PCI SSC is in the process of finalizing new PCI Security Standards for the secure design and development of modern payment software. Speaking at the PCI Europe Community Meeting, Chief Technology Officer Troy Leach shares an update on this effort and why it’s important to the future of payment security.
When does PCI SSC expect to publish the new PCI Software Security Standards?
Troy Leach: We are on track to publish both the Secure Software Standard and the Secure Software Life Cycle (Secure SLC) Standard by the end of 2018. After completing a final request for comments (RFC) period in September, we are reviewing the 200+ comments received and updating the standards to address this feedback. These standards are part of the PCI Software Security Framework, which includes a validation program for software products and a qualification program for software vendors, to be available in 2019.
Will these standards replace the PCI Payment Application Data Security Standard (PA-DSS)?
Troy Leach: Ultimately, the PA-DSS and its validation program will be incorporated into the Software Security Framework. But for the time being, PA-DSS and its supporting program will remain in place.
Stakeholders can be assured that existing validation expiration dates for PA-DSS-validated applications will be honored (e.g. PA-DSS version 3.2 validations expire in 2022). More information on this will be made available when the PCI Software Security Framework validation and qualification programs are released in 2019.
When published later this year, the PCI Software Security Standards will include elements of PA-DSS in a new approach for securely designing and developing both existing and future payment applications. Whereas PA-DSS was designed specifically for payment applications used in a PCI DSS environment, the PCI Software Security Standards expand beyond this to address overall software security resiliency. The framework provides a new methodology and approach to testing software security and a separate secure software life cycle qualification for vendors with robust security design and development practices.
How will the PCI Software Security Framework benefit the industry?
Troy Leach: The framework provides developers of payment applications better support for modern software development techniques, while ensuring greater transparency into the security capabilities of payment software and payment software vendors. In turn, this should provide the overall payment industry with more consistency in how software can be assessed for security and result in a broader range of secure payment solutions.
How have payment innovations influenced the development of the PCI Software Security Standards?
Troy Leach: Several factors have helped change our approach to security of software used for accepting payments. Most significant is that software developers are adopting more aggressive software life cycle management techniques with much faster-to-market releases. Another factor is the global prevalence of dynamic data associated with many types of transactions, especially card present, which helps to minimize using stolen payment data in other payment channels.
Additionally, modern-day monitoring and real-time analytics provide improved layers of security controls that are much more responsive than just a few years ago. That is, in part, due to the significant global growth in network speed and accessibility to protect all types of payment transactions remotely.
Even the software has become smarter at protecting itself against evolving threats. All of this collectively allows us to embrace faster development with more intelligent layers of defense.
Why are the PCI Software Security Standards important for the next generation of payments?
Troy Leach: Innovation in payments moves at an incredible pace. Every few years, it seems, there is a more popular software platform to design from, or entrepreneurs discovering new ways to accept payments. For example, 10 years ago, we were just becoming familiar with the term ‘smartphone’, let alone the idea that billions of dollars might someday be processed through this type of device.
Each significant breakthrough requires that generation of software developers to have guiding principles for how to test their software and protect users from being a victim of a data compromise. I’ve heard from several developers that our standards and best practices are the best starting point for understanding their role in protecting payments, even if the technology is not yet mainstream.
The PCI Software Security Standards provide increased flexibility and transparency for software vendors to achieve common sense software security objectives, while also supporting a more agile approach to software development techniques and release cycles.