Payment acceptance begins with confidence in the security of transmitting data. As technology advances and new platforms emerge, the security of the software that supports those transactions becomes increasingly critical to safeguarding payment information. Modern software development requires objective-focused security to support more nimble development and update cycles than traditional software development practices. This issue is of growing significance for merchants as more and more businesses rely less on hardware-based functionality and more on software-centric systems to accept payments.
The PCI Software Security Framework (SSF) standardizes and consolidates software security requirements for different types of payment software under a single requirements architecture with supporting validation and listing programs. There are two standards for the software development community that have been developed as part of this framework: a Secure Software Standard for payment software and a Secure Software Lifecycle (Secure SLC) Standard for payment software vendors.
In this blog, we interviewed PCI SSC Senior Vice President, Engagement Officer Troy Leach to introduce the PCI Software Security Framework, and specifically these two standards.
If you’re interested in learning more, RH-ISAC is hosting a Cyber Thursday webinar on April 30 that will explore the issue of software security – why software security is important and what merchants need to know about it with Rich Agostino, CISO of Target and a PCI SSC advisory board member; Troy Leach, senior vice president, engagement officer of the PCI Security Standards Council; Tom McAndrew, CEO of Coalfire; Andrew Valentine, managing director of cyber risk for Kroll Cyber Security; and Carlos Kizzee, vice president, intelligence, RH-ISAC, moderator. Register here
What is the PCI Secure Software Standard?
Troy Leach: PCI Council recognized the need to evolve how we validate software we rely on for safe payments. This is due to changes in software design practices, changes in third-party software dependencies and regularly evolving payment acceptance channels. The Secure Software Standard addresses this with new security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data. Key security principles addressed in the Secure Software Standard include critical asset identification, secure default configuration, sensitive data protection, authentication and access control, attack detection, and vendor security guidance. Overall, the goal of the Secure Software Standard is to protect the confidentiality and integrity of payment data and payment software, regardless of the way the software is designed or developed.
How will the PCI Secure Software Standard be used?
Troy Leach: The PCI Secure Software Standard is intended for payment software that is sold, distributed, or licensed to third parties for the purposes of supporting or facilitating payment transactions, but is not intended to be limited in use. We also encourage bespoke products that are developed in-house by large organizations to consider using these same practices. We’ve already heard from several merchants that have expressed interest in adopting these practices as a way for them to demonstrate integrity of their unique development practices to achieve some of the testing validation of Requirement 6 of the PCI DSS.
What is the PCI Secure Software Lifecycle (Secure SLC) Standard?
Troy Leach: One of the most important aspects of the PCI Software Security Framework, and a consistent issue highlighted in recent data compromises, is maintaining good application security as changes are introduced. The Secure SLC Standard helps achieve this by outlining security requirements and assessment procedures for software vendors to validate how they properly manage the security of payment software throughout the entire software lifecycle.
Key security principles addressed in the Secure SLC Standard include governance, threat identification, vulnerability detection and mitigation, security testing, change management, secure software updates, and stakeholder communications. This provides confidence to businesses using the payment application that their software vendor is providing ongoing assurance to the integrity of the software development and confidentiality of payment data as change occurs.
How will the PCI Secure SLC Standard be used?
Troy Leach: The PCI Secure SLC Standard is intended for software vendors that develop software for the payments industry. Validation against the Secure SLC Standard illustrates that a software vendor has robust secure software lifecycle management practices in place to ensure its payment software is designed and developed to protect payment transactions and data, minimize vulnerabilities, and defend against attacks. Achieving this validation demonstrates an understanding and commitment to those continuous changes throughout a payment software’s lifecycle. The goal is that vendors, who can prove the existence of these ongoing controls, can list updates to their software more quickly, demonstrating that revisions have gone through adequate testing.
How do the PCI Software Security Standards differ from the PCI Payment Application Data Security Standard (PA-DSS)?
Troy Leach: PA-DSS was originally designed for the secure development and management of traditional payment software to help merchants maintain PCI DSS compliance. The PCI Software Security Standards expand beyond this to address overall software security resiliency. The framework provides a more flexible methodology and approach to validating software security. Additionally, and what I’m most excited about, is a separate secure software lifecycle qualification for vendors with robust security design and development practices. The opportunity now exists to have a clear set of guidelines for third-party software vendors to achieve PCI DSS Requirement 6 on software design. That is why PA-DSS is transitioning to these two new standards. The efforts are not mutually exclusive but offer a progressive approach that allows for additional alternatives to demonstrating secure software practices.
How is the current COVID-19 pandemic impacting PCI SSC activity, including the timeline for converting to the Software Security Framework?
Troy Leach: PCI SSC is aware of the unprecedented situation caused by the spread of COVID-19. As circumstances evolve, questions have arisen surrounding a variety of issues, including the impact on assessments, trainings and our timelines. Currently, we anticipate Software Security Framework training to commence in the second quarter, however, we are actively monitoring developments and collaborating with our stakeholders and community to adjust as needed. The current climate is forcing more global organizations to a remote-work model. As organizations make this shift, it is important to maintain security practices to protect payment card data. Therefore, we’ve established guidance on working remotely and conducting remote assessments. I believe that the principles in the new requirements provide much-needed support for this remote-work environment.
For the latest information on our timelines and response, we’ve established a COVID-19 web page, which we encourage you to visit often.
Don’t forget to register for the RH-ISAC Cyber Thursday webinar on April 30 exploring software security as it relates to merchants with Rich Agostino, CISO of Target and a PCI SSC advisory board member; Troy Leach, senior vice president, engagement officer of the PCI Security Standards Council; Tom McAndrew, CEO of Coalfire; Andrew Valentine, managing director of cyber risk for Kroll Cyber Security; and Carlos Kizzee, vice president, intelligence, RH-ISAC, moderator Register here today!