How You Can Comply with The New PCI Software Security Framework

On January 16th, 2019, the Payment Card Industry Security Standards Council (PCI SSC) announced the release of a new set of PCI Software Security Standards. These new standards treat software security as a critical need, mandating that payment software be secure by design. This means that security protections must be embedded into software early in the software development lifecycle, to preserve the integrity of payment transactions and the confidentiality of sensitive data. The new framework is presented in two documents, and here we’ll flesh out what each document covers, the impact of the standards, and how Security Compass can support your compliance.

The New PCI Software Security Standards

• Secure Software Standard: A rigorous standard that relies on in-depth security testing techniques to validate whether a software release is compliant.

• Secure Software Lifecycle (Secure SLC) Standard: An optional standard that assesses security throughout the software development and operations lifecycle. By complying with the Secure SLC requirements, organizations can forgo the need to have each release assessed by a qualified assessor, enabling better modern agile and continuous delivery software practices.

Mid-year 2019, the PCI SSC expects to release the third component in the software security framework, called the ‘Validation Program.’ This is a program for software vendors to validate how they properly manage the security of payment software throughout the entire software lifecycle.

Who Will the New Standards Affect?

Initially, the new standards will affect vendors or providers of Payment Applications (PA), rather than those companies that procure and deploy PA for their e-commerce needs. Payment processor companies have historically been subject to compliance with the Payment Application Data Security Standard (PA-DSS), and the new standards are an extension of this, being more prescriptive about how the software is secured. Anyone who participates in the credit card ecosystem, including merchants, should take note of these changes.

How Will These Individuals Be Impacted?

The new standards put a stronger focus on implementing a secure software development process for Payment Applications. PA providers will be obliged to drastically improve their application security programs in order to comply. In the future, other payment ecosystem participants may also be required to comply. The Software Security Standards are objective-based, thus offering vendors flexibility in how they go about complying with each specific objective.

How Security Compass Supports Your Compliance with the New Standards

Security Compass, a leader in helping enterprises with their secure development practices, has announced support for the new PCI Software Security Standards. Our COO, Rohit Sethi, participated in the formation of these new standards alongside stakeholders from other organizations in the payments industry. Since we’ve participated in the making of the standard, we were able to derive our own solution for compliance. We’re also in the process of developing more software and eLearning content to offer an even more comprehensive solution for compliance.

1. Policy-to-Execution Platform, SD Elements

The new standards require the implementation of secure development practices, which involves manual activities that slow down business. SD Elements is the most comprehensive software solution for compliance with the PCI Software Security Standards’ software development standards. It helps enterprises by automating the secure development process, from beginning to end. SD Elements offers automated threat modeling and requirements generation, which integrate with automated security testing tools, satisfying the traceability requirement in the Secure SLC standard. Its extensive reporting capabilities, including the verification of controls, allow for a clear demonstration of compliance in the event of an audit.

2. Just-in-Time Training (JITT) and eLearning

Our unique market offering, Just-in-Time Training (JITT), provides secure coding guidance for developers, delivering task-specific instructions at the point of need. We also have a new PCI course coming in 2019, which instructs on how to comply with the new standards, introducing new course content and leveraging our existing content on threat modeling, application security, and more.

3. Implementation Services

We offer a proven implementation methodology to ensure the successful adoption of our software. Working together with your team, we help develop processes and integrate tools, so that you can meet the new PCI compliance standards in a cost-effective manner.

4. Verification Services

Our verification services help to identify vulnerabilities, commensurate with the PCI Software Security Standard Control Objectives. We offer penetration testing, red teaming, vulnerability triaging for Static and Dynamic Application Security Testing tools, and can also help you prepare for a successful security requirement audit.

For a more detailed review of the new PCI Software Security Standards and information on how Security Compass’s solution addresses all Control Objectives, check out our brief PCI overview, access the full guide, or contact us at [email protected].