Visa Developer Center Security and Penetration Testing Terms, Version: April 19, 2018
Security. Based on Company’s use of and access to VDP, Company agrees to the following security tests, which Visa may request from time to time:
1. Penetration Testing. Company shall cooperate with Visa to conduct penetration test(s) (“PenTest”) as described in this Section 1.
1.1. Scope of PenTest. The scope of the PenTest must encompass applications and infrastructure that are accessing, using, benefitting from or otherwise storing information, credentials or data resulting from accessing or using the Visa Developer Platform (“In-Scope Aspects”) and be jointly defined and approved by Visa’s PenTest team and Company’s subject matter experts. All application PenTests must be performed in a pre-production environment that mimics production, and all infrastructure PenTests must be performed in the production environment, encompassing the production infrastructure, following an industry standard methodology. Visa will require application PenTesting on an annual basis.
1.2. PenTest Provider.
1.2.1. For applications owned by or developed exclusively for Visa, Visa or an industry standard PenTest provider (“PenTest Provider”) of Visa’s choice will perform all PenTests;
1.2.2. If a PenTest Provider conducts the PenTest, Company shall provide Visa with an unaltered copy of the attestation report for Visa’s review. Such PenTest report or attestation will highlight the scope, methodology, results, finding summary, status of the findings and an outline of Company’s remediation timeline and policies within 14 days of the PenTest’s conclusion;
1.2.3. If Visa will perform the PenTest, Company hereby authorizes Visa to perform the PenTest on the In-Scope Aspects, including the systems and services that Company owns, manages or accesses (collectively the “Tested Systems”). Company certifies that it owns or has the exclusive right to and use of the Tested Systems and that Company has notified appropriate Personnel within its organization and any third parties, including without limitation any host master, systems administrator, technical manager, and security manager, prior to commencement of the PenTest. Company acknowledges that a PenTest, including testing, assessing, scanning, or monitoring the Tested Systems, including implementation and deployment, may disclose or create problems in the operation of such Tested Systems. Company acknowledges and accepts the risks involved with the Tested Systems, which may include without limitation down time, loss of connectivity or data, system crashes or performance degradation (collectively “Claims”). Visa shall not be liable for any such Claims. For the duration of the PenTest, Visa will not perform intentional denial of service (DoS) or social engineering testing.
1.3. Findings. Any findings identified as a part of the PenTest will be addressed in a timely fashion, prioritized by severity in accordance with industry best practices, such that any matters categorized as high priority will be resolved prior to matters categorized as lower priority.
2. Security Testing
2.1. All In-Scope Aspects as defined in Section 1.1 must be subject to a security review. At Company’s discretion, such applications can be optionally enrolled in Visa’s Vendor Application Security Testing (VAST) program to meet this security review requirement. Company can meet Visa’s VAST requirements by complying with one of the following options in 2.1.1 or 2.1.2:
2.1.1. Company may use its own internal source code scanning tools to perform static and dynamic code scanning and submit results via an alternate attestation document provided by the Visa VAST program. Company agrees to work with Visa to remediate findings according to industry guidelines based on severity of findings; or
2.1.2. Company may choose to enroll in the Visa third party VAST program. As part of the VAST Review, Visa utilizes a third party vendor (“Scanning Vendor”) to conduct the secure coding activities (“Code Scans”). Visa will, at its cost, provide Company with static code scanning licenses so that the Scanning Vendor may perform Code Scans during the development lifecycle. In addition, the Scanning Vendor will act as an intermediary between the Company and Visa SSDLC team to ensure clear communication of Code Scan results to Visa. Company agrees to work with Visa to remediate findings according to industry guidelines based on severity of findings.
2.2. The following are the requirements that Company, when applicable, will need to meet as part of the Visa Secure Code Program:
2.2.1. Company will perform a static application security test scan, and all findings of such scan will be remediated according to criticality; and
2.2.2. Company will perform dynamic security testing for applications with API interfaces and/or web services (“DAST Scan”). Company will remediate all findings from the DAST Scan according to criticality;
2.2.3. Upon request by Visa, Company will perform an audit, at Company’s expense, of all software, Applications and any content created by or on behalf of Company in connection with the VDP API Agreement to identify any free and open source software code that may be present in such materials. Company will provide Visa with results of such audit within 14 days of Company completing the audit;
2.2.4. Upon request by Visa, Company will provide Visa with written documentation detailing the applications development, patch management and update processes. The written documentation will clearly identify the measures that will be taken by Company to securely develop, maintain and manage the application;
2.2.5. Upon request by Visa, Company will provide Visa with written secure configuration guidelines describing all relevant security configurations and the implications of such configurations on the overall security of the application (“Security Guidelines”). The Security Guidelines will include a full description of dependencies on the supporting platform, including web service and application server, and how they should be configured for security. Company shall ensure that the application’s default configuration will be secure;
2.2.6. Upon request, Company will disclose to Visa what tools are used in the applications development environment to encourage secure coding;
2.2.7. Upon request, Company will provide and follow a security test plan that (a) defines an approach to testing or establishes that Company has met each of the security requirements identified in the test plan and (b) sets forth the level of rigor of the testing process. Company will implement the test plan set forth in this Section 2.2.7 and provide Visa a written report of the results within 14 days of Company completing such test plan.