In an earlier post, Securing Modern Payment Software with a New Software Security Framework, PCI SSC Chief Technology Officer Troy Leach discussed how PCI SSC is prioritizing secure design and development of modern payment software with the development of a new software security framework. Here we get an update on the development process for this framework and what stakeholders can expect next.
A key discussion topic at the PCI Europe Community Meeting in October was the new PCI Software Security Framework currently under development. What can you tell us about stakeholder reactions to it?
Troy Leach: Stakeholder reactions to the Software Security Framework have been very positive. Assessors, vendors, acquirers and payment brands all recognize the need for application security standards to better support modern payment technologies, innovations and solutions, and are eagerly anticipating the additional flexibility the Software Security Framework is intended to provide.
Remind us, what are the objectives of the Software Security Framework?
Troy Leach: The Software Security Framework is a new set of security requirements as well as new validation programs for the secure design, development and testing of modern payment software.
We have a growing diversity of software that is being developed for new payment platforms and at a frequency that is both too quick for traditional assessments and not practical for vendors to attest each iteration in an effective manner. Our goal is to provide software standards and programs that are more flexible to evolve security practices in parallel with anticipated changes in payment acceptance.
The feedback period for Payment Application Data Security Standard (PA-DSS) ended in November. How does feedback received on PA-DSS factor into the software security framework development process?
Troy Leach: We received approximately 75 comments from the recent PA-DSS feedback period and would like to thank all the organizations that contributed. We truly value the feedback we receive from the industry and will be taking it into consideration as part of the continued development of the Software Security Framework, as well as for a potential PA-DSS errata in 2018 if necessary.
We anticipate that PA-DSS will eventually be incorporated into the Software Security Framework, but this transition will take time. We recognize the investment that stakeholders have made in the PA-DSS program since its inception, and we do not want organizations to lose that investment in security evaluation. The transition strategy will continue to support those organizations’ efforts in securing payment software.
When will the draft software security standards be available for PCI SSC stakeholder review and comment?
Troy Leach: Elements of the new Software Security Framework will be an evolution of our existing approach to application security within other standards and programs, such as PA-DSS. We recognize this will affect stakeholders, and as part of the stakeholder review and comment process for the standards we would like to discuss as a community the potential impact to existing PCI SSC programs.
For example, we will be providing details of how we plan to manage the transition to the new Software Security Framework for stakeholders to review along with the draft software security standards.
Given these considerations, the request for comments (RFC) period for Participating Organizations and assessors is now planned for the first quarter of 2018, instead of this month as previously anticipated.
This will allow us additional time to develop and incorporate a transition strategy into the RFC documents so that stakeholders can review this important aspect of the framework’s rollout and implementation and provide their input on it.
Is the framework still anticipated for 2018?
Troy Leach: We are still in the process of developing the framework, and the feedback we receive from stakeholders may influence timing of final publication. But as of now, anticipated timing is the second half of 2018 for publication of the software security standards, and Q1 2019 for launch of the associated program.
