Companies that install or manage payment-application software, such as that used in integrated point-of-sale terminals, can best protect their information by following a list of best practices Visa Inc. issued today, the payments company contends.
The 10-point best practices incorporate such routines as performing background checks on new employees and contractors before hiring them, maintaining a software-security training program, and pledging to sell and support only applications that comply with the Payment Card Industry Data Security Standard.
Visa released the best practices because many merchant card compromise investigations vendors that installed the payment applications inadvertently left the systems improperly configured, Eduardo Perez, Visa head of global payment security, tells PaymentsSource.
“The problem today is how vendors, resellers and integrators are installing the [software] that creates other vulnerabilities that hackers are able to exploit,” Perez says. “There are common vulnerabilities that hackers are leveraging to gain access to card data at a [merchant] location,” such as remote access and default passwords.
In many instances, these improperly configured systems have operated for months or years, Visa says.
Criminals target payment applications by using tools that can force a computer’s memory banks to divulge information and that can log keystrokes consumers make as they type in their credit and debit card information, Visa says.
Visa’s list of best practices focuses on ways to secure the installation and management of payment applications, Perez says. Companies should have policies and procedures for allowing remote access to a network, and they should change default passwords, he says.
The SANS Institute, which provides free policies and research on security issues to the technology community, is making the best-practices list available. The list also is available on Visa’s website.
What do you think about this? Send us your feedback.
