From 31 July to 7 September, PCI SSC stakeholders are invited to review and provide final feedback on the draft PCI Software Security Framework, a new approach to securely designing and developing modern payment software.
Update on PCI Software Security Framework
As previously announced, the PCI SSC is developing a new PCI Software Security Framework to support both existing and emerging payment software practices. The framework includes the creation of two new standards, a supporting validation program for software products, and a certification program for software vendors.
The Payment Application Data Security Standard (PA-DSS) and its validation program will be incorporated into the Software Security Framework once the framework is published. Existing validation expiration dates for PA-DSS validated applications will be honored (e.g. PA-DSS version 3.2 validations expire in 2022). A migration path is also being developed to support the transition of current Payment Application Qualified Security Assessors (PA-QSA) to the PCI Software Security Framework.
Payment card industry stakeholder feedback plays an important part in the development of the PCI Software Security Framework and the PA-DSS transition plan. An initial request for comments (RFC) was held in March 2018 that generated more than two hundred comments and suggestions. Every comment and suggestion has been reviewed by PCI SSC, and the draft Secure Software Standard, Secure Software Life Cycle Standard and Software Security Framework documents have been updated to address this feedback.
Participate in the Final Request for Comments Period for the PCI Software Security Framework
PCI SSC Participating Organizations (which include Affiliate and Strategic Members), Qualified Security Assessors (QSA), Payment Application Qualified Security Assessors (PA-QSA) and PCI-Recognized Labs are invited to review and provide feedback on the latest draft PCI Software Security Framework documents during a final RFC period, running from 31 July to 7 September 2018.
In addition to incorporating the feedback received from the first RFC, the following updates have been made to the framework documents:
- Secure Software Standard and Secure Software Life Cycle Standard: Detailed test requirements and guidance added.
- Software Security Framework Overview: Additional details on the proposed validation program and a consolidated glossary of terms and definitions for the framework documents have been incorporated.
Feedback received during this RFC period will play an important part in finalizing the PCI Software Security Framework and the PA-DSS transition plan. PCI SSC plans to publish the two standards by the end of 2018, with the validation program to follow in 2019. PCI SSC will continue to keep stakeholders informed on the development process and publication timeline.
For additional background on the framework and its development, read the PCI Perspectives blog post "3 Things to Know About the PCI Software Security Framework in 2018".