The PCI Security Standards Council says its new Terminal Software Module, which is part of version 1.1 of the PCI Secure Software Standard introduced last week, offers a more flexible approach to testing the security and integrity of payment software. The Terminal Software Module is the third module to be incorporated into the PCI Secure Software Standard’s modular requirements architecture. Modules are groups of requirements that address specific use cases.
“One primary function [of the Terminal Software Module] is that we want to confirm that the software does not adversely impact the protection mechanisms built into the [point-of-interaction] device or circumvent any protections provided to the confidentiality of account data,” Troy Leach, a senior vice president at PCI Security Standards Council, says by email. “This module builds from existing core software security expectations for design, documentation, etc., with the additional consideration for attack methods that may be used specifically against terminal environments.”
One way the Terminal Software Module can be applied is to validate terminals listed as a PCI PIN Transaction Security device that may rely on third-party software.
“Terminals such as those listed as a PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) validated device may rely on third-party software that a vendor may wish to have independently tested and recognized for use in specific merchant environments,” Leach says. “Merchants and their acquiring partners have a public record that the software has been validated by a security subject-matter expert for use within that terminal environment.”
The modular nature of the Secure Software Standard allows for broader inclusion to accommodate various software-management approaches and support a larger set of payment-software architectures, functions, and software development methodologies, according to the Council.
The two existing modules in the PCI Secure Software Standard are the core module, which includes general security requirements applicable to all payment software, and the Account Data Protection module, which includes additional security requirements for payment software that stores, processes, or transmits clear-text account data, says Leach. PCI SSC expects to introduce additional modules in the future.
In regard to how the Terminal Software Module and the other modules build upon the Secure Software Lifecycle Standard and Program announced earlier this year, Leach says: “The methodology for use with the SSLC program provides for iterations of the software to be recognized and listed by software vendors that attest and demonstrate adherence to ongoing software security management.”