PCI SSC has published the PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) Standard as part of a new PCI Software Security Framework. The framework is a collection of software security standards and associated validation and listing programs for the secure design, development and maintenance of modern payment software. In this post PCI SSC Chief Technology Officer Troy Leach highlights what stakeholders need to know about the new standards.
Why is PCI SSC introducing these new software security standards?
Troy Leach: Software development practices have evolved over time, and the new standards address these changes with an alternative approach for assessing software security. The PCI Software Security Framework introduces objective-focused security practices that can support both existing ways to demonstrate good application security and a variety of newer payment platforms and development practices.
How was the payment card industry involved in the development of these standards?
Troy Leach: We’ve strived to receive as many different perspectives as possible in the development and review of the PCI Software Security Standards. This includes soliciting hundreds of industry participants representing software vendors, assessors, and other payment security experts for their input. For example, much of the expertise to develop these standards came from a dedicated industry PCI Software Security Task Force (SSTF) and multiple request-for-comments (RFC) periods for PCI SSC stakeholders to review the draft standards and provide comments.
What is the PCI Secure Software Standard?
Troy Leach: The Secure Software Standard outlines security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data.
Key security principles addressed in the Secure Software Standard include critical asset identification, secure default configuration, sensitive data protection, authentication and access control, attack detection, and vendor security guidance.
In many ways, this standard is similar in intent to the Payment Application Data Security Standard (PA-DSS). The goal for both standards is to have a way to demonstrate the ongoing protection of payment data by the software that stores, processes or transmits that information, and for software providers to have a way to demonstrate independent security evaluation of the software to achieve that goal.
How then are the PCI Software Security Standards different from the PCI Payment Application Data Security Standard (PA-DSS)?
Troy Leach: PA-DSS focuses on software development and lifecycle management principles for security in traditional payment software to help merchants maintain PCI DSS compliance. The PCI Software Security Standards expand beyond this to address overall software security resiliency. The framework provides a new methodology and approach to validating software security and a separate secure software lifecycle qualification for vendors with robust security design and development practices.
In other words, they’re not mutually exclusive but offer a progressive approach that allows for additional alternatives to demonstrating secure software practices.
What will happen to the PA-DSS and applications currently listed on the PA-DSS List of Validated Payment Applications?
Troy Leach: Ultimately the PA-DSS and listing will be retired, and payment applications will be assessed under the PCI Software Security Framework.
Upon launch of the PCI Software Security Framework Validation Program later in 2019, there will be a gradual transition period to allow organizations with current investments in PA-DSS to continue to leverage those investments. All current PA-DSS validated payment applications will continue to be governed under the PA-DSS program until the expiry date for those applications is reached (i.e., 2022 for payment applications validated to PA-DSS v3.2).
In mid-2020, acceptance of new PA-DSS submissions will end, but current payment application vendors will still be able to submit changes to existing PA-DSS validated payment applications until PA-DSS expiry. Upon expiry of PA-DSS 3.2 in 2022, all PA-DSS validated payment applications will then be moved to the “Acceptable Only for Pre-Existing Deployments” list and the PA-DSS program will be retired. At that point, further updates to PA-DSS validated payment applications will need to be assessed under the PCI Software Security Framework.
How will the PCI Secure Software Standard be used?
Troy Leach: The PCI Secure Software Standard is intended for payment software that is sold, distributed, or licensed to third parties for the purposes of supporting or facilitating payment transactions.
We also encourage bespoke products that are developed in-house by large organizations to consider using these same practices. We’ve already heard from several merchants that have expressed interest in adopting these practices as a way for them to demonstrate the integrity of their unique development practices to achieve some of the testing validation of Requirement 6 of the PCI DSS.
What is the PCI Secure Software Lifecycle (Secure SLC) Standard?
Troy Leach: One of the most important aspects of the PCI Software Security Framework and a consistent issue highlighted in recent compromises is maintaining good application security as changes are introduced.
The Secure SLC Standard helps achieve this by outlining security requirements and assessment procedures for software vendors to validate how they properly manage the security of payment software throughout the entire software lifecycle.
Key security principles addressed in the Secure SLC Standard include governance, threat identification, vulnerability detection and mitigation, security testing, change management, secure software updates, and stakeholder communications.
This provides confidence to businesses using the payment application that their software vendor is providing ongoing assurance of the integrity of the software development and the confidentiality of payment data as change occurs.
How will the PCI Secure SLC Standard be used?
Troy Leach: The PCI Secure SLC Standard is intended for software vendors that develop software for the payments industry. Validation against the Secure SLC Standard illustrates that a software vendor has mature secure software lifecycle management practices in place to ensure its payment software is designed and developed to protect payment transactions and data, minimize vulnerabilities, and defend against attacks. Achieving this validation demonstrates an understanding and commitment to those continuous changes throughout a payment application’s lifecycle.
Who will assess software and vendors to the new software security standards?
Troy Leach: Assessor programs are being developed to support these standards as part of the PCI Software Security Framework. We will provide more information on these new programs over the next few months.
What resources are available to help stakeholders understand the new standards?
Troy Leach: In addition to the guidance contained within the standards, a separate FAQ document is provided to address key questions stakeholders may have as they review the standards. A dedicated Glossary of Terms, Abbreviations, and Acronyms has also been produced for the Software Security Framework to assist with understanding of software-specific terminology used throughout the standards.