The PCI Secure Software Lifecycle (Secure SLC) Standard is part of the PCI Software Security Framework, which addresses security for software operating in payment environments. In this blog, we interview PCI Security Standards Council’s VP, Global Head of Programs, Gill Woodcock, about the Secure SLC Standard, what it is, and the value of adoption.
What is the PCI Secure Software Lifecycle (Secure SLC) Standard?
Gill Woodcock: The PCI Secure SLC Standard is one of two standards that are part of the PCI Software Security Framework. It provides security requirements and assessment procedures for software vendors to validate how they manage the security of their software throughout the software lifecycle.
How does the Secure SLC Standard support a culture of security?
Gill Woodcock: The Secure SLC Standard addresses four main security objectives. Adopting these objectives means that the importance of software security is acknowledged and embraced by an organization’s senior leadership, and that software security policies and strategies are in place. The objectives are outlined as follows:
- Software Security Governance - A formal software security governance program is established to reflect the vendor’s commitment to building secure software and protecting any sensitive data and resources stored, processed, or transmitted by the software.
- Secure Software Engineering - Payment software is designed and developed to protect critical software assets and to be resistant to attacks.
- Secure Software and Data Management - The confidentiality and integrity of the software and its critical assets are maintained throughout the software lifecycle.
- Security Communications - The vendor provides timely information to its stakeholders (including customers, installers, and integrators) regarding security issues affecting its software, and thorough guidance on secure software implementation, configuration, operation, and updates.
What does it mean to be a Secure SLC Qualified Vendor?
Gill Woodcock: Software is evolving quickly with updates implemented at a pace that requires a different approach to validating the process. Implementing the Secure SLC Standard means that security is embedded into the software lifecycle from the outset. Becoming a Secure SLC Qualified Vendor can provide assurance that the software lifecycle used to produce software has been validated for adherence to strong security practices. All organizations can benefit from knowing that the software they use is developed according to an industry standard. To give an example, patches are a critical security control for software. The Secure SLC Standard requires software vendors to have robust processes for fixing newly discovered vulnerabilities in a timely manner and making those fixes available to stakeholders. End users of the software benefit from knowing the vendor has a vulnerability detection and mitigation process in place.
Who is eligible to become a Secure SLC Qualified Vendor?
Gill Woodcock: Right now, the program is open to vendors of payment software, but we’ll soon be expanding eligibility to vendors that produce software and software components that may share resources within a payment environment. We’ll be sharing more information about this expansion later this year.
Why should vendors adopt the Secure SLC Standard?
Gill Woodcock: By adopting the Secure SLC Standard, software vendors can show their customers that they take security seriously, practice good software security hygiene, and continuously monitor and maintain the security of their software throughout its lifecycle. If the vendor’s software is going to be validated to the Secure Software Standard (which replaces PA-DSS) and listed on PCI SSC’s website, being a Secure SLC Qualified Vendor brings benefits with easier processes to keep listings updated.
How can vendors learn more about the Secure SLC Standard?
Gill Woodcock: Vendors can learn more by reading the Secure SLC Standard and Program Guide, available in the PCI SSC Document Library. Vendors may also consider attending Secure SLC informational training, which is available online from PCI SSC. We recommend reading our two at-a-glance documents, which include an overview of the PCI Software Security Framework and more information on how PA-DSS will be replaced.