
VISA Provides Guidance on Secure Implementation and Management of Payment Applications

25 August 2010

I walked into the office this morning and got this in my RSS feed aggregator:

VISA Provides Guidance on Secure Implementation and Management of Payment Applications [link]

After taking a look at the press release and looking through the actual document that VISA (and SANS apparently) produced [link], I think it’s a pretty interesting move on the part of VISA.  If you haven’t yet taken a look and you work for a retailer or a software vendor that sells to the retail space, I’d advise downloading the document and reviewing it.

Basically, this guidance provides VISA’s best practices regarding the implementation and support of payment applications that are already PA-DSS validated.  It appears that some of the recent breaches that have occurred (as per the post here), where the breakdown in security may have happened during the implementation of the software or through after-deployment support processes, have created some action from VISA.

Now - what does this mean for you?

If you are a retailer - I’d say that it provides you a list of items that you are going to want to discuss with your software vendors and their resellers.  Most of the items in the document are things that your vendors should already be doing, but some will, most likely, not be in place today (the reseller training program is something that I wouldn’t expect everyone to have in place today, for example).  Number 6 in the press release is interesting as well - most of the software vendors that I’ve been working with are trying not to force an upgrade on all their retail clients (you’d expect otherwise, but, really, most of the vendors aren’t being pushy about it with their clients as far as I can tell), but in #6 VISA is basically telling the vendors to tell you that you have to upgrade if you have an older, pre-validation version of their solution.

If you are a software vendor - get ready to spend more money, and good luck not being held responsible for the actions of your resellers…  In all honesty - most of the items shouldn’t be a huge stretch (a lot of this is just good application security stuff), but the specific notes regarding the reseller training program make this interesting.  I’m sure that you already have some sort of program in place for your resellers, but this might be a bit different from your general training - what happens when a reseller installs your solution incorrectly AFTER going through your newly implemented security training program and there is a breach?  Who’s going to take the blame (legally or otherwise) for the incorrect installation?

If you have any comments or insight that you’d like to add - please feel free to comment or send me a note via the contact page.

Also - I’ll be heading down to the PCI SSC meeting in September - look for a post after that trip highlighting some of the changes coming from the council on the PCI DSS.
