The Payment Card Industry Software Security Framework (PCI SSF), introduced by the PCI SSC, is a relatively new framework that will go into effect in October 2022. The PCI SSF is a collection of standards and supporting programmes created to safeguard payment software. It was designed to replace the Payment Application Data Security Standard (PA-DSS) with more up-to-date requirements that support a wider range of payment software types, technologies, and development techniques. The framework gives software developers the freedom to combine payment application security with current industry-best SDLC practices and frequent update cycles.
The framework is made up of two standards: the Secure Software Lifecycle (Secure SLC) Standard and the Secure Software Standard. The eligibility requirements determine which standard applies. For a better understanding of the framework, the details of both standards are provided below.
What is a Secure Software Standard?
The PCI Secure Software Standard (PCI SSS) is a set of requirements that payment software vendors must comply with in order for their software to be recognised by the PCI Security Standards Council as Validated Payment Software (also called Listed Payment Software). Validating the payment software provides assurance that the application was developed securely and in accordance with the best practices and standards available. The validation confirms that the payment software was built to safeguard both the software's integrity and the confidentiality of any sensitive data it stores, processes, or transmits.
Validation and listing are required for payment software created by a vendor that is intended to support or assist payment transactions by processing, transmitting, or storing payment data, and that is commercially available for sale to multiple organisations. The PCI SSC website maintains a list of all payment software that has been validated and listed.
What is the Secure Software Lifecycle standard?
The PCI Secure Software Lifecycle (Secure SLC) Standard was created to provide assurance about the security of a software vendor's software development processes, methodology, and practices. The vendor's ability to build secure payment software is demonstrated by assessing the organisation's software lifecycle management procedures against the Secure SLC Standard. By establishing a solid defence against attacks, this increases confidence that the payment software is secure enough to support all types of payment transactions while also lowering exposure to risk and vulnerabilities. Overall, the assessment under the Secure SLC Standard covers the vendor's SLC procedures and technology, together with the design, development, and maintenance of the payment software across the whole software lifecycle, and it is this assessment that establishes the level of assurance in the vendor's processes.
Difference between PCI Secure Software Standard (SSS) and PCI Secure Software Lifecycle (SLC)
Under the Payment Software Security Framework (PCI SSF), there are two distinct programmes: the Secure Software Standard (SSS) and the Secure Software Lifecycle (Secure SLC) Standard. The two programmes concentrate on different facets of software security verification. The PCI SSS evaluates the overall security of the software itself, whereas the Secure SLC verifies the security policies and procedures used in software design and development. As a result, a business may be validated against both: the Secure SLC Standard for its software development process and the Secure Software Standard for any payment software it creates. Only software vendors that create payment software which is sold, distributed, or licensed to third parties are subject to the PCI SSS.
This could include payment software that is installed on customers' systems or that is intended for their use, regardless of how the software is delivered. In contrast, the PCI Secure SLC Standard is applicable to any software vendor that wants to verify and demonstrate the security of its payment software development practices. Software vendors should be aware that if they have already been validated against the SSS, they do not necessarily need to be validated against the Secure SLC Standard. Secure SLC validation, however, can make it simpler to maintain the validation of the payment software when modifications are made to it.