The PCI Software Security Council initiated work on the new Software Security Framework in collaboration with our team at Security Compass, Microsoft Corporation, and other stakeholder organizations.
This resulted in the new PCI Software Security Standards which treat software security as a critical need. As a result, they are more comprehensive than ever before in their instructions related to software security.
The new PCI Software Security Standards, part of the new PCI Software Security Framework, were built with the understanding that, in order for payment software to be considered secure, it must first be designed, developed, and maintained in a way that protects the integrity of payment transactions and the confidentiality of all sensitive data collected in association with payment transactions. Hence, the software security standards comprise both software security requirements and secure software lifecycle (SLC) requirements. Their primary goal is to provide a way to secure payment applications that supports current as well as future industry technologies and best practices.
The PCI Software Security Standards’ coverage is comprehensive, addressing all payment software functionality as well as the identification and implementation of security controls. The new standards outline the responsibility of outside vendors in guiding customers’ security practices. They also detail the tools and functions the software uses to access critical assets, and they address execution environments, code libraries, requirements, and dependencies.
As payments evolve, PCI SSC continues to transform the PCI Security Standards and programs for securing payment transactions and data.
The PCI Software Security Framework provides payment application developers with better support for modern software development techniques, ensuring greater transparency into the security capabilities of payment software and payment software vendors.
*Source: PCI SSC Blog
Ultimately, the PA-DSS and its validation program will be incorporated into the PCI Software Security Standards. But for the time being, PA-DSS and its supporting program will remain in place.
More information on this will be made available when the PCI Software Security Standards validation and qualification programs are released in 2019.
*Source: PCI SSC Blog
The new PCI Software Security Standards represent the payment card industry’s effort to create an elevated standard pertaining to software security in the payments ecosystem, supporting validation programs for software products and qualification programs for software vendors.
The new standards also focus on a more agile approach to software development techniques and release cycles.
Software developers are adopting more competitive software lifecycle management techniques with faster release cycles, and the PCI Software Security Standards were designed to better support this development environment. With the advent of the new framework, the payment industry will see more consistency in how software is evaluated for security. To help organizations comply with the PCI Software Security Standards, we offer our own solution: our flagship policy-to-procedure platform, SD Elements.
Using our policy-to-procedure platform, SD Elements, helps with: