PCI SSC is developing a new PCI Software Security Framework, a collection of software security standards and associated validation and listing programs for the secure design, development and maintenance of modern payment software. Here’s a brief update on the development process for the PCI Software Security Framework and what stakeholders can expect in 2019.
New Standards Coming in January 2019
The PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) Standard will be published in January 2019. Both standards are intended for use by software vendors:
- The Secure Software Standard outlines security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data.
- The Secure SLC Standard outlines security requirements and assessment procedures for software vendors to validate how they properly manage the security of payment software throughout the entire software lifecycle.
Validation Framework Anticipated for Mid-2019
The PCI Software Security Framework includes a validation program for software vendors and their software products and a qualification program for assessors. This will include new listings on the PCI SSC website for vendors with validated software development lifecycle processes, validated payment software, and assessors for both new standards. PCI SSC expects the validation programs to be available in 2019.
PA-DSS Transition will be Gradual
The PA-DSS and its validation program will ultimately be incorporated into the PCI Software Security Framework. For the time being, however, PA-DSS and its supporting program will remain in place.
There will be a gradual transition to allow organizations with current investments in PA-DSS to continue to leverage those investments. Upon launch of the Software Security Framework Validation Program, the transition period will begin. All current PA-DSS validated payment applications will continue to be governed under the PA-DSS program until the expiry date for those applications is reached (i.e., 2022 for payment applications validated to PA-DSS v3.2).
In mid-2020, acceptance of new PA-DSS submissions will end, but current payment application vendors will still be able to submit changes to existing PA-DSS validated payment applications until PA-DSS expiry. Upon expiry of PA-DSS 3.2 in 2022, all PA-DSS validated payment applications will then be moved to the “Acceptable Only for Pre-Existing Deployments” list and the PA-DSS program will be retired. At that point, further updates to PA-DSS validated payment applications will need to be assessed under the Software Security Framework.