Visa Inc. Sets Software Security Deadlines

San Francisco - July 14, 2009

Visa Inc. (NYSE: V) today announced global requirements for financial institutions to ensure their merchant customers and agents use secure payment applications that do not store prohibited data elements and adhere to the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS).

The PA-DSS is a global set of security requirements for software vendors who develop payment applications. PA-DSS compliant applications do not store prohibited data such as track data, sensitive authentication data, or PIN data, helping merchants and agents who use them mitigate compromises and support overall compliance with the Payment Card Industry Data Security Standard (PCI DSS). 

In Asia Pacific (AP); Central and Eastern Europe, Middle East and Africa (CEMEA); and Latin America and the Caribbean (LAC), Visa acquirers must ensure that newly signed merchants use PA-DSS compliant applications by 1 July 2010. By 1 July 2012, those acquirers must ensure existing merchants and agents in the Visa network use PA-DSS compliant applications.

As previously communicated to U.S. and Canada financial institutions, Visa acquirers must ensure that all new and existing merchants and agents in the Visa network use PA-DSS compliant applications by 1 July 2010.

Visa research confirms that vulnerable payment applications are a major cause of compromise incidents, particularly among small merchants. "Criminals are targeting certain versions of software known to have security vulnerabilities," said Eduardo Perez, head of global data security, Visa Inc. "It's essential that every business that handles payment card information adhere to the highest data protection standards to protect the security and privacy of their customers' financial information," Perez said.  

Visa recommends that merchants and agents ask their payment application vendors, resellers or system integrators to confirm that software versions used do not store magnetic-stripe, PIN data or security codes. "Merchants with vulnerable payment applications should move quickly to either patch or upgrade their systems," Perez said. 

A list of products that have been independently validated against Visa's Payment Application Best Practices (PABP) or the PA-DSS can be found at www.pcisecuritystandards.org or www.visa.com/cisp.

About Visa

Visa operates the world's largest retail electronic payments network providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa enjoys unsurpassed acceptance around the world and Visa/PLUS is one of the world's largest global ATM networks, offering cash access in local currency in more than 170 countries. For more information, visit www.corporate.visa.com.

Contacts:
Sandra Chu, Visa Inc.
Tel: +1 415 932 2564
E-mail: globalmedia@visa.com