A new standard under development by the PCI Security Standards Council aims to shore up a gaping hole in the payments process: vulnerable payment applications.
The Payment Application Data Security Standard (PA-DSS) is based largely on Visa's Payment Application Best Practices (PABP) program, which was introduced in 2005 to help software vendors create secure payment applications. Bob Russo, general manager of the PCI Security Standards Council -- which manages the Payment Card Industry Data Security Standard (PCI DSS) -- said vulnerable applications are often the weak link exploited by thieves.
Visa said its research showed that vulnerable payment applications are the leading cause of compromise, especially among small merchants.
"Criminals are targeting certain versions of software because of their known security gaps," Michael E. Smith, senior vice president of payment system risk at Visa, said in a statement. "Some versions of software in use today are known to store the full content of the magnetic stripe, PIN data or security codes, contrary to Visa rules and the PCI Data Security Standard."
The PA-DSS, which is endorsed by the five major payment card brands (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa Inc.), will ensure payment applications don't store sensitive card data and aren't rife with flaws that can lead to cross-site scripting and SQL injection attacks. Russo said a lot of applications are hastily written with little heed paid to security; the standard will make sure developers account for security.
Applications developed internally by merchants and others are subject to PCI DSS, not PA-DSS.
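As an added illustration (not code from the article, the council or any vendor named here), this is the kind of storage audit a vendor or assessor might run to catch the violations Visa describes: stored records that retain full magnetic-stripe track data or a card security code after authorization. The record layout and field names are constructed; the PAN is the standard 4111... test number.

```python
import re

# Constructed sample records, shaped like a payment application's persisted
# transaction log. All values are synthetic test data.
SAMPLE_RECORDS = [
    # Compliant: truncated PAN (first 6 / last 4), no track data, no CVV.
    "txn=1001 pan=411111******1111 exp=2512 amount=19.99",
    # Violation: full Track 2 (PAN=expiry+service code+discretionary data).
    "txn=1002 track2=4111111111111111=25121019876543210000 amount=42.00",
    # Violation: full Track 1 (%B<PAN>^<NAME>^<expiry><service code>...?).
    "txn=1003 track1=%B4111111111111111^DOE/JANE^2512101000000000000?",
    # Violation: card security code kept after authorization.
    "txn=1004 pan=411111******1111 cvv2=123 amount=7.50",
]

TRACK2_RE = re.compile(r"\b(\d{13,19})=(\d{4})(\d{3})(\d*)")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})")
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*=\s*\d{3,4}\b", re.I)


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, to cut false positives from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report a PAN as first 6 / last 4 only; the finding itself must not leak it."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_sensitive_auth_data(record: str) -> list:
    """Return (finding, masked_pan) tuples for one stored record."""
    findings = []
    for m in TRACK2_RE.finditer(record):
        if luhn_ok(m.group(1)):
            findings.append(("full track 2 stored", mask(m.group(1))))
    for m in TRACK1_RE.finditer(record):
        if luhn_ok(m.group(1)):
            findings.append(("full track 1 stored", mask(m.group(1))))
    if CVV_RE.search(record):
        findings.append(("card security code stored", None))
    return findings


def audit(records) -> dict:
    """Map each record's transaction id to its list of findings (empty = clean)."""
    return {r.split()[0]: find_sensitive_auth_data(r) for r in records}
```

Running `audit(SAMPLE_RECORDS)` flags the three non-compliant records and leaves the truncated-PAN record clean; in practice the same patterns are run over databases, log files and crash dumps, since those are where retained track data usually turns up.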
Russo said the council sent out Visa's PABP as the draft PA-DSS standard to its advisors, participating organizations, Qualified Security Assessors (QSAs), and Approved Scanning Vendors for feedback. The council plans to publish a final version of the standard by the end of the first quarter of this year, and then roll out training for QSAs and a list of validated payment applications.
Requiring merchants to use the validated applications is up to the payment card brands, Russo said. In November, Visa announced a series of requirements for U.S. merchants to use secure payment system software. An American Express spokeswoman said in an email that the company doesn't currently have any specific rules regarding what payment applications its merchants use, but "will look to make appropriate adjustments to our merchant agreements to ensure the security of all of our customers." MasterCard did not immediately respond to a request for comment.
Visa's phased-in mandates began Jan. 1 and require U.S. banks that service merchants (acquirers) to ensure they only use versions of payment applications that don't store sensitive card data and that adhere to PABP (Visa said its mandates will be modified to reflect the final PA-DSS). As of Jan. 1, acquirers cannot sign new merchants that use known vulnerable payment software. By July 1, 2010, acquirers must ensure their merchants use only PABP-compliant applications.
Approximately 200 applications have been validated against PABP, according to the council. That represents less than half of the payment applications used by merchants, said Roger Nebel, an independent PCI DSS auditor and director of strategic security at FTI Consulting.
"The majority of payment applications have never been audited and likely don't pass PABP," he said.
Common weaknesses in payment applications include SQL injection flaws and use of default user IDs and passwords for remote software management, Nebel said. The PA-DSS sets a relatively low bar but if followed can dramatically increase security, he added.
While merchants will be forced under Visa's requirement to absorb the cost of obtaining validated applications, acquiring banks will be the primary enforcers of the new mandate, Nebel said.
Diana Kelley, a vice president and service director at research firm Burton Group, said Visa's PABP focused on point-of-sale systems. Now under management of the PCI Security Standards Council, the PA-DSS establishes an industry-wide bar for securing POS systems, and will help raise awareness of application security.
"It's a good baseline," she said.
For ACI Worldwide, a New York-based payment software developer, the PA-DSS is good news. "We're happy that the industry is consolidating around a standard," said Douglas Grote, senior product manager at the company.
ACI Worldwide has been participating in Visa's PABP program and has three products validated as PABP-compliant with about 10 more in the process of being validated. Although PABP validation was not a requirement, the company aimed to be proactive.
"First, we want to make sure we are developing secure software. We consider ourselves a premier supplier in the industry and we want to assure our customers that we take this seriously," Grote said. "Second, we want to make sure our customers can pass their PCI audits. We don't want anything in our product to prevent them from being successful."
Validation is a comprehensive process that includes requirements such as monitoring for threats that might affect the application, he said. "Many of the objectives are outside of the actual code that we ship to customers."
With the new PA-DSS, ACI will need to revalidate its applications but Visa already required annual revalidation under PABP, Grote said.