Visa Inc. has released a set of best practices that it says will help increase data security at companies that install or manage payment software, including at point-of-sale terminals.
The practices include performing background checks on new employees and contractors before hiring them, maintaining a security training program, and pledging to sell and support only applications that comply with the Payment Card Industry Data Security Standard, Visa said on Tuesday.
It released the best practices because many investigations of data breaches show that vendors who installed payment applications inadvertently left some systems improperly configured, said Eduardo Perez, Visa's head of global payment security.
"The problem today is how vendors, resellers and integrators are installing the [software] that creates other vulnerabilities that hackers are able to exploit," he said in an interview. "There are common vulnerabilities that hackers are leveraging to gain access to card data at" merchant sites, such as remote access and default passwords.
In many cases, these systems have been improperly configured for months or years, Visa said.
The card network's list of best practices focuses on ways to secure the installation and management of payment applications, Perez said. Companies should have policies and procedures for allowing remote access to a network, and they should change the default passwords.