PCI DSS and Regulatory Compliance Blog

Visa Payment Application Mandates and Deadlines

October 30th, 2007 Posted in Card Associations, Merchant, Payment Applications

As many people have noted, Visa released their Payment Application Security Mandates last week.

Visa will implement a series of mandates, beginning January 1, 2008, to eliminate the use of vulnerable payment applications from the Visa payment system. … These mandates are intended to prevent cardholder data compromises and thereby help mitigate the risk of associated financial losses such as liability from the Account Data Compromise Recovery (“ADCR”) program.

As with many things compliance related, the mandates will be phased in, starting with the elimination of known vulnerable payment applications for newly boarded merchants and ending with the overall requirement that only validated payment applications be used:

  1. Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (“VNPs”) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications. Effective date: 1/1/08
  2. VNPs (VisaNet Processors) and agents must only certify new payment applications to their platforms that are PABP-compliant. Effective date: 7/1/08
  3. Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications. Effective date: 10/1/08
  4. VNPs and agents must decertify all vulnerable payment applications. Effective date: 10/1/09
  5. Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications. Effective date: 7/1/10

There is a list of vulnerable payment applications available via Visa Online (sorry, merchants only.)

It is important to note that the deadline for Phase V (7/1/10) is aligned with the Triple Data Encryption Standard (“TDES”) usage mandate, which requires all Point-of-Sale (“POS”) PIN entry devices (“PEDs”) to be using TDES to protect PINs. Additionally, all attended POS PEDs must be evaluated by a Visa-recognized laboratory and approved by Visa prior to this same date.

Also remember that:

The PCI Security Standards Council (“PCI SSC”) will be adopting Visa’s PABP and plans to release the standard as the Payment Application Data Security Standard (“PA-DSS”) in the next year. References to PABP will be modified to reflect PA-DSS upon release.
