From 14 March to 12 April 2022, eligible stakeholders are invited to review and provide feedback on the Web Software Module for the PCI Secure Software Standard during a 30-day request for comments (RFC) period.
The RFC will be available through the PCI SSC portal, including instructions on how to access the documents and submit feedback. Eligible stakeholders will also receive instructions via email. As a reminder, participants are required to accept a Non-Disclosure Agreement (NDA) to download the document. Please review the RFC Process Guide for more information.
Please note that PCI SSC can only accept comments that are submitted via the PCI SSC portal and received within the defined RFC period.
Background on the Web Software Module for the PCI Secure Software Standard
The Web Software Module is a set of supplemental security requirements to the Secure Software Standard’s Core Requirements for payment software intended for use in e-commerce or other internet-facing payment scenarios.
The Secure Software Standard’s “modules” are groupings of related requirements to address a particular use case or payment platform and have their own applicability criteria. The security requirements within each module are intended to be applied in aggregate where relevant to a given software product.
The Web Software Module security requirements address common security issues related to the use of internet-accessible payment technologies, such as those that expose payment APIs or pages for other entities or sites to access and use. Topics covered in the Web Software Module include the secure use of software components, authentication and access control, the secure handling of input data, and secure communications.
The Web Software Module enhances the existing Core, Account Data Protection, and Terminal Software modules to further expand the scope of payment use cases covered by the PCI Secure Software Standard.
Also on the blog: About the Software Security Framework