From 6 March to 6 April, PCI SSC stakeholders have the opportunity to review and provide feedback on the draft PCI Software Security Standard (S3) Framework.
As payments evolve, PCI SSC continues to evolve PCI Standards and programs for securing payment transactions and data. In the area of software security, payment acceptance has changed significantly since the Payment Application Data Security Standard (PA-DSS) was first developed. This evolution requires a security approach that can support both existing and emerging payment software practices.
To address this challenge, the PCI SSC is developing a PCI Software Security Standard (S3) Framework: a new set of standards, supporting validation programs and certification listings for the secure design and development of payment software. We are developing a transition plan for migrating PA-DSS applications to the new security framework validation program and listing, but in the meantime the PA-DSS and its program will continue to exist and function as they do now.
We understand that any changes to the PA-DSS and program impact many different stakeholders, and that is one of the key drivers for this Request for Comment (RFC) period. PCI SSC Participating Organizations (which include Affiliate and Strategic Members), Qualified Security Assessors (QSA), Payment Application Qualified Security Assessors (PA-QSA) and PCI-Recognized Labs are invited to review and provide feedback on the draft standard during this 30-day RFC period.
This feedback will play an important part in the development of the PCI Software Security Standard Framework and the PA-DSS transition plan.
There are three draft documents for review and feedback:
- Software Security Requirements: Requirements for payment software to adequately protect the integrity and confidentiality of payment transactions and data.
- Secure Software Life Cycle Requirements: Requirements for payment software vendors to properly manage their payment software throughout the entire software life cycle.
- S3 Framework Overview: A high-level overview of the proposed S3 Framework and validation program.
The comment period runs from 6 March to 6 April 2018.
For additional background on the framework and its development, read the PCI Perspectives blog post "What's Next for the PCI Software Security Framework?".