Dara Security

PCI Council Publishes New Software Security Standards

January 24, 2019

In January 2019, the PCI SSC published the PCI Software Security Framework v1.0 (PCI SSF). Program-related materials (Program Guide, reporting templates, et al.) are expected to be published in mid-2019, but as of today the PCI SSF standards themselves are published and available on the PCI SSC website. The PCI SSF is composed of two standards:

· The Secure Software Standard v1.0

· The Secure Software Lifecycle Standard v1.0

The Secure Software Standard defines a set of security requirements and associated test procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data. The Secure Software Standard includes a set of “core” requirements that apply to all types of payment software submitted for validation under the PCI Software Security Framework, regardless of the software’s functionality or underlying technology, along with specific modules that address particular software types, use cases, or technologies. The Secure Software Standard is intended for payment software that is sold, distributed, or licensed to third parties. This includes payment software intended to be installed on customer systems as well as payment software deployed to customers “as a service” over the Internet.

Vendors wishing to validate their payment software under the PCI SSF may optionally choose to also validate the software lifecycle (SLC) practices for that payment software against the PCI Secure Software Lifecycle (PCI Secure SLC) Standard. The Secure Software Lifecycle Standard defines a set of security requirements and associated test procedures for software vendors to validate that they properly manage the security of payment software throughout the software life cycle. Validation against the Secure Software Lifecycle Standard demonstrates that the software vendor has mature secure software life cycle management practices in place to ensure its payment software is designed and developed to protect payment transactions and data, minimize vulnerabilities, and defend against attacks.

The PCI Secure SLC Standard is intended for software vendors that develop software for the payments industry. Vendors who have their software life cycle management practices validated will be recognized on the PCI SSC’s List of SSLC-Qualified Payment Software Vendors. The benefit to these vendors is that they will be able to perform and self-attest to their own software “delta” assessments (as part of validating their software products to the Secure Software Standard) with reduced assessor involvement or oversight. More information on software delta assessments will be provided when the PCI SSC publishes the additional Program materials.

The Secure Software Standard and Secure Software Lifecycle Standard are two separate, independent standards. While both standards address some of the same concepts, each standard approaches those concepts from a different perspective (i.e., secure software processes in the SSLC standard, secure functionality and security features in the Secure Software standard). Additionally, validation to one standard does not imply or result in validation to the other standard (or to any other PCI standard).

The PCI Software Security Framework is separate and independent from PA-DSS. While the PCI Software Security Framework includes elements of PA-DSS, the Framework represents a new approach for securely designing and developing both existing and future payment applications. Ultimately PA-DSS and its validation program will be incorporated into the PCI Software Security Framework. A gradual transition path will be implemented to ensure continued support for PA-DSS applications until transition is complete.

A three-year transition period will commence upon the launch of the Software Security Framework Validation Program in mid-2019. All PA-DSS validated payment applications will remain current and continue to be governed under the PA-DSS program until the expiry date for those applications is reached (2022 for payment applications validated to PA-DSS v3.2). Upon expiry, all PA-DSS validated payment applications will be moved to the “Acceptable Only for Pre-Existing Deployments” list. From that point on, any further updates to those PA-DSS validated payment applications will need to be assessed under the Software Security Framework.

Some vendors may need time to adjust to the differences between the two programs when transitioning from PA-DSS to the PCI Software Security Framework. Therefore, payment application vendors are encouraged to continue to submit changes to currently validated applications via the PA-DSS program. New PA-DSS validations will be accepted through mid-2020 and will be valid through late 2022. Assessments against the PCI Software Security Framework are anticipated to begin in Q3 2019 and will have a three-year validity period, putting the expiry date of those validations at roughly the same time as the expiry date of PA-DSS validations.