Visa made a pretty significant announcement today that is aimed at eliminating vulnerable payment applications from the Visa payment system.
The objective is to stop payment applications from storing prohibited cardholder data and, in turn, reduce the number of breaches. If you're new to this topic, here is some context on what Visa is trying to address.
Over the past few years, certain payment applications (primarily point-of-sale systems) used by retailers and restaurants have been a gold mine for criminals stealing credit card data. These systems have been targeted because they were known to store prohibited credit card information: the exact data criminals need to make fraudulent purchases and manufacture counterfeit cards. Merchants are usually not aware that their systems are storing such data, but they are still held responsible if breached. Card data that may never be stored after authorization includes full magnetic stripe (track) data, the card verification code (CVV2/CVC2, the three- or four-digit code printed on the card), PINs, and encrypted PIN blocks.
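Because merchants usually do not know their POS is writing swipe data to disk, the first practical check is to look for it. The following scanner is an added example (not code from Visa or from any POS vendor) that walks a log or dump looking for ISO 7813 Track 1 and Track 2 records, which are always prohibited, and for bare 13-19 digit numbers that pass the Luhn check, which are cardholder data that may only be kept if rendered unreadable. The log lines and card numbers are constructed; the numbers are the public 4111... and 5500... test PANs, not real accounts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of what a POS transaction log looks like when the application
# (wrongly) writes the raw swipe to disk. Line 4 is a 16-digit order id that fails
# the Luhn check, so it must not be reported as a card number.
SAMPLE_LOG = """\
2007-11-15 12:31:07 sale txn=1001 track2=;4111111111111111=0912101123456789?
2007-11-15 12:31:09 sale txn=1002 track1=%B5500000000000004^DOE/JOHN^0912101000000000?
2007-11-15 12:32:40 refund txn=1003 pan=4111111111111111 exp=0912
2007-11-15 12:33:01 debug order_id=4111111111111112 status=ok
"""

# ISO/IEC 7813 track layouts as they appear when the raw swipe is logged:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^(\d{4})\d{3}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d{3}\d*\?")
# A bare PAN: 13 to 19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

PROHIBITED = "prohibited: full track data must never be stored after authorization"
PROTECT = "cardholder data: may be kept only if rendered unreadable (truncated, hashed or encrypted)"


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str        # "track1", "track2" or "pan"
    masked_pan: str  # first six and last four digits, the rest replaced
    verdict: str


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; weeds out timestamps, order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report a PAN in the usual first-six/last-four form so the report itself is safe to keep."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Track data first: its presence alone is a finding, whatever the PAN.
        for kind, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, kind, mask(m.group(1)), PROHIBITED))
        # Blank out the track spans already reported, then look for bare PANs in the
        # remainder, keeping only candidates that pass the Luhn check.
        remainder = TRACK1_RE.sub(" ", TRACK2_RE.sub(" ", line))
        for m in PAN_RE.finditer(remainder):
            if luhn_ok(m.group(1)):
                findings.append(Finding(line_no, "pan", mask(m.group(1)), PROTECT))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind:6} {f.masked_pan}  {f.verdict}")
```

On the sample this reports the Track 2 record on line 1 and the Track 1 record on line 2 as prohibited, the bare PAN on line 3 as cardholder data that must be protected, and nothing for line 4. Two caveats: a CVV2 or a PIN block has no distinctive shape, so pattern matching cannot find them on its own, and a POS that stores swipe data in a proprietary or encrypted database file will not show up in a plaintext scan. That is why Visa's list of validated and vulnerable application versions matters rather than a self-assessment alone.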
To address this vulnerability, which Visa has cited as the leading cause of breaches among small merchants, Visa announced that beginning January 1, 2008, the first of five mandates will take effect to start removing non-secure payment applications from processing with Visa. In other words, Visa is telling merchants they will be unable to process Visa credit or debit cards if their POS system does not meet the required security standards and is still storing prohibited data. You can also check the second PDF posted below to see whether your current POS version is compliant.
Read the entire press release here (see the second PDF below for Visa's updated list of vulnerable POS applications).
Here is a list of POS systems with information about their compliance status and any newly released software updates:
This effort by Visa is aimed at data security for 'swiped' (card-present) merchants such as restaurants and retailers, which account for the larger portion of the roughly $3 trillion credit/debit card processing industry. The 'card not present' portion of the industry, which includes merchants such as ecommerce, business-to-business, and mail/telephone order, will either do the necessary upgrades internally to meet PCI requirements or outsource the storage of credit card data.
Other related posts:
PCI DSS Compliance basics for credit card security
PCI DSS Compliance and the cost of a credit card breach
Braintree solutions: The Smart Approach to PCI DSS Compliance