A Guide to the New PCI Software Security Framework

Since its formation in 2006, the PCI Security Standards Council (SSC) has greatly evolved. Currently, the PCI SSC manages 12 standards, including the PCI Data Security Standard (DSS), which was unprecedented in its purpose: to protect against sophisticated forms of fraud in the burgeoning e-commerce industry. Since the council's formation, a number of new technologies have emerged, significantly changing the payment solutions and payment data security industries. To keep up with these new payment technologies, the PCI SSC regularly updates its security programs and standards.

On January 16th, 2019, the PCI SSC released 2 new PCI Software Security Standards as part of the new PCI Software Security Framework. The PCI SSC developed the new Software Security Standards by forming a Task Force of industry experts representing Security Compass, Microsoft, and other organizations.

The framework represents an effort to create a higher caliber of software security in the payments ecosystem, now supporting validation programs for software products and qualification programs for software vendors. Nearly all other information security standards that have preceded the PCI Software Security Standards have been higher-level and, hence, less focused on particular software security details. The release of the new standards is therefore much needed. Few companies today describe themselves as being sufficiently mature to adhere to a secure software development lifecycle (SDLC) framework, and other industries with mission-critical applications, like nuclear and IoT, may go on to be dangerously liberal with their software security.

The following guide offers a comprehensive overview of the standards in the new PCI Software Security Framework. We review the new standards and offer our own software security solution for compliance. We also discuss our future plans for helping organizations fully align with the new PCI Software Security Standards.