By: Michael Jervis
The Payment Card Industry Security Standards Council (PCI SSC) has issued a new Software Security Framework for secure payment software. The new framework includes both a Secure Software Standard and a Secure Software Life Cycle (SLC) standard. A key aspect of the framework focuses on the SLC, which makes security a consideration at all stages of payment software development, rather than simply during the testing phase at the end of the software lifecycle. The new standards result from the work of a Software Security Task Force and from request-for-comment periods that solicited input from industry stakeholders.
The Secure Software Standard aspect of the framework offers minimum security requirements for payment software and also provides procedures for ensuring software complies with confidentiality concerns and other requirements. The standard, therefore, is similar to the existing Payment Application Data Security Standard (PA-DSS). However, the new standard addresses broader software security concerns and also offers an updated approach for validating the security of payment software. Over the next three years, the PA-DSS program, including the listing of PA-DSS validated payment applications, will be retired in favor of the new framework for validating payment software intended for use by third parties to facilitate payment transactions.
Perhaps the most significant shift offered by the framework is the SLC’s goal of maintaining application security as changes and updates are made to the software. To that end, PCI SSC has stated that it aims to address the security principles of governance, threat identification, vulnerability detection and mitigation, security testing, change management, secure software updates and stakeholder communication as software development occurs, including during updates and changes rather than only after completion. PCI SSC hopes this will increase confidence that software vendors are addressing integrity and confidentiality concerns as software updates and changes take place. Now that the framework has been released, PCI SSC is working on developing assessor programs. Once these programs are rolled out, certified assessors will be able to validate payment software as complying with the framework.