Payment Application Security Mandates – VISA

Source: VISA

Beginning January 1, 2008, Visa has implemented a series of mandates to eliminate the use of vulnerable payment applications from the Visa payment system. These mandates require acquirers to ensure that their merchants and agents do not use payment applications known to retain sensitive cardholder data elements (i.e., full magnetic stripe data, CVV, CVV2 or PIN data) and require the use of payment applications that adhere to the PABP.

Outlined below are the five mandates, which will take effect over the next three years.

| Phase | Compliance Mandate | Effective Date |
|-------|--------------------|----------------|
| I | Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications | 1/1/08 |
| II | VNPs and agents must only certify new payment applications to their platforms that are PABP-compliant | 7/1/08 |
| III | Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications | 10/1/08 |
| IV | VNPs and agents must decertify all vulnerable payment applications | 10/1/09 |
| V | Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications | 7/1/10 |
