The Payment Card Industry Security Standards Council (PCI SSC) recently announced the new PCI Software Security Framework. The new set of standards aims to improve the security resiliency of applications that accept payments and use payment data in their ecosystems. Learn everything you need to know about the PCI Software Security Framework in this article.
What Is the PCI Software Security Framework?
The framework is a new set of standards for securing payment data against data breaches and fraud. There are standards for the secure design, development, and maintenance of modern payment solutions. The standard applies to payment software that is sold, distributed, or licensed to third parties for the purposes of supporting or facilitating payment transactions.
The updated PCI framework is partly a response to the fact that payment data breaches and credit card fraud are still commonplace in media headlines even though vendors must comply with existing standards. Up to 60 million US payment cards were compromised in the 12 months leading up to November 2018.
The framework also recognizes the evolution of modern software development practices. Since the launch of the original PA-DSS guidelines, practices such as Agile, DevOps, and continuous integration/delivery (CI/CD) have become widespread in development teams. These modern development practices facilitate faster and more frequent software deployments, which create a need for updated security standards.
The PCI SSC wants payment software vendors to embed security earlier into development cycles. The new standards also recognize the need to properly manage the security of payment software throughout the entire software lifecycle.
According to Troy Leach, the Chief Technology Officer at PCI SSC, the new framework “supports this evolution in payment software practices by providing a dynamic way for developers to demonstrate their software protects payment data for the next generation of applications.”
Steve Lipner, who helped develop the standards, was happy with how they emphasize “integrating security into the software development process, rather than attempting to assure security by after-the-fact testing.”
Two main standards under the new framework are:
- PCI Secure Software Standard (PCI SSS) — security requirements and assessment procedures for payment software to protect the integrity and confidentiality of payment data.
- PCI Secure Software Lifecycle Standard (PCI Secure SLC) — security requirements and assessment procedures for software vendors, to ensure they properly manage payment software security throughout the software lifecycle.
The PCI SSC listened to the opinions of hundreds of participants in the payment card industry to help create the new standards. These participants included software vendors and payment security experts.
2019 Updates and Implications
In a press release from January 2019, the PCI SSC announced the publication of the new requirements for the secure design and development of modern payment software. This new framework will replace the current PA-DSS global security standard, which was launched in April 2008. The PA-DSS standards will be retired in 2022 and replaced with the PCI Software Security Framework (PCI SSF) after a three-year transition period.
Continuous Testing and Monitoring
A big implication of the new framework is a focus on continuous application security. Vendors of payment software need to continuously test their application security controls and provide evidence of their strength. They also need to show evidence of continuous threat monitoring and adapting security defenses to changing conditions.
Interactive Application Security Testing (IAST) tools are accepted in the new framework. This powerful testing technology provides faster results than legacy static and dynamic testing tools. Using IAST tools can help achieve compliance with the new standards without much compromise in development speed.
Achieving Validation With New Standards
To prove compliance with the Secure Software Standard, a PCI-certified assessor company performs an evaluation of the vendor’s payment software. The assessment looks at all software security functions, features, and capabilities to see if they meet relevant requirements. A validation report is sent to the PCI SSC for review and the council adds the vendor to its list of validated payment software.
A similar procedure is in place for the PCI Secure SLC standard. The difference is that the assessor evaluates the vendor’s secure software lifecycle management practices. Validation to one of the two standards doesn’t imply validation to the other.
Open Source Implications
The Secure Software Standard states that the scope of its requirements extends to all payment software components and dependencies, including open-source libraries and services.
Additionally, the PCI Secure SLC Standard requires vendor evidence of the proper management of open source components. This management includes keeping an open source inventory, being able to find and remove vulnerable components, and having a proper patching strategy to apply updates to components swiftly.
The implication is that if payment software vendors want to achieve validation to either of these standards, they must show close attention to how they manage and use open source components.
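The three practices the Secure SLC Standard asks for here (an inventory of open source components, a way to find vulnerable ones, and a patching plan) can be automated against a pinned lockfile. The script below is an added illustration of that workflow, not PCI SSC code and not taken from any real tool; the lockfile, the advisory feed, the package names and the advisory identifiers are all constructed placeholders, and the advisory format (package, first affected version, first fixed version) is an assumption chosen for the example.

```python
"""Dependency inventory and vulnerable-component check (constructed example).

Demonstrates the open source management practice described in the article:
build an inventory from a pinned lockfile, match it against an advisory feed,
and derive the minimum versions to patch to. Not PCI SSC code; every package
name, version and advisory id below is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed lockfile content in pip-style "name==version" form.
LOCKFILE = """\
# requirements.lock (constructed sample)
card-tokenizer==2.3.1
http-client==1.9.0
json-schema-validator==0.4.2
crypto-utils==3.0.0
"""

# Constructed advisory feed: package -> list of (advisory id, first affected,
# first fixed). Ranges are half-open: introduced <= version < fixed.
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "http-client": [("ADV-PLACEHOLDER-001", "1.0.0", "1.9.3")],
    "json-schema-validator": [("ADV-PLACEHOLDER-002", "0.0.0", "0.5.0")],
    # Fixed before the pinned 3.0.0, so this one must not be reported.
    "crypto-utils": [("ADV-PLACEHOLDER-003", "2.0.0", "2.4.1")],
}

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.9.0' into (1, 9, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_lockfile(text: str) -> Dict[str, str]:
    """Build the component inventory from a pinned lockfile, skipping comments and blanks.

    An unpinned entry is rejected: without an exact version there is nothing to
    compare against an advisory, so the inventory would be incomplete.
    """
    inventory: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency, cannot inventory: {line!r}")
        name, version = line.split("==", 1)
        inventory[name.strip().lower()] = version.strip()
    return inventory


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    advisory: str
    fixed_in: str


def find_vulnerable(inventory: Dict[str, str],
                    advisories: Dict[str, List[Tuple[str, str, str]]]) -> List[Finding]:
    """Report every inventory entry whose pinned version falls inside an advisory range."""
    findings: List[Finding] = []
    for package, installed in sorted(inventory.items()):
        pinned = parse_version(installed)
        for adv_id, introduced, fixed in advisories.get(package, []):
            if parse_version(introduced) <= pinned < parse_version(fixed):
                findings.append(Finding(package, installed, adv_id, fixed))
    return findings


def patch_plan(findings: List[Finding]) -> Dict[str, str]:
    """Minimum version to pin each affected package to; the highest fix wins when
    several advisories apply to the same package."""
    plan: Dict[str, str] = {}
    for f in findings:
        current = plan.get(f.package)
        if current is None or parse_version(f.fixed_in) > parse_version(current):
            plan[f.package] = f.fixed_in
    return plan


if __name__ == "__main__":
    inv = parse_lockfile(LOCKFILE)
    print("inventory:", inv)
    found = find_vulnerable(inv, ADVISORIES)
    for f in found:
        print(f"{f.package}=={f.installed} affected by {f.advisory}, fixed in {f.fixed_in}")
    print("patch plan:", patch_plan(found))
```

Two details carry the weight here: versions are compared as integer tuples so that 1.10.0 correctly sorts above 1.9.3 (string comparison gets this wrong and silently misses affected components), and an unpinned dependency is treated as an inventory failure rather than skipped, since an assessor will ask for evidence that the inventory is complete.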
Big changes were clearly needed to improve payment software security, particularly in light of the number of high-profile breaches of credit card information and other payment details in recent times. The PCI framework comes with stricter requirements that will hopefully reduce such incidents without compromising development speed or agility.
The three-year transition period gives vendors a fair amount of time to adjust their processes and get in line with the new standards. However, compliance with any new regulation often comes with headaches, so it is advisable to begin implementing any necessary changes early.