One of the topics presented at the Payment Card Industry (PCI) Community Meeting this year in Vancouver was the Software Security Framework (SSF). The newly designed framework focuses specifically on the secure design and development of payment software. As defined by Jake Marcinko, Standards Manager at PCI Security Standards Council, the SSF is “a framework to standardize and consolidate software security requirements for different types of payments software under a single requirement architecture with supporting validation and listing programs and is the next evolution of PA-DSS”.
Introducing the Software Security Framework (SSF)
The SSF will eventually replace the current Payment Application Data Security Standard (PA-DSS). This article covers several aspects of the new SSF, including the perceived benefits, objectives, what it looks like at a macro level, and how it could affect both merchants and vendors.
The Payment Card Industry Security Standards Council (PCI SSC) created this new framework to provide additional flexibility for software vendors and to better align payment software development with industry standards, specifically around software security. As such, this framework allows for a wider pool of software vendors to offer PCI-validated payment software. It also can give merchants more confidence that the software added to their environment facilitates compliance with PCI DSS and adheres to a robust set of security controls.
The SSF will consist of two (2) standards; the Secure Software Standard and the Secure Software Lifecycle (Secure SLC). These two standards provide flexibility for software vendors to have a more efficient validation process. It also allows for the Secure SLC management process to be evaluated separately from the actual payment software product. The Framework will also include validation programs, supporting material such as reporting templates, and the compliant software listings themselves.
PCI SSF modules create more flexibility
The Software Security Framework includes benefits for both merchants and software vendors. For merchants, like PA-DSS, this framework is a way to easily identify software that has undergone a security validation and certification process and therefore provides some level of confidence to merchants. However, unlike PA-DSS, the SSF will support multiple security efforts and initiatives explicitly focused on secure design and development. For vendors, this framework allows for a broader lineup of payment platforms, as well as significantly more flexibility regarding change control to help support agile environments and DevOps teams. In other words, PA-DSS focuses on facilitating PCI DSS compliance. The new SSF addresses broader software security, not just PCI DSS compliance.
Perhaps the most significant and emphasized characteristic of this framework is the levels of flexibility it is intended to provide. Like the many changes in PCI DSS v.4.0, there will be an increased amount of objectiveness to the new framework. Many of the requirements are designed to facilitate certain outcomes, and if they achieve the intended outcome, it will the responsibility of the vendor and/or assessor to document and prove the objective has been met.
The Council designed the SSF to provide a modular assessment architecture and approach, creating more flexibility. The new approach means core security requirements will apply throughout the software, and those requirements can be assessed one time. Modules that address certain function-specific or platform-specific elements can then be assessed separately. To be fully compliant with the PCI SSF, the software must meet the core requirements and the applicable additional requirements within the relevant modules. Currently, one module has been created within the SSF to address Authentication, and others are expected to be added to the framework over time.
SLC process certification offers and lists of vendors
One of the most interesting changes to the new SSF approach is that with the creation of the SLC process certification option, it allows for a vendor that is SLC certified to self-attest for delta changes to its software without the need for re-validation by an assessor. Additionally, the new SSF allows for certification of different types of software that previously was not eligible for certification under PA-DSS. However, while the new SLC certification process is intended to offer additional certification options and flexibility, a software vendor does not have to achieve and demonstrate SLC certification in order to get a payment software Report of Validation completed.
As with the PA-DSS, there will be lists available for vendors and merchants to review validated solutions and to identify qualified PCI SSF assessors that can assist with compliance efforts. Those lists include:
· SSF Assessor Company List – provides a list of qualified organizations to perform assessments
· Validated Payment Software List – used by merchants, acquirers and other payment software users
· Secure SLC Qualified Vendor List – used by merchants, acquirers, and other payment software users to identify payment software assessed under the Secure SLC program
PA-DSS and SSF timeline
Finally, it is essential to understand the timeline of events to allow merchants and software vendors to plan accordingly. The PA-DSS v3.2 is set to expire at the end of October 2022. Once the PA-DSS is retired, it will be completely replaced by the SSF. Until then, both the PA-DSS and SSF programs run concurrently, and software vendors are encouraged to pursue early adoption and certification under the SSF framework. By using the new framework, vendors can avoid falling out of compliance when their PA-DSS certification expires. For existing environments, PA-DSS solutions can still be assessed until the expiration date of the application. At that time, they will be categorized as “Acceptable Only for Pre-Existing Deployment” status, although vendors will have the ability to submit changes to existing approved software until the listed expiration date. Lastly, submissions of new payment applications for PA-DSS validation will be accepted until 30 June 2021, and validation will expire at the end of October 2022. Like PA-DSS, validation for the new SSF will be good for three years, with annual attestation required.
Need help with your PCI compliance program? Have questions about PCI compliance? Contact us. We’re here to help.
- 2019 PCI Community Meeting Presentation provided by Jake Marcinko in Vancouver, Canada.
Content provided by LBMC security professional, Stewart Fey.