The PCI Security Standards Council (PCI SSC) has released a new framework, the PCI Software Security Framework (SSF), to secure modern payment software. The framework is a collection of standards and programs built to secure the design and development of payment software. With the introduction of the SSF, the existing standard, PA-DSS (Payment Application Data Security Standard), will be phased out. In other words, the SSF replaces PA-DSS with modern requirements that support a wide range of payment software types, technologies, and development methodologies. It is a new approach that supports both existing and future payment software and extends beyond the limits of PA-DSS to address overall software security resiliency.
The PCI SSF Standards
The PCI Software Security Framework is based on two standards, namely the Secure Software Standard and Secure Software Lifecycle Standard.
Secure Software Standard
Validation of payment software against the Secure Software Standard (S3) assures that the software is designed to protect its own integrity and the confidentiality of the sensitive data it captures, stores, processes, and transmits. This standard typically applies to:
- Software products that are involved in, directly support, or facilitate payment transactions and that store, process, or transmit payment data.
- Software products developed by a vendor and sold commercially to multiple organizations.
Secure Software Lifecycle Standard
Validation of payment software against the Secure Software Lifecycle Standard assures that the vendor's software development lifecycle processes, procedures, and practices comply with the PCI Secure SLC Standard. This standard applies to:
- All vendors who develop payment software.
Purpose of Introducing the PCI Software Security Framework as a Replacement for PA-DSS
The PCI Software Security Framework is a blend of traditional and modern software security requirements. The new framework supports evolving technologies, software types, and development methodologies. It was designed and implemented to promote objective-oriented security practices that support both the traditional methods of good application security and the latest development practices. It is a framework introduced so that vendors can benefit from the best of both worlds and implement the measures that best secure their systems.
Transition from PA DSS to PCI SSF
For a smooth transition from PA-DSS to PCI SSF, the PCI Council will continue to support PA-DSS validated applications through the end of October 2022. It has clearly stated that existing PA-DSS validated applications will remain on the "List of Validated Payment Applications" until their expiry dates, with the assurance that users will not be affected. By the end of October 2022, the PCI Software Security Framework will replace PA-DSS and its listings. With this transition, payment applications will be validated against PCI SSF after the retirement of PA-DSS in 2022. The new framework gives software vendors flexibility and facilitates better alignment of secure application development with industry standards.
Benefits of PCI SSF Compliance
The Payment Card Industry Security Standards Council developed the new SSF to provide flexibility to software vendors and to align payment software development with industry best practices for security. Unlike PA-DSS, the SSF supports multiple security efforts and initiatives that focus on secure design and development. Here is how PCI SSF compliance benefits customers, vendors, and merchants in general:
- SSF Compliance facilitates a modular assessment architecture and approach, creating more flexibility.
- Adhering to the PCI Software Security Framework helps reduce the risk of penalties and the complications of a data breach.
- Compliance assures that appropriate security and protection mechanisms are in place to secure the cardholder data environment.
- It ensures that critical assets are protected and strengthens the implementation of access controls.
- It is an assurance that the organizations are meeting their legal obligations.
- It provides customers the confidence that the organization has put in efforts to secure the environment and protect their data.
- Compliance with the SSF means a risk management process and business continuity plans are in place.
- Compliance with the SSF ensures protection against emerging security threats and adaptation to changes in the applicable regulatory standards.
While the transition from PA-DSS to PCI SSF may seem challenging, in reality it will not disrupt your compliance efforts. In fact, PCI SSF gives software developers additional flexibility to incorporate payment application security in line with current industry-accepted practices. Moreover, as mentioned earlier, to make the transition hassle-free for stakeholders, the PA-DSS and SSF programs will run in parallel, with the PA-DSS program continuing to operate as it does until its date of expiry. Having said that, we personally feel that the decision to introduce a new framework is for the betterment of society and the benefit of customers and vendors. Hence, the introduction of PCI SSF should not be taken otherwise and should be received positively by all stakeholders.
Contributed by Narendra Sahoo, Director, VISTA InfoSec