The PCI SSC’s new software security standards – what you need to know

On 16 January, the PCI SSC (Payment Card Industry Security Standards Council) published the PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) as part of a new PCI Software Security Framework designed to ensure secure design, development and maintenance of modern payment software.

Both of these standards are intended for use by software providers, and they expand the scope of the existing PA-DSS (Payment Application Data Security Standard) to address overall security and resilience of payment software.

The two standards in brief

The PCI SSC describes them as such:

The Secure Software Standard outlines security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data.

The Secure SLC Standard outlines security requirements and assessment procedures for software vendors to validate how they properly manage the security of payment software throughout the entire software lifecycle.

Troy Leach, chief technology officer at the PCI SSC, said:

Innovation in payments is moving at an incredible pace. Each advancement provides the industry the opportunity to develop applications more quickly and efficiently than before and to design software for new platforms for payment acceptance. The new PCI Secure Software Standard and PCI Secure SLC Standard support this evolution in payment software practices by providing a dynamic way for developers to demonstrate their software protects payment data for the next generation of applications.

A gradual implementation

Although the standards have been published, implementation is going to be gradual – in fact, the qualification programme for assessors and the validation programme for software vendors and their products aren’t set to be released until later this year. That said, the PCI SSC has stated that these standards will replace the current PA-DSS in 2022 and, at that point, payment applications will be assessed under the PCI Software Security Framework.

In the interim, all current payment applications will continue to be governed under the PA-DSS programme until the expiry date for those applications is reached. The PCI SSC has confirmed that new PA-DSS submissions will no longer be accepted from mid-2020, and that all PA-DSS validated payment applications will be moved to the “Acceptable Only for Pre-Existing Deployments” list in 2022 before the PA-DSS programme is retired.

Make sure you’re taking payment security seriously

The PCI SSC is the governing organisation responsible for the development, management and awareness of all PCI security standards, including the PCI DSS (Payment Card Industry Data Security Standard) which exists to decrease payment card fraud across the internet and increase payment card security.

IT Governance offers a range of support services to help organisations comply with the requirements of the PCI SSC. Visit our website to find out how we can help you.