Wednesday, August 25, 2010

Visa issues "Best Practices" for payment application development

by David Ochel

Visa yesterday issued a press release announcing a bulletin describing the "Visa Top 10 Best Practices for Payment Application Companies" and encouraging acquirers, merchants, and agents to review the practices of their payment application vendors.

Of note is that Visa has partnered with the SANS Institute to match these best practices to training courses offered by SANS.

This initiative seems geared toward augmenting the requirements of the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS) in two ways: with some specific organizational guidance (for example, the recommendation that vendor employees undergo a background check, which is explicit in PCI DSS for the operation of payment infrastructures, but not in PA-DSS for the development of payment applications), and with training resources that will allow vendors to enhance their competence in building security into their software in line with the PA-DSS.

Visa, Inc. has required all merchants and service providers in North America to use PA-DSS validated payment applications since July of this year, and seems determined to continue addressing the evolving threat landscape by providing additional guidance to its payment community.
