For businesses using PA-DSS assessed applications, the time is near to start considering the new Software Security Framework from the PCI Security Standards Council, which will soon be mandatory. While the PCI Software Security Framework is separate and independent from PA-DSS, it includes elements from it. The approach of PA-DSS was to cover specifically payment software being used in a PCI DSS environment. The new PCI Software Security Framework extends beyond PCI environments and addresses overall software security resilience. The new framework is also designed to support a broader array of payment software types, technologies, and development methodologies in use today, as well as future technologies and use cases.
With the new framework coming out, a transition process has been created to help companies move from PA-DSS to the Software Security Framework. The transition process will begin in mid-2019 and will end in 2022 with the expiration of all software assessed under PA-DSS 3.2. At that point, all PA-DSS validated payment applications will be moved to the “Acceptable Only for Existing Deployments” list. New PA-DSS validations under 3.2 will be accepted until mid-2020, giving companies a choice going forward if there is not enough time to get ready for the new framework. For those wanting to start validating against the new framework, it is anticipated that assessors will begin performing assessments sometime in Q3 2019. New validations will be valid for three years before the software must be reassessed.
Like PA-DSS, any piece of software validated under the PCI Software Security Framework will be listed online for quick reference. Also like PA-DSS, this framework is intended to apply to any software vendor that develops software for the payments industry.
The PCI Software Security Framework breaks down into two pieces: the Secure Software Standard (SSS) and the Secure Software Lifecycle Standard (SSLC). The SSS defines a set of security requirements and associated test procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data. The SSLC defines a set of security requirements and associated test procedures for software vendors to validate that they properly manage the security of payment software throughout the software lifecycle. Companies may choose to add an SSLC validation to their SSS validation because an SSLC-validated vendor is able to perform and self-attest to its own software “delta” assessments (as part of validating its software products to the SSS) with reduced assessor involvement or oversight. More information on software delta assessments will be provided upon publication of the Software Security Framework Program materials, which are expected soon.
For additional information, please see the links below for the full PDF of the PCI Software Security Framework and related material. Although HALOCK is not a PA-QSA, our PCI QSAs provide guidance and support for all PCI related matters and are happy to help organizations understand the implications of PCI SSC standard changes such as these.
Authors: Kenneth Sheldon and Viviana Wesley, PCI QSA, ISO 27001