Today, the PCI Security Standards Council (PCI SSC) published version 1.1 of the PCI Secure Software Standard and its supporting program documentation. The PCI Secure Software Standard is one of two standards that are part of the PCI Software Security Framework (SSF). The PCI Secure Software requirements provide assurance that payment software is designed, engineered, developed and maintained in a manner that protects payment transactions and data, minimizes vulnerabilities, and defends itself from attacks.
Version 1.1 of the PCI Secure Software Standard introduces the Terminal Software Module, a new security requirements module for payment software intended for deployment and operation on PCI-approved PIN Transaction Security (PTS) Point-of-Interaction (POI) devices. Software intended for deployment and operation on other platforms is not affected by the new requirements.
The new Terminal Software Module is the third module to be incorporated into the PCI Secure Software Standard’s modular requirements architecture. Modules are groups of requirements that address specific use cases. The two existing modules in the PCI Secure Software Standard are the “Core” module, which includes general security requirements applicable to all payment software, and the “Account Data Protection” module, which includes additional security requirements for payment software that stores, processes or transmits clear-text account data. PCI SSC expects to introduce additional modules in the future.
To support the addition of the Terminal Software Module, as well as future modules, the SSF Assessor Qualification Requirements have also been updated to include module training and exam requirements. The PCI Secure Software Standard v1.1 also addresses errata, adds minor clarifications, and aligns key terms and definitions across the Standard and program documentation.
Vendors and assessors should download the current program documentation and reference v1.1 of the Program Guide when working with v1.1 of the Standard. The following documents can be found in the PCI SSC document library:
- PCI Secure Software Standard v1.1
- Summary of Changes from PCI Secure Software Standard v1.0 to v1.1
- PCI Secure Software Program Guide v1.1
- PCI Secure Software Report on Validation (ROV) template v1.1
- PCI Secure Software Attestation of Validation (AOV) v1.1
The PCI Secure Software Standard will supersede the Payment Application Data Security Standard (PA-DSS) and its program when PA-DSS officially closes on 28 October 2022. Submissions of new payment applications for PA-DSS validation will be accepted until 30 June 2021. The PCI Secure Software Standard expands on the key principles of protecting payment applications and data that were first introduced in PA-DSS, and is designed to support a much larger set of payment software architectures, functions and software development methodologies.
As part of the closing of PA-DSS in October 2022, the PA-QSA program will also be retired. For existing PA-QSAs interested in performing PCI Secure Software Standard validations, PCI SSC has recently announced 2021 dates for Software Security Framework Assessor training. SSF Assessors are independent security organizations that are qualified by PCI SSC to perform assessments to the Secure Software Standard, the Secure SLC Standard, or both.
SSF Assessor Company qualification is open to any company that meets the SSF Assessor Qualification Requirements. Eligible organizations can apply now to become SSF Assessor Companies by visiting the Secure Software Assessor or Secure SLC Assessor pages on the PCI SSC website and following the steps outlined in the registration process. Classes are available for qualification, informational or corporate group training.
Also on the blog: How to Successfully Transition Software from PA-DSS to the PCI Secure Software Standard