New validation programs are being developed to support the PCI Software Security Standards. Together, these standards and programs provide payment software vendors with the PCI Software Security Framework for designing, developing and maintaining modern payment software. In this update, PCI SSC Senior Director of Certification Programs Gill Woodcock provides new information on the scope and timing of the Secure Software and Secure Software Lifecycle Programs, and how this impacts the PA-DSS program and listing.
What are the new software security programs being developed as part of the PCI Software Security Framework?
Gill Woodcock: The Secure Software and Secure Software Lifecycle (Secure SLC) Programs are designed for use by payment software vendors to demonstrate that their software products and their development practices meet the requirements outlined in the Secure Software Standard and the Secure SLC Standard respectively.
Through the Secure Software Program, assessors will evaluate payment software products against the Secure Software Standard, and the PCI Council will list validated payment software on the PCI SSC website.
Through the Secure SLC Program, assessors will evaluate payment software vendors’ adherence to the Secure SLC Standard, and the PCI Council will list qualified vendors on the PCI SSC website. Secure SLC Qualified Vendors will benefit from enhanced options on self-attestation to their own software “delta” assessments (as part of validation of their software products against the Secure Software Standard).
What types of software products will be eligible for validation under the Secure Software Program?
Gill Woodcock: Payment software products (defined as software involved in or directly supporting or facilitating payment transactions) that store, process, or transmit clear-text account data, and are commercially available and developed by the vendor for sale to multiple organizations will be eligible for validation under the Secure Software Program.
In other words, these are the initial program launch eligibility requirements:
- Software must be involved in or directly supporting or facilitating payment transactions
- Software must store, process or transmit clear-text account data
- Software must be commercially available and developed by the vendor for sale to multiple organizations
The PCI Council expects to expand the range of software eligible for validation under the Secure Software Program over time as additional modules are added to the Secure Software Standard.
With the Software Security Framework ultimately replacing the Payment Application Data Security Standard (PA-DSS) and program, can you provide an update on how current PA-DSS validated payment applications will be handled?
Gill Woodcock: Upon expiry of PA-DSS 3.2 in 2022, all PA-DSS validated payment applications will be moved to the “Acceptable Only for Pre-Existing Deployments” list, and the PA-DSS program will be retired. At that point, all assessments must occur under the PCI Software Security Framework.
In the interim, all current PA-DSS validated payment applications will continue to be governed under the PA-DSS program until the expiry date for those applications is reached (i.e., 2022 for payment applications validated to PA-DSS v3.2). Current payment application vendors will be able to submit changes to existing PA-DSS validated payment applications until PA-DSS expiry. Additionally, based on feedback from the industry, we are extending the date for acceptance of new PA-DSS submissions from mid-2020 to mid-2021.
When will more information on these programs be available?
Gill Woodcock: In June 2019 we plan to publish the program documentation, which includes the Software Security Framework Qualification Requirements for Assessors, Secure SLC Program Guide, Secure Software Program Guide and Reporting Templates. This will provide payment software vendors with information on the process for validation of their software products and development practices under these new programs, and potential assessors with information on how to qualify to conduct Secure Software and Secure SLC assessments, including details about training required.