From 10 July to 11 August, eligible PCI SSC stakeholders are invited to review and provide feedback on the draft PCI Secure Software Standard v2.0 during a 30-day request for comments (RFC) period.
The RFC will be available through the PCI SSC Portal, including instructions on how to access the documents and submit feedback. Eligible stakeholders will also receive instructions via email. As a reminder, participants are required to accept a Non-Disclosure Agreement (NDA) to download the document. Please review the RFC Process Guide for more information.
Please note that PCI SSC can only accept comments submitted via the PCI SSC portal and received within the defined RFC period.
Background on the Secure Software Standard v2.0
PCI SSC has completed the first major revision draft of the Secure Software Standard since it was initially published in January 2019. The PCI Secure Software Standard requirements ensure that software is designed, engineered, developed, and maintained in a manner that protects payment functionality and data, minimizes vulnerabilities, and defends itself from attacks.
This RFC will include two documents for review:
- The draft Secure Software Standard v2.0. Major objectives for this revision effort include:
  - Remove the context of ‘payment software’
  - Redefine and refine the context of Sensitive Assets
  - Remove any language from test requirements that constitutes security requirements
  - Improve the objective degree of the security requirements
  - Restructure the organization and flow of the Standard
  - Significant updates based on stakeholder feedback
  - Eliminate overlap and redundancy
  - Add a new module for SDKs
- A new document draft, PCI Secure Software Standard – Sensitive Assets, for use with v2.0. This document is intended to be published with the Secure Software Standard, and it is a required companion document to the Standard. It is also used to set context for numerous security requirements. This document has tables of examples of Sensitive Data, Sensitive Resources, and Sensitive Functionality. Your feedback and suggestions are encouraged.
To help with your review, an informational document is being provided that includes a flat outline of all the draft v2.0 security objectives and security requirements, in addition to a mapping guide between Secure Software Standard v1.2.1 and draft v2.0.
The RFC ReadMe document contains important information as part of the RFC beyond the default administrative content. Please take the time to read the entire document.