New PCI Software Security Framework Published

The PCI Security Standards Council published its new Software Security framework on Wednesday January 16^th, 2019. The council has stated that the existing standards will be officially retired in 2022.

What is the new Software Security Framework?

There are two parts to the new framework. The first part is the PCI Secure Software Standard. This standard outlines requirements and procedures to follow to ensure applications are protecting payment transactions and data properly. The second part is the PCI Secure Lifecycle Standard.  This standard outlines requirements and procedures for vendors to validate how they are managing the security of payment applications throughout the software’s lifecycle.

Why is this change being implemented?

As software development practices evolve, so must the standards that we use to assess the security of these development practices. This new PCI Software Security Framework provides fresh, new ways of validating software, as opposed to the current methods being used in the PA-DSS today.

What does that mean for us?

Current PA-DSS validated payment applications will still be considered compliant until the current standard is retired in 2022. After the retirement of the old standard, all payment applications must abide by the new Software Security Framework. It will include a validation program for software vendors and their products, as well as a qualification program for assessors to examine those products. According to the council, more information about the actual assessment of the new standard will be released later in 2019.

How can I stay ahead of the curve on this new standard?

The best way to be prepared for this new framework is to be proactive.  Review and update your current Software Development Life Cycle (SDLC) to fold in secure coding techniques. I would suggest implementing these secure coding methods into your process now, rather than later.  These should include the OWASP Top 10 and SANS Top 25. Implementing these practices is a step in the right direction when it comes to software development and abiding by this new standard. Reach out to a QSA company such as Compass IT Compliance for further guidance on this new framework.