As payments evolve, PCI SSC continues to update the PCI Security Standards and programs for securing payment transactions and data.
In the area of software security, payment acceptance has changed significantly since the Payment Application Data Security Standard (PA-DSS) was first developed. This evolution requires a security approach that can support both existing and emerging payment software practices. To address this challenge, the PCI SSC is developing the PCI Software Security Framework: a new set of standards, supporting validation programs and certification listings for the secure design and development of payment software.
Here we provide an update on the development process for the Software Security Framework and what stakeholders can expect in 2018.
1. Industry feedback is shaping the development of the Software Security Framework.
From March through April, we conducted the first of two Request for Comments (RFC) periods on the draft Software Security Framework, asking PCI SSC stakeholders for their input on the Framework Overview document, Software Security Requirements and Secure Software Life Cycle Requirements. We received more than 220 pieces of feedback and are now actively reviewing and working through these comments. Over the next few months, we will work to address this feedback in the next draft of the Software Security documents, with the goal of sharing them again with the PCI SSC community for comment in Q3 of this year.
2. The Software Security Framework will incorporate the Payment Application Data Security Standard (PA-DSS) and listing.
The intent of the Software Security Framework is to provide an approach for securing payment applications that can support both existing and future applications and software practices. Because PA-DSS focuses on traditional payment applications, we will be incorporating that standard and its program into the Software Security Framework. Once the Framework is published, we will transition PA-DSS validated applications to the Software Security listing. Existing validation expiration dates for PA-DSS validated applications will be honored (e.g. PA-DSS version 3.2 validations expire in 2022). A migration path is also being developed to support current PA-QSAs becoming assessors under the Software Security Framework.
3. The Software Security Framework is anticipated for publication by the end of 2018, with the program to follow in 2019.
Anticipated timing is late 2018 for publication of the Software Security Framework and early 2019 for launch of the associated program. As this timing could change based on the feedback we receive, we will continue to keep stakeholders informed on the development process and the planned publication timeline.