Oversight of payment-processing software will change under detailed plans announced by the PCI Security Standards Council. In related news, the EMVCo standards body announced an update to its 3-D Secure standard for protecting card-not-present transactions.
In a Friday blog post, the PCI Council said its pending PCI Secure Software Standard and PCI Secure Software Lifecycle (Secure SLC) Standard will be published next month. Both standards are intended for use by software vendors and are part of what the Council calls its multi-standard PCI Software Security Framework.
The framework eventually will succeed the Payment Application data-security standard (PA-DSS), the current set of rules for software involved in processing general-purpose credit and debit card transactions. The Wakefield, Mass.-based PCI Council oversees the main Payment Card Industry data-security standard (PCI-DSS) and several related standards, including the PA-DSS.
“The Secure Software Standard outlines security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data,” a PCI Council spokesperson said in the blog post. “The Secure SLC Standard outlines security requirements and assessment procedures for software vendors to validate how they properly manage the security of payment software throughout the entire software lifecycle.”
The new framework includes a validation program for software vendors and their products, and a qualification program for assessors who vet applications for compliance with PCI Council requirements. This will include new listings on the council’s Web site for vendors with validated software-development lifecycle processes, validated payment software, and assessors for both new standards. The post says the Council expects the validation programs to be available next year.
The existing PA-DSS will be incorporated into the new framework, and a “gradual transition” away from it will begin, the post says. Applications already validated will continue to be governed under the PA-DSS program until their listings expire (2022 for applications validated under PA-DSS version 3.2).
The PCI Council has been signaling for more than a year that new software standards were coming. Chief technology officer Troy Leach said in an October blog post that the new framework would create a better approval and oversight process than the current one.
“The framework provides developers of payment applications better support for modern software-development techniques, while ensuring greater transparency into the security capabilities of payment software and payment software vendors,” Leach said. “In turn, this should provide the overall payment industry with more consistency in how software can be assessed for security and result in a broader range of secure payment solutions.”
Meanwhile, EMVCo on Friday announced the availability of version 2.2 of its 3-D Secure standard for protecting card-not-present transactions. The update adds two features covering additional authentication scenarios, including authentication of mail-order/telephone-order transactions: one lets a merchant initiate a transaction even when the cardholder is not online, and the other provides for decoupled cardholder authentication, in which the cardholder is authenticated outside the merchant’s checkout flow. The update also improves access by merchants and card issuers to certain exemptions available under the Second Payment Services Directive (PSD2), a major regulation governing payments in the European Union, EMVCo said.
The new update and its immediate predecessor, version 2.1, are built on version 2.0. That version represented a major upgrade from the long-standing version 1.0 of 3-D Secure that had received a cold reception from merchants because it took online shoppers away from their sites for checkout, a process merchants said resulted in reduced sales.
Both the PCI Council and EMVCo are standards bodies created by the major general-purpose card networks.