PCI DSS Software Security Framework
Source: pcisecuritystandards.org
Introduction:
Last year the PCI Security Standards Council (PCI SSC) introduced a new framework for certifying payment applications, which will run alongside PA-DSS until 2022.
The PCI Software Security Framework (SSF) introduces software security practices that vendors must follow to demonstrate sound application security, and it supports newer and evolving platforms and development methods.
SSF outlines security requirements and assessment procedures to help ensure that payment software adequately protects the integrity and confidentiality of payment transactions and data.
SSF differs from PA-DSS in that it expands the scope of software security resilience. The framework provides a new methodology and approach for validating software security, plus a separate Secure SLC qualification for vendors with robust security design and development practices. This ensures that security practices are followed at every stage, especially during design and development.
Within the Software Security Framework there are two types of standards:
1. Secure SLC Standard:
- Security of the software lifecycle, covering:
- Payment software vendors
- Secure SLC processes, technology and personnel
- Design, development, deployment, and maintenance
Validation against the Secure SLC Standard demonstrates that the software vendor has mature and secure software lifecycle management practices in place.
2. Secure Software Standard:
- Security of payment software, covering software that:
- Supports or facilitates payment transactions
- Stores, processes, or transmits clear-text account data, and
- Is sold as a commercially available product
- Core requirements plus additional modules
The Secure Software Standard defines a set of security requirements, and associated test procedures, to help ensure that payment software adequately protects the integrity and confidentiality of payment transactions and data.