Today, the PCI Security Standards Council (PCI SSC) published version 1.2 of the PCI Secure Software Standard and its supporting program documentation. The PCI Secure Software Standard is one of two standards that are part of the PCI Software Security Framework (SSF). The PCI Secure Software Standard and its security requirements help provide assurance that payment software is designed, developed, and maintained in a manner that protects payment transactions and data, minimizes vulnerabilities, and defends against attacks.
Version 1.2 of the PCI Secure Software Standard introduces the Web Software Module, a set of supplemental security requirements to the Secure Software Standard’s Core Requirements for payment software that uses internet technologies, protocols, and languages to support or facilitate electronic payment transactions. The security requirements provided in the Web Software Module identify key software security controls to implement to address the most common security issues related to the use of internet-accessible payment technologies.
There are four high-level requirement areas included in the Web Software Module:
- Documenting and tracking the use of open-source and third-party software components and APIs in payment software
- Controlling access to payment software web APIs and other critical assets
- Mitigating common web attacks
- Protecting communications between web-based payment software components
The following documents are now available in the PCI SSC Document Library:
- PCI Secure Software Standard v1.2
- Summary of Changes from PCI Secure Software Standard v1.1 to v1.2
- PCI Secure Software Program Guide v1.2
- PCI Software Security Framework Qualification Requirements for Assessors v1.2
- PCI Software Security Framework Glossary v1.2
- PCI Software Security Framework Frequently Asked Questions for v1.2 Release
Updates to the Secure Software Report on Validation (ROV) and Attestation of Validation (AOV) associated with the v1.2 release are expected to be published in Q1 2023.
No changes were made to the PCI Secure Software Lifecycle (Secure SLC) Standard or its supporting documentation with this release. The current version of the PCI Secure SLC Standard, Program Guide, Report on Compliance (ROC), and Attestation of Compliance (AOC) remains v1.1.
To support the addition of the Web Software Module, all Secure Software Assessors must undergo training and pass an exam on the Web Software Module within 90 days from the release of the training to remain in good standing with PCI SSC. Training is expected to be made available to all Secure Software Assessors in Q1 2023.
Other parties interested in learning more about the Software Security Framework standards are encouraged to attend SSF Knowledge Training. New this year, Knowledge Training courses are designed to bridge the knowledge gap between organizations and assessors by providing learning opportunities for individuals to take the same training and exam as the Assessor. Knowledge Training is offered for both the Secure Software Lifecycle (Secure SLC) Assessor course as well as the Secure Software Assessor course.
PCI SSC is offering PA-DSS Vendors a special discount for SSF Knowledge Training in 2023. If you are a PA-DSS Vendor, please contact the PA-DSS Program Manager for details on how to take advantage of this special offer.