An Overview of the PCI Software Security Framework

An Overview of the PCI Software Security Framework

Since the formation of the PCI Security Standards Council (SSC) in 2006, it has evolved significantly. Now, its purpose is to advance the PIN Transaction Security Standard and the PCI Data Security Standard (DSS), which were previously managed by its founding members — Mastercard and Visa Inc., JCB International Credit Card Co. Ltd., Discover Financial Services and American Express Co. As the first of its kind, PCI DSS 1.0 was instituted to guard against sophisticated forms of fraud in the emerging e-commerce industry.

Currently, the PCI SSF manages 12 standards, in addition to certified solutions, online resources, and assessor programs driven by the body’s global participating organization founders and members at the board and committee levels. Since its beginnings, the PCI SSF has witnessed a number of innovative technologies in the payment solutions and payment data security industries. With the development of the PA-DSS (Payment Application Data Security Standard), there have been significant changes in the security of payment acceptance solutions.

The advent of AI and machine learning has also prompted the creation of dynamic security solutions — a welcome development in the payment industry. To keep pace with innovations in payment technology, the PCI DSS continues to update PCI security programs and standards.

It currently has several projects designed to provide greater flexibility to system installers and software developers, as well as to improve the accessibility of payment data security compliance for service providers and merchants.

Introducing the PCI SSF Framework

As part of its 2018 agenda, the PCI DSS raised the bar on payment data security by developing the PCI Software Security Framework. The SSF is a new set of standards that support certification listings and validation programs. This is considered a security improvement in the development and design of payment solutions. PCI’s SSF Software Security Taskforce, including members from Software Assurance Forum for Excellence in Code (SAFECode), Microsoft Corp., and us, Security Compass, is responsible for developing a Framework that is comprised of both Software Security Requirements and Secure Software Life Cycle Requirements. The former will eventually become a modular-type standard containing modules for various kinds of software.

The incorporation of PA-DSS (Payment Applications Data Security Standard)

The primary aim of the S3 Framework is to provide a way to secure payment applications that support existing and future innovations in payment applications and software practices. Since PA-DSS is focused on traditional payment applications, it will be integrated into the Software Security Standard (S3) Framework.

Once it is published, all validated PA-DSS applications will be transferred to the S3 Framework listing. Their validation expiration dates will also be honored. Additionally, development is underway for migration paths that will enable current Payment Applications QSA’s to become assessors under the S3 Framework. In the meantime, the PA-DSS programs and standards will continue to function as usual.

Shaping the Development of the Framework via Industry Feedback

The PCI SSC is taking a different development approach with the S3 Framework. It released a draft document of the Software Security Standard (S3) Framework and declared an RFC (Request for Comment) period for various PCI SSC stakeholders to send in their feedback.

The key driver for the RFC period is the significant impact that changes to the PA-DSS standard and program will have on various industry stakeholders. The PCI SSC called all PCI-Recognized Labs, Payment Application QSAs, and PCI SSC Participating Organizations (including strategic and affiliate members) to review the draft standard and send in their feedback during the RFC period.

The three documents contained in the draft are:

  1. S3 Framework Overview — A high-level overview of the S3 Framework and its validation program.
  2. Secure Software Life Cycle Requirements — Requirements stipulating the proper approach that payment software vendors can use to manage payment software during the entire software lifecycle.
  3. Software Security Requirements — Requirements for ensuring adequate protection of the confidentiality and integrity of payments data and transactions.

The first RFC period was from March through April, and over 220 pieces of feedback were received from stakeholders. After analysis of the feedback, the PCI SSC updated the framework document to include detailed test guidance and requirements to the Secure Software Life Cycle Standard.

Also, more details on the planned validation program, as well as a glossary of terms for the framework document, were added to the Software Security Standard Framework Overview. The second RFC period took place from the 31st of July to the 7th of September 2018. The PCI SSC is currently reviewing and analyzing these comments — with the hope of incorporating useful suggestions into the final draft of the Software Security (S3) documents.

The PCI SSC anticipates that the Software Security Standard Framework will be published by the end of the year, while the launching of the program is billed for 2019. However, the timing isn’t definite and is subject to change. The PCI SSC will continue to provide updates on the development process and publication timeline.

What Does This Mean to Me?

For payment application providers, you can expect an enhanced focus on software security and secure development practices. Other applications in the payment ecosystem should watch to see how the framework will be incorporated into other payments standards.

We also believe that PCI is setting the bar much higher than most other industry standards and frameworks. PCI will raise the standard for addressing the root cause of most vulnerabilities. It’s reasonable to question, now, whether standards and regulations in financial services, healthcare, critical infrastructure, automotive, aviation, and Internet of Things will follow.