Secure design and development of modern payment software is a key priority for the PCI SSC. Ahead of the PCI Europe Community Meeting in Barcelona, PCI SSC Chief Technology Officer Troy Leach shares insights into how PCI SSC is leveraging advancements in software security and specifically the development of a new software security framework.
Why is secure design and development of modern payment software a focus for PCI SSC right now?
Troy Leach: As the industry innovates to create new opportunities to accept payments, there is more reliance on good software security compared to previous generations of payment acceptance.
Point-of-sale (POS) software, for example, was simple in design, often because the device would have limited memory and secondary features. Additionally, any POS software would have a limited number of releases over a longer period of time.
As the technology advanced, more functions were included that expected the software to protect the transaction from potential attacks. However, for a variety of reasons, such as the pace of releasing new code or new types of software applications that would not qualify for existing PCI SSC programs, we noticed a trend of basic software security controls not being included in development. Sometimes simple things such as the existence of hard-coded passwords or input validation failures could have been corrected easily before being released into production.
In information security we preach about monitoring for new threats and patching when vulnerabilities are discovered, but this is a reactive security practice for users of third-party software already in production. And the number of vulnerabilities can be daunting. If we can be more proactive in addressing payment application security during development, however, then we have the opportunity to reduce overhead for administrators to focus on other aspects of security.
As such, PCI SSC is currently working on several standards that are either specifically dedicated to software or have software as a core element of the security requirements.
First, we are developing a software security framework consisting of two new standards and supporting programs that will address holistic payment application design and software life cycle management.
We’re also in the final stages of a standard for software development kits (SDKs) that support 3-Domain Security (3DS), as well as a standard that uses software security as one of the mechanisms to protect a PIN when entered on commercial off-the-shelf (COTS) devices.
What can you tell us about the software security framework currently in development?
Troy Leach: The software security framework is a new set of standards, supporting validation programs and certification listings for the secure design and development of modern payment software.
Payment acceptance has changed significantly since the PCI Payment Application Data Security Standard (PA-DSS) was first developed, and the software security framework is focused on evolving our standards and programs to support both traditional and modern payment software. This framework will ultimately result in a broader range of more secure payment software for merchants.
There are two standards for the software development community that are being developed as part of this framework: a software security standard for payment software and a standard of software life cycle requirements for payment software vendors.
How will the software security framework benefit the industry?
Troy Leach: First, merchants and other users of the payment software will benefit from the confidence that the product is designed and regularly tested with security in mind. The primary reason for developing the software security standards framework is to provide the industry, and especially the merchant community, with better tools for evaluating solutions they use to accept payments. Merchants will be able to make more informed decisions on the security posture and capabilities of the payment solutions they are considering for purchase and know the software was well-tested and capable of maintaining resiliency against new exploits if they’re discovered at a future time.
Software companies will benefit from the ability to push products to market more efficiently while still demonstrating due diligence. The framework is intended to allow software vendors more flexibility in determining the methods they wish to employ to achieve a particular security objective or desired outcome. An added benefit to this approach is that it also provides broader support for modern deployment technologies such as mobile and cloud.
Additionally, the validation program will allow vendors that demonstrate mature software life cycle practices to self-attest to interim application changes, which will help minimize the overhead for organizations that have adopted rapid software development and deployment methodologies such as Agile and DevOps.
How do these two new software security standards differ from the PA-DSS?
Troy Leach: PA-DSS focuses on software development and life cycle management principles for security in traditional payment software to help merchants maintain PCI DSS compliance. As I noted earlier, payment acceptance has changed significantly since PA-DSS was first developed, and modern software requires objective-focused security practices that can support nimble software development practices and more frequent update cycles than traditional design practices.
The software security framework recognizes this evolution in payment acceptance by providing an approach that supports both traditional and modern payment software.
How do you see the software security framework impacting the PA-DSS and program?
Troy Leach: There are no immediate changes planned for the PA-DSS and supporting validation program, but our intent is to incorporate PA-DSS into the software security framework at a future date.
In the meantime, we want to assure PA-DSS and program stakeholders that the PA-DSS and program will continue to exist and function as they do now. As the framework is developed, we will also be developing a transition plan for migrating PA-DSS applications to the new security framework validation program and listing.
We understand that changes to the PA-DSS and program impact many different stakeholders, and that is one of the key drivers for both the PA-DSS feedback period currently running and the upcoming comment period for the software security framework. We encourage PCI stakeholders, and especially PA-DSS vendors and application assessors, to participate in both of these. This feedback will play an important part in the development of the software security framework and how PA-DSS will fit within it.
This will also be a topic of discussion at our Europe Community Meeting next week, and we will continue to keep the industry updated on the development process. I’d also recommend that stakeholders subscribe to our blog to stay up to date on the latest information about this initiative.
When can stakeholders expect the software security framework to be available?
Troy Leach: Before the end of the year we are planning to make drafts of the two software security framework standards available to the PCI community for review and feedback as part of our request for comment (RFC) process. From there we will review the feedback and determine next steps. Depending on the volume and type of feedback we receive, we are aiming to publish the software security framework in mid-2018.