The PCI Council Unveils Its New Software Security Standards

The PCI Security Standards Council on Wednesday published its new software security standards and said the existing standard will be retired in 2022.

The new set of requirements actually has two major components—The PCI Secure Software Standard and the PCI Secure Lifecycle Standard—and is under the umbrella of what the Wakefield, Mass.-based PCI Council calls its new Software Security Framework. The Council has been working on updating software security for more than a year, and indicated last month that new standards would be published in early 2019.

“Innovation in payments is moving at an incredible pace,” PCI Council chief technology officer Troy Leach said in a news release. “The new PCI Secure Software Standard and PCI Secure SLC Standard support this evolution in payment-software practices by providing a dynamic way for developers to demonstrate their software protects payment data for the next generation of applications.”

The Secure Software Standard outlines security requirements and assessment procedures to assure that applications adequately protect the integrity and confidentiality of payment transactions and data, according to the release. The Secure SLC Standard outlines security requirements and assessment procedures for vendors to validate how they manage the security of payment applications throughout the entire software lifecycle.

In addition to the rules spelled out in the two new standards, the Software Security Framework will include a validation program for software vendors and their products, and a qualification program for assessors who examine the products for compliance with PCI standards. Those programs will get underway later in 2019.

The Council said it developed the new standards with input from software developers, security assessors, and other payments-industry organizations.

“We recognize that there is no ‘one size fits all’ approach to secure software,” Leach said in a blog post. “This new framework provides an ability for software providers to embrace these new capabilities and environments. Correspondingly, it gives security assessors additional ways to effectively test the security of the application. Most importantly, it provides assurance to users of the software that as development practices evolve, the payment applications they rely upon will remain independently evaluated for security vulnerabilities.”

The Council, a creation the major general-purpose credit card networks, administers the main Payment Card Industry data-security standard and its affiliated standards, including the current Payment Application data-security standard (PA-DSS), which governs software that processes or touches payment card data. That standard will be retired in 2022. In the meantime “there will be a gradual transition period for organizations with investments in PA-DSS,” the release says.

“We recognize that there is no ‘one sizes fits all’ approach to secure software,” says the PCI Council’s Leach.