PCI expands software security standards, framework

To stay ahead of the rapid development of payment applications, the Payment Card Industry Security Standards Council is making new software security standards and a validation program for vendors available later this year.

The secure software and lifecycle standards will be part of the new PCI Software Security Framework, including the validation program and a qualification program for assessors.

"Innovation in payments is moving at an incredible pace," Troy Leach, the PCI council's chief technology officer, said in a Wednesday press release. "Each advancement provides the industry the opportunity to develop applications more quickly and efficiently than before and to design software for new platforms for payment acceptance."

The new standards "support this evolution in payment software practices by providing a dynamic way for developers to demonstrate their software protects payment data for the next generation of applications," Leach added.

The software standards expand the scope of the Payment Application Data Security Standard (PA-DSS) for traditional payment software to address the overall security and resiliency of modern payment software. The new standards will replace the PA-DSS when it is retired in 2022.

The secure software standard outlines security requirements and assessment procedures to help ensure payment software protects the integrity and confidentiality of payment transactions and data. The lifecycle standard outlines requirements and procedures for software vendors to validate how they manage the security of payment software throughout its lifecycle.

"We recognize that there is no 'one size fits all' approach to secure software," Leach said. "This new framework provides an ability for software providers to embrace these new capabilities and environments."

The creation of the standards resulted from PCI software security task force input and comments from the council's participating organizations.

The software standard is intended for payment software that is sold, distributed or licensed to third parties for the purpose of supporting or facilitating payment transactions.

"We also encourage products that are developed in-house by large organizations to consider using these same practices," Leach said. "We've already heard from several merchants that have expressed interest in adopting these practices as a way to demonstrate integrity of their unique development practices."

Key aspects of the lifecycle standard include addressing governance, threat identification, vulnerability detection and mitigation, security testing, change management, secure software updates and stakeholder communications.
