In a follow-up to the previous blog article, Part One: Conceptual Differences Between SSF and PA-DSS, PCI SSC’s Senior Manager, Public Relations Alicia Malone and Senior Manager, Solution Standards Jake Marcinko discuss some of the technical differences between the now-retired Payment Application Data Security Standard (PA-DSS) and Program and its replacement, effective as of Oct 28, 2022: the PCI Software Security Framework (SSF).
Alicia Malone: In our first discussion, you described some of the key conceptual differences between PA-DSS and SSF. As many payment software vendors are still in the process of transitioning their Validated Payment Applications from PA-DSS to SSF, what are some of the key technical differences between the two standards from a requirements perspective?
Jake Marcinko: Most of the fundamental concepts and requirements in the Secure Software Standard and the Secure Software Lifecycle (Secure SLC) Standard - the two standards comprising the Software Security Framework - were derived and evolved from PA-DSS. For example, both PA-DSS and the two SSF standards cover topics such as secure software development, user authentication, protection of sensitive data during storage and transmission, logging, security roles and responsibilities, and stakeholder guidance. In most cases, the software security controls that were implemented to satisfy PA-DSS requirements can be repurposed to satisfy applicable requirements under the Software Security Framework.
There are, however, a number of requirements in the Secure Software Standard and Secure SLC Standard that expand on fundamental concepts and requirements from PA-DSS. Examples include the requirements within Module C – Web Software Requirements of the Secure Software Standard.
There are also several new requirements in the two SSF standards, such as the attack detection requirements (Objective 9) in the Secure Software Standard, which may require new software security controls above and beyond those required in PA-DSS.
Payment software vendors transitioning from PA-DSS to SSF are encouraged to perform a gap analysis between their existing software security controls and capabilities, and those required by the Secure Software Standard and Secure SLC Standard. Performing a gap analysis can help determine whether controls used to satisfy PA-DSS requirements may be repurposed, and where new controls and practices may be required.
Alicia Malone: Have there been any changes in the way security requirements can be met between PA-DSS and SSF?
Jake Marcinko: Yes. PA-DSS was often explicit in the techniques, methods, or technologies that were required to satisfy a particular PA-DSS requirement. The two standards under the Software Security Framework are different in that their focus is on the expected security outcomes rather than specific techniques, methods, or technologies that must be used.
The SSF approach provides payment software vendors more flexibility than PA-DSS by allowing them to determine how best to meet the security requirements based on their business and technical needs and capabilities. The trade-off is that SSF requires payment software vendors to have a robust risk management process for identifying potential threats and weaknesses and implementing appropriate software security controls to mitigate those risks.
Payment software vendors who need assistance with performing a gap analysis or identifying appropriate security controls and practices to satisfy applicable requirements within the SSF standards are encouraged to engage a PCI SSC-qualified Secure Software Assessor or Secure SLC Assessor to assist with this process. The PCI SSC’s list of Secure Software Assessors and Secure Software Lifecycle Assessors can be found under the PCI Qualified Professionals section of the PCI SSC website.
Alicia Malone: What are some of the other differences between PA-DSS and SSF from a program perspective?
Jake Marcinko: One of the key differences between the PA-DSS program and the programs under the Software Security Framework is the support for compensating controls. Under the PA-DSS program, all applicable requirements had to be met as stated. While that is also the general expectation under SSF, both SSF standards and programs allow for compensating controls to be used in cases where it is impossible to meet a given control objective due to a technical constraint.
While this SSF implementation of compensating controls is similar to that in PCI DSS, the methods for reporting this information in the Reporting Templates are different under the Software Security Framework. In such cases, the technical constraints preventing the control objective from being met must be documented and justified in the reporting template, and additional security controls must be implemented to mitigate any residual risks to a reasonable level. More information on the use of compensating controls can be found in the Secure Software v1.x Technical FAQs document available in the Document Library section of the PCI SSC website.
Another key difference between the PA-DSS program and the programs under the Software Security Framework is the use of Technical Frequently Asked Questions or “Technical FAQs.” The General FAQs under PA-DSS were considered “informative” or guidance only. In addition to General FAQs, the Software Security Framework also includes Technical FAQs which are considered “normative” and are an extension of the SSF standard and program to which they are affiliated.
Technical FAQs provide PCI SSC with a mechanism to provide more timely clarifications regarding the interpretation and application of security and program requirements between major revisions of a PCI standard. Technical FAQs are an integral part of the Software Security Framework and must be fully considered during assessments to the Secure Software Standard and Secure SLC Standard.
Alicia Malone: Where can people find more information about the PCI Software Security Framework?
Jake Marcinko: The Document Library section of the PCI SSC website is one of the best places to find more information on the PCI Software Security Framework. We also have numerous other articles in the PCI Perspectives Blog that may prove helpful as well. Simply select “PCI Software Security Framework” under “Categories” to find relevant articles.
Don’t forget that we also have a great resource available on our website through the Global Content Library. This is a great way to access video presentations from our Community Meetings on many different topics including the Software Security Framework.
For more detailed queries, you can reach out directly to the PCI SSC by emailing your questions to info@pcisecuritystandards.org. You can also contact a PCI Qualified Secure Software Assessor or Secure Software Lifecycle Assessor to help address questions that you may have with the applicable standard. As we previously noted, the PCI SSC’s list of Qualified Secure Software Assessors and Secure Software Lifecycle Assessors can be found on the PCI SSC website under “PCI Qualified Professionals.”