Visa Alerts Acquirers to Payment Applications That Store Sensitive Cardholder Data

Certain payment applications are designed to store sensitive cardholder data --including full magnetic-stripe, Card Verification Value 2 (CVV2) or PIN data – following transaction authorization. Storage of this type of data is in violation of the Payment Card Industry Data Security Standard (PCI DSS) and the Visa International Operating Regulations. It is critical that acquirers: 1) ensure that their merchants and agents do not use payment applications known to retain sensitive cardholder data elements; 2) take corrective action to address any identified deficiencies; and 3) insist that their merchants and agents use payment applications that have been validated against Visa’s Payment Application Best practices (PABP), now known as the Payment Application Data Security Standard (PA-DSS).

[SIZE=4]Payment Applications Storing Sensitive Cardholder Data [/SIZE]

Payment applications often store sensitive cardholder data post-authorization without the merchant’s or the agent’s knowledge. Acquirers, merchants and agents should ask their payment application vendors (or resellers and integrators) to confirm that their software does not store magnetic-stripe data, CVV2 data, PINs or encrypted PIN blocks. This information can be verified by asking the payment application vendor to: 1) disclose a list of files written by the application; and 2) share a summary of the contents of those files. Acquirers, merchants and agents must confirm that all cardholder data storage is necessary and appropriate for the
transaction type.

It is critical for acquirers to ensure that merchants and agents using these applications take appropriate action to eliminate sensitive cardholder data from being stored on their systems. This may be accomplished by implementing an updated application version or patch made available by the vendor or by selecting an alternative PABP or PA-DSS validated application. In addition to upgrading the application, any historical storage of sensitive cardholder data must be securely wiped from all systems immediately. A secure wipe utility should be obtained from the software vendor or a third party vendor. In addition, any merchant intending to purchase “used” equipment should verify that these systems in question are free of sensitive cardholder data.

To further assist with this process, Visa has compiled the following list of applications that have been identified as storing full magnetic-stripe data. In some cases, the product vendor has provided a recommended fix to address the magnetic-stripe data issue; these product versions or patches are also noted. If a PABP or PA-DSS validated product version of the application is available, it is noted as well.

Updates to this list will be made periodically, and changes may be made to the listing of products that affect Visa’s views. This list is not to be published publicly; however, acquirers may share this list with their merchants and agents. When sharing this list, acquirers must not publish the list to a website or to a place where the list may be made publicly available. For detailed information about these products and their respective fixes or upgrades, please contact the product vendors directly.