
Companies that install or manage payment-application software, such as that used in integrated point-of-sale terminals, can best protect their information by following a list of best practices Visa Inc. issued this week, the payments company contends.
The 10-point best practices incorporate such routines as performing background checks on new employees and contractors before hiring them, maintaining a software-security training program, and pledging to sell and support only applications that comply with the Payment Card Industry Data Security Standard.
Visa released the best practices because, in many merchant card compromise investigations, vendors that installed the payment applications inadvertently left the systems improperly configured, Eduardo Perez, Visa head of global payment security, tells ISO&Agent Weekly.
“The problem today is how vendors, resellers and integrators are installing the [software] that creates other vulnerabilities that hackers are able to exploit,” Perez says. “There are common vulnerabilities that hackers are leveraging to gain access to card data at a [merchant] location,” such as remote access and default passwords.
Criminals target payment applications by using tools that can force a computer’s memory banks to divulge information and that can log keystrokes consumers make as they type in their credit and debit card information, Visa says.
Visa’s list of best practices focuses on ways to secure the installation and management of payment applications, Perez says. The SANS Institute, which provides free policies and research on security issues to the technology community, is making the best-practices list available. The list also is available on Visa’s website.








