New FAQs address key questions on the transition from PA-DSS to the PCI Software Security Framework.
When Payment Application Data Security Standard (PA-DSS) v3.2 expires in 2022, the standard and program will be formally retired and replaced by the PCI Software Security Framework.
In the interim, to help minimize disruption and ease the transition process for stakeholders, the PA-DSS and PCI Software Security Framework Programs will run in parallel, with the PA-DSS Program continuing to operate as it does now:
- Existing PA-DSS validated payment applications: The PA-DSS Program remains open and fully supported until October 2022, with no changes to how existing PA-DSS validated applications are handled. They will remain on the List of PA-DSS Validated Payment Applications until their expiry dates, and per the normal process vendors can submit changes to them until PA-DSS v3.2 expiry (28 October 2022).
- New PA-DSS submissions: Vendors will be able to submit new payment software products for PA-DSS validation and listing until 30 June 2021.
To support the rollout of the recently announced Secure Software Lifecycle (Secure SLC) and Secure Software Programs and help stakeholders plan for transitioning to the PCI Software Security Framework, PCI SSC has published a PCI Software Security Framework Frequently Asked Questions (FAQs) document. The resource covers key aspects of the initiative, including its impact to PA-DSS validated applications and how PA-DSS will be phased out over time. We highlight these specific FAQs here.
Q: What is the relationship between the PCI Software Security Framework and PA-DSS?
A: The PCI Software Security Framework is separate and independent from PA-DSS. While the PCI Software Security Framework includes elements of PA-DSS, the Framework represents a new approach for securely designing and developing both existing and future payment software. PA-DSS was designed specifically for payment applications used in a PCI DSS environment. The PCI Software Security Standards extend beyond this to address overall software security resiliency. The PCI Software Security Framework is designed to support a broader array of payment software types, technologies, and development methodologies in use today and also support future technologies and use cases.
Q: How does the PCI Software Security Framework impact PA-DSS validated applications?
A: The PCI Software Security Framework has no immediate impact on PA-DSS validated applications, although PA-DSS will eventually be replaced by the validation programs within the PCI Software Security Framework. Acceptance of new PA-DSS validations will continue until June 30, 2021, and all PA-DSS validated payment applications will remain current and continue to be governed under the PA-DSS program until the expiry date for those applications is reached (October 2022 for payment applications validated to PA-DSS v3.2). Upon expiry, all PA-DSS validated payment applications will be moved to the “Acceptable Only for Pre-Existing Deployments” list.
Q: Should vendors continue using PA-DSS or wait until the PCI Software Security Framework is launched before initiating assessments?
A: Transitioning from PA-DSS to the PCI Software Security Framework may take some software vendors time to adjust to the differences between the two programs. Therefore, software vendors are encouraged to continue to submit changes to currently validated applications via the PA-DSS program. Additionally, software vendors who have initiated PA-DSS assessments for new payment applications are encouraged to complete those assessments under the PA-DSS program. New PA-DSS validations will be accepted through mid-2021 and be valid through late 2022. Assessments against the PCI Software Security Framework are anticipated to begin in Q1 2020 and will have a three-year validity period.
Q: Can merchants continue to use PA-DSS validated applications after October 2022?
A: PA-DSS validated applications are moved to the “Acceptable Only for Pre-Existing Deployment” when the validation expires. For applications validated to PA-DSS version 3.2 this will occur at the end of October 2022 and the PA-DSS program will close. See FAQ 1195 for further information about applications listed as “Acceptable Only for Pre-Existing Deployment”.
More information on the PA-DSS Program transition is available in the Secure SLC and Secure Software Program Guides and the PCI Software Security Framework FAQs.
Also on the blog: New Software Security Framework Programs: Timeline & Key Milestones