Last year, the PCI Security Standards Council published the PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) Standard as a part of a new PCI Software Security Framework (SSF), also referred to as PCI S3. The SSF offers objective-focused security best practices that outline what a good application security program looks like, with consideration for both traditional and modern payment platforms and evolving development practices. The framework was developed with input from industry experts within the PCI Software Security Task Force (SSTF) and PCI SSC stakeholders.
The new SSF recognizes that there is no one-size-fits-all approach to software security. Vendors need to determine which software security controls and features best serve their specific business needs. But the outlined security requirements and assessment procedures help vendors ensure that the right steps are taken to protect the integrity and confidentiality of payment transactions and customer data.
The Secure SLC Standard is an important part of the SSF because it helps organizations maintain good application security (AppSec) practices by outlining security requirements and assessment procedures for vendors to ensure that they are managing the security of their payment software throughout the software lifecycle. In order to meet the requirements of the Secure SLC Standard, and in-turn the SSF, vendors need to have AppSec as part of their development process before the first line of code until the product is released.
Previous AppSec requirements – like those laid out in the PCI Payment Application Data Security Standard (PA-DSS), a component of PCI Data Security Standard (PCI DSS) – only focused on software development and lifecycle management principles for security in traditional payment software. But modern payment software is faster and more iterative, so it needs AppSec to be integrated and automated throughout the entire development lifecycle. The new SSF regulations expanded to include the new methodology and approach for validating modern software security as well as a separate secure software lifecycle qualification framework for vendors, so the PA-DSS will be retired at the end of October 2022.
What does this mean for existing PA-DSS validated applications? Existing PA-DSS validated applications will remain on the List of Validated Payment Applications until their expiry dates. At the end of October 2022, PCI SSC will move PA-DSS validated payment applications to the “Acceptable Only for Pre-Existing Deployments” tab. Any new updates to PA-DSS validated payment applications must be assessed under the SSF.
A great way to start your journey to SFF compliance is by enrolling in Veracode Verified. Many of the requirements in Veracode Verified map to PCI requirements. Veracode Verified helps you improve your company’s secure software development practices and shows the maturity of your program through the completion of a three-tier process.
To learn more about the new PCI Software Security Framework, including additional details on migrating from PA-DSS to SSF, check out our recent blog post, The Migration From PA-DSS to SSF: Everything You Need to Know.