Visa has issued a set of application security best practices for payment application vendors, integrators, and resellers responsible for installing payment systems.
The guidance, established by Visa and SANS Institute, will help to control flaws and protect merchants' systems from attacks, Visa said.
"Most flaws that are exploited by attackers were put there by programmers who don't follow these practices," said Alan Paller, director of research for the SANS Institute. "What's special about Visa is that Visa actually investigates the attacks. If you want to use their credit card, you have to allow them to get all the data about every breach."
The best practices align with the Payment Card Industry (PCI) Payment Application Data Security Standard (PA DSS) to help companies securely install certain pieces of payment system software. The goal is to reduce vulnerabilities and configuration issues, because attackers are discovering ways to exploit these weaknesses, draining card data from pending transactions in merchants' systems.
By complying with both the PA DSS and Visa's best practices, there is more protection for the data and less room for error, ultimately leading to fewer system vulnerabilities, Paller said.
Visa is one of only three or four organizations in the country able to track how data breaches occur by tracing security issues to their origin. Generally, this capability is found only in government agencies.
"It's very rare for a non-governmental agency to have this access to breach data," said Paller. "They're the only ones that document the actual attacks rather than the opinions of people."
The Visa Top Ten Best Practices for Payment Application Companies include adhering to a common software development lifecycle and maintaining an internal and external software security training curriculum.
Taking these extra precautions will make it more difficult for attackers to get into the system and gain access to card data, Paller said. Investigations have found that some merchant companies simply overlook important configurations in their systems, leaving customers open to data compromise.
Used correctly alongside the Payment Card Industry Data Security Standard (PCI DSS), these practices will help control security issues that could compromise data. Paller said the one challenge with Visa's best practices is the issue of change.
"[One of the challenges] is adjusting the behavior of the people who have done something one way for a long time," Paller said. "It's the natural reaction people have to avoiding change."