PCI SSC Publishes New Software Security Framework
REGIONS: US, AP, Canada, CEMEA, LAC, Europe
17 JAN 2019
To facilitate secure, reliable and accurate payments, the systems and software used as part of the transaction flow must be designed, developed and maintained in a manner that protects the integrity of payment transactions and the confidentiality of all sensitive data that they store, process or transmit.
The Payment Card Industry Security Standards Council (PCI SSC) has published the new Software Security Framework in order to provide software vendors with updated security requirements and assessment procedures for payment software.
In this initial publication, the Software Security Framework includes two standards:
- The Secure Software Standard, intended for software vendors that develop payment software that is sold, distributed or licensed to third parties, outlines security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data.
- The Secure Software Lifecycle (Secure SLC) Standard outlines security requirements and assessment procedures for software vendors to validate how they properly manage the security of payment software throughout the software lifecycle.
Both standards are designed for use as part of the PCI Software Security Framework and are intended for software vendors that develop software for the payments industry. Software vendors wishing to validate payment software under the PCI Software Security Framework should use the PCI Secure Software Standard. In addition, software vendors may opt to validate their Secure SLC practices for that payment software using the PCI Secure SLC Standard.
Transition from the Payment Application Data Security Standard
While the PCI Software Security Standards include elements of the Payment Application Data Security Standard (PA-DSS), the standards represent a new approach for securely designing and developing both existing and future payment applications. The overarching PCI Software Security Framework is designed to support a broader array of payment software types, technologies and development methodologies currently in use and also to support future technologies and use cases.
Visa clients, as well as their agents and merchants, must use only secure, validated payment applications that do not retain prohibited data elements. While the PA-DSS and the Software Security Framework are intended for payment software that is sold, distributed or licensed to third parties, payment software that is developed in-house or customized for a single customer can also benefit when the requirements are applied as a best practice.