VISA has released new security mandates regarding the use of Point of Sale systems.
“Beginning January 1, 2008, Visa will implement a series of mandates to eliminate the use of non-secure payment applications from the Visa payment system.”
The basic idea is to impose new application security requirements on point of sale systems. While VISA cannot force these requirements on software vendors, it can limit what software merchants can use. It is expected that these requirements will be rolled into the PCI DSS.
The compliance timelines released by VISA on Oct 23, 2007 are:
- Jan. 1, 2008: Any new merchants that want to be authorized for payment card transactions will have to use only PABP-validated applications. After this date, VisaNet processors and agents cannot certify new payment applications to their platforms if they are known to be vulnerable.
- July 1, 2008: VisaNet processors and agents must only certify new payment applications to their platforms that are PABP-compliant.
- Oct. 1, 2008: Level 3 and 4 merchants that have just been authorized to accept card transactions must be PCI DSS compliant or use PABP-compliant applications. Level 3 merchants process between 20,000 and 1 million e-commerce transactions a year through Visa. Level 4 merchants are those with fewer than 20,000 e-commerce transactions per year, plus all other merchants, regardless of acceptance channel, that process fewer than 1 million Visa transactions annually. Acceptance channels refer to how transactions are conducted: online, in person or by phone, for instance.
- Oct. 1, 2009: VisaNet processors and agents are required to decertify all vulnerable payment applications, meaning that companies still using them will no longer be PCI compliant.
- July 1, 2010: After this date, all merchants, VisaNet processors and agents are required to use only PABP-compliant payment applications.
Read the CISP Bulletin here, or visit the VISA Payment Applications page.



