PCI Software Security Framework: The Beginning.
The Payment Card Industry Security Standards Council (PCI SSC) released a new security framework for software vendors that develop payment applications. This new framework will be replacing the current guidelines of the PCI Payment Application Data Security Standard (PCI PA-DSS) which will be retired in the coming years. The  PCI SSF  standards now cover two separate standards namely:
- PCI Secure Software Standard (PCI SSS)
- PCI Secure Software Lifecycle Standard (PCI Secure SLC).
PCI SSF and Open Source
Software products have been using open source components over a while now, in their development process. This practice has also paved a way for malicious players to hack their way into the systems in case the open source components aren’t secure enough. Hence, its necessary to maintain and manage to ensure the security of open source components as equal as that of the proprietary software
The new SLC guidelines emphasize on securing the integrity of the code and hence have included them in the requirements. Previously, the  PCI DSS guideline 6.1 - 6.5  focused more on responding to security vulnerabilities post their discoveries. The guidelines emphasize the responsibility to patch up the vulnerabilities within a month post discovery.
As per the  3.2b in the new PCI Secure SLC  document, the guideline states that :
Where open source software components are utilized as part of the software, the assessor shall examine vendor evidence, including process documentation and assessment results to confirm these components are managed as follows:
- An inventory of open source components used in the software is maintained
- A mature process exists to analyze and mitigate the use of open source components with known vulnerabilities.
- The vendor monitors vulnerabilities in open source components throughout their use or inclusion in the vendor’s software to determine when new vulnerabilities are identified.
An appropriate patching strategy for the open source components is defined.
The new guideline under PCI Secure SLC encourages the vendors to track components they are using and block with the vulnerabilities from the product. The approach ensures that the risks are eliminated before vulnerabilities are shipped to the product.
The vendors would require to convert their open source usage management with Software Composition Analysis (SCA) solutions like Software Composition Analysis (SCA) that can integrate into the SDLC and automate open source components approval processes, initiate damage processes automatically, trigger real-time alerts, and generate on-demand reports along with other features.
Hence, including open source components will now require more stringent policies and security checks.
Will Compliance with the new PCI Software Security Standards be smooth in the future?
Measures have already been taken by the PCI SSC as getting compliance with the necessary regulations is a painful process. The PCI team has taken due effort in making the transition process smooth for vendors planning the implementation and timeline accordingly.
As a PCI QSA company, QRC would enable customers to map out the dependencies in their applications and highlight the current vulnerabilities and testing against a comprehensive vulnerability.