The growing number of attacks targeting third-party developers’ payment applications, as well as the third-party applications into which the payments capabilities are integrated, is the impetus behind the PCI Security Standards Council’s decision to update the PCI Secure Software Lifecycle standard.
Introduced this month, PCI Secure SLC Standard v1.1 is intended to make it easier for third-party software developers to adhere to the Secure Software Lifecycle standard, especially when issuing application updates, by making sure they have the proper governance and assessment procedures in place throughout the development lifecycle. Once lifecycle security governance is in place, third-party software developers can more easily validate that their applications and updates are secure and will not disrupt merchants’ and processors’ payment data.
Assuring that updates are secure is a key component of Secure SLC Standard v1.1. Developers can issue software updates multiple times per year. Before the update to the standard, software updates had to be certified as in compliance with the standard, which slowed their release. Now, software developers need only demonstrate compliance with the standard annually, which will enable them to issue updates faster.
“We knew we needed an updated standard that provided more flexibility in creating lifecycle security controls around payment data within applications and enables developers to come to market faster with applications and updates even as security threats evolve,” says Troy Leach, senior vice president and engagement officer for the PCI Security Standards Council.
One particularly serious threat the refreshed standard can address is digital skimming, the so-called Magecart attacks. Digital skimming steals payment data at the source, as the consumer types it into a Web form or a mobile app. Merchants are often unaware of the attack, since the information was skimmed from the consumer’s computer or smartphone rather than from the merchant’s server.
“Attacks against payment data are becoming more sophisticated and harder to detect,” Leach says. “The updated standard puts an application through rigorous testing to assure users it is secure. Once that methodology is in place, over time it will become an easier and more robust way for developers to follow the standard.”
The PCI Secure SLC Standard v1.1 also addresses errata, adds minor clarifications, and aligns key terms and definitions across the standard and program documentation.
In a related move, the PCI Security Standards Council plans to retire its Payment Application Data Security Standard (PA-DSS) in October. PA-DSS dates back to 2008 and has undergone several updates. It was created to prevent payment applications developed for third parties from storing sensitive payment data, such as magnetic stripe data, card-verification values, and PINs. Because many third-party developers are contractually required to adhere to PA-DSS, those contracts will need to be changed to reflect compliance with SLC Standard v1.1, according to Leach.
“This update to our Secure SLC Standard and Program is a key step in promoting greater implementation by expanding eligibility to vendors that produce software and software components that may share resources within a payment environment,” Emma Sutcliffe, senior vice president and Standards Officer for the PCI Security Standards Council, said in a prepared statement.