PCI SSF: Council's New Standards for Software Security

Over the years, the payment card industry has seen an outburst of incidents in card data theft and security incidents. Reporting as such have become so common, that it has ceded to come as a surprise to the masses. While innovations in the payment solutions have grown rapidly in the recent years, concerns about the same have seen a similar fate. Adhering to this need, back in 2014, the PCI Council released a guidance document titled “Information Supplement: Best Practices for Maintaining PCI DSS Compliance”, that outlined guidance for preserving the PCI DSS Compliance.

PCI SSF: New Standards for Software Security

With growing software innovations and the growing software security incidents, the PCI Security council, adhering to this need, decided to form a framework defining guidance and regulations for secure software payment process (PCI SS) and secure software lifecycle development (PCI SLC) that catered to securing the entire software development lifecycle process

Earlier this year, the PCI Software Security Council, published two stated standards i.e.  PCI SSS  and  PCI SLC  as a part of new  PCI Software Security Framework (PCI SSF).  The new framework takes into account the multiple aspects of software development phases required for developing and maintenance of advanced paymentapplications.

The major components are stated as below, each of the components stands as a separate standard with two approach to software security:

i.  PCI Secure Software Standard v1.0  that defines the multiple security requirements and assessment procedures to ensure the integrity and confidentiality of payment transactions and data.

ii. PCI Secure SLC Standard (Secure SLC) v1.0that defines the security and assessment requirements for the software vendors to be followed and validated through the entire process of creating a payment software through its complete development life-cycle. This ensure that best practices in place in the development of the application.

A third component of the new standards, i.e. the  Validation Framework  is expected to be released in the mid-2019, and is speculated to include details for validation program for software vendors and qualification program for assessors.

Though the program for validation framework is optional, it will be highly encouraged as it puts the software vendor on the PCIL SSC’s list of SSLC Qualified Payment Software Vendors., The vendors qualified under this program can self-attest and perform delta assessments, reducing the QSAinvolvement.

Use of applications validated under PCI SSF standards, will not make an entity PCI DSS compliant or qualifies for compliance under any other PCI standard. Upon successful completion of validation under  PCI SLC,  the software vendors will be added to the List of SSLC-Qualified Payment Software Vendors on the PCI SSC website.­­­

When PA-DSS was developed, software development process followed a very traditional approach, this approach for the software development has significantly changed over the years due to availabilityof multiple development platforms and methodologies. Hence, it is vital to the development of payment solutions to follow a secure methodology and procedure to avoid any security fallout.

New PCI SSF standards, address to this need, by specifying secure key requirement of both the payment procedures as well as the entire application development lifecycle of the solution maintaining software resiliency, addressing robust security design and development practices. 

Transition from PA-DSS to PCI SSF

The council had stated that all the materials related to PCI SSF standards i.e. the program guide, the assessor qualification, reporting templates are scheduled to mid-2019.

A three-year adaptation period has been specified as per the validation program, and all the applications will continue to be governed under PA-DSS until its expiration in 2022. At the end of the expiration period, all the PA-DSS applications will be moved to a Pre-Existing Deployments list., and any further updates will need to be assessed under the PCI SSF framework.

Should Vendors Continue with PA-DSS or wait until PCI-SSF
Assessments under PCI SSF will only be initiated until mid-2019, hence application vendors are encouraged to continue to submit changes to currently validated applications via the PA-DSS program.  In case, vendors have already initiated assignments under PA DSS, the council encourages them to complete it under the same.

PCI SSF that will begin in Q3 2019 will have a three-year validation period, thus bringing up the expiry of PA-DSS almost the same time. Components of PA-DSS will then be adapted into PCI SSF in future development and updates in the standard.