit card data.
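As an added illustration (example code written for this page, not Braintree’s own or Visa’s), here is a small Python routine that parses a magnetic stripe Track 2 string (assumed ISO 7813 layout), keeps only the truncated PAN and expiry after authorization, and scans stored text for the prohibited elements listed above. The PAN and log lines are constructed test values, and the CVV field names it looks for are assumptions.

```python
import re

# Constructed sample Track 2 (ISO 7813 layout: ;PAN=YYMMSSSdiscretionary?)
# using a well-known test PAN, not a real card.
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890123?"

TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

def parse_track2(track):
    """Split raw Track 2 into its fields. Only PAN and expiry are needed to
    build the authorization request; the service code and discretionary
    data (which carries the card verification value) must never be kept."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a Track 2 string")
    return m.groupdict()

def mask_pan(pan):
    """Truncated form a receipt or POS screen may retain (last four only)."""
    return "xxxx-xxxx-xxxx-" + pan[-4:]

def post_auth_record(track):
    """The only record a POS should persist after authorization: a masked PAN
    and the expiry. The full PAN is sent to the processor and then discarded."""
    f = parse_track2(track)
    return {"pan_masked": mask_pan(f["pan"]), "expiry_yymm": f["exp"]}

# Patterns for data that may not be stored after authorization. The CVV field
# names are assumed; adjust them to the POS application's own log format.
PROHIBITED = [
    ("full track 2", re.compile(r";\d{13,19}=\d{4}\d*\?")),
    ("full track 1", re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}")),
    ("cvv field", re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b")),
]

def find_prohibited(text):
    """Names of prohibited elements found in a stored string (log line, DB row)."""
    return [name for name, rx in PROHIBITED if rx.search(text)]

# Constructed POS log lines: the first leaks track data, the second is acceptable.
SAMPLE_LOG = [
    "2007-10-24 12:01 auth ok track=" + SAMPLE_TRACK2,
    "2007-10-24 12:02 auth ok pan=xxxx-xxxx-xxxx-1111 exp=2512",
]

def audit_log(lines):
    """Return (line number, findings) for every line holding prohibited data."""
    return [(i, f) for i, l in enumerate(lines, 1) if (f := find_prohibited(l))]
```

Running `audit_log(SAMPLE_LOG)` flags line 1 for full track 2 and passes line 2, which holds only the masked PAN and expiry.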

Other related posts:
PCI DSS Compliance basics for credit card security
PCI DSS Compliance and the cost of a credit card breach

Braintree solutions:
The Smart Approach to PCI DSS Compliance

14 Comments so far

# Posted by Walt Conway on 26 October, 2007:

Bryan, Thanks for this. I’ve posted to our Higher Education PCI Blog (www.treasuryinstitute.org/blog).

# Posted by The Smartest Man in the World on 31 October, 2007:

Great post. Thank you so much for this! I’m glad they are finally dealing with this.

# Posted by RTM on 31 October, 2007:

Get Gamestop and Electronics Boutique (EB) to stop entering my VISA number into their system by hand every time I make a purchase there! THAT would be making the card more secure!

# Posted by datacrush on 31 October, 2007:

“Credit card information that cannot be stored includes magnetic stripe data, CVV (three digit codes), PIN’s, or encrypted PIN blocks.”

I figured the least they would need to store from the mag-stripe is the Track 2 data which includes card number and expiry date, possibly for settlement purposes. Anything more than that would be freaky.

# Posted by Justin on 31 October, 2007:

This has been dealt with… These regulations have been in place for some time now. The only difference is that the blame/liability is being shifted from the Point of Sale re-seller (guy who installs the system) to the merchant if unprotected card information is acquired.

The problem is that many of the cash registers can be extremely expensive and if these are not compliant, the merchant has to purchase a new system. If this includes integrated credit card processing, which the good ones do, then this will run well into the thousands. Many merchants aren’t willing to make the leap and subsequently ignore the warnings. Credit card numbers have to be stored in full because the credit card processor can’t be sent truncated information (xxxx-xxxx-xxxx-1234). The P.O.S. has to be up to date so the full card numbers can’t be accessed via the terminal.

# Posted by Dan on 31 October, 2007:

It doesn’t matter what the merchants want to do or how much it costs. If someone isn’t meeting your security requirements they shouldn’t be able to use your services. I imagine Mastercard and Amex have the same security requirements.

I always carry minimal cash and pay for everything with Visa; if a restaurant doesn’t accept Visa I go elsewhere. It’s for that reason Visa wields an incredible amount of power in the merchant space.

# Posted by Steve on 31 October, 2007:

Dan -
Just came back from a PCI conference.
I was told the number one business that is most susceptible to having credit card information compromised is restaurants.

# Posted by Jaz on 31 October, 2007:

As someone who is involved in the development of POS applications I simply can’t see how this is going to work. When we deal with credit cards we populate an object from the track data; this is in volatile memory and is never written to nonvolatile storage. However, throw in that some stupid US court ruled that having transient data in memory is ‘stored’ (bittorrent ruling, MGM vs TorrentFreak I believe) and every POS vendor who has integrated EFT systems is in breach of Visa’s code.

In addition, for a merchant with a few lanes, the cost is prohibitive to change operating systems. POS systems are usually a niche market; you develop for one or two types of business, thus the software is expensive due to the limited market. I might ask a few of our clients if, in their opinion, it would be worth the $70000+ to them to change over systems at the risk of alienating a few Visa customers.

# Posted by Munz on 1 November, 2007:

Being an IT executive in the restaurant management industry, I have to say that the PCI standards were not designed with the Mom and Pop Retail shops or Restaurants in mind. Many of the rules are so technical that the layperson will not understand what they are supposed to do. Should they look for someone to help them? Of course. Will they? Probably not. For that reason, I feel that VISA’s latest move is the right one. They are realizing that the only companies who will have custom built systems will be the big boys. That’s fine, let them deal with the complexities of compliance. All of the small to mid-sized businesses will generally have shrink-wrapped applications and rely on their “computer guy” to help them out. It is those shrink wrapped apps that need to be addressed. For credit card security to be achievable at the small-to-midsize business level, there has to be clear cut, bulletproof rules that POS and credit card interface developers are required to follow and get VISA’s stamp of approval on. One that includes the whole of PCI, not just the encryption and login IDs piece. That is going to be the only way that Joe’s Pizza Shop will ever be PCI Compliant.

# Posted by Halo on 22 November, 2007:

Thanks for the informative post! The Visa documents you attached are very interesting.
