PCI Software Security Framework: the end of PA-DSS?


A recent press release from the PCI SSC announced two new validation programs for payment software vendors and products. The new programs seem to overlap with the current PA-DSS program, so what exactly are they?

The quick answer is that the new programs will replace PA-DSS; however, the existing standard will remain “open” until October 2022.

The PCI SSC supports what it calls the “PCI Software Security Framework”, a collection of standards and programs for the secure design, development and maintenance of existing and future payment software.

The new framework represents a different approach to secure design and development of payment software. It includes elements of the PA-DSS and it extends beyond the existing standard to address overall software security resiliency.

Whilst PA-DSS specifically addressed payment applications used in a PCI DSS environment, the PCI Software Security Framework is designed to apply to a wider range of payment software types and technologies.

Documentation for the two new programs is now available on the PCI SSC website.

Secure SLC Program

In a nutshell, this first program is designed to validate that the software vendor has mature software lifecycle management practices in place. This would include designing and developing software to protect transactions and data, minimising vulnerabilities and defending against attacks.

Validation against this new standard will allow software vendors to be recognised and listed on the PCI SSC “List of Secure SLC Qualified Vendors”.

One interesting difference from PA-DSS here is that Secure SLC Qualified Vendors will be able to provide self-attestations for delta changes to any of their products that are listed as “Validated Payment Software” under the second program, the “Secure Software Program”.

Secure Software Program

This second program is designed to validate specific software products against a set of requirements for the protection of transactions and data, the minimisation of vulnerabilities and defending against attacks.

This program is the direct replacement for PA-DSS and the future list of “Validated Payment Software” will eventually replace the current list of PA-DSS Validated Payment Applications.

Next steps?

The PCI SSC announced that the PA-DSS program will be retired in October 2022. Until then, the list of PA-DSS Validated Payment Applications will still be maintained, existing validation expiration dates will be honoured, and new PA-DSS submissions will be accepted until June 2021.

After that, software vendors will have to use the new framework and associated programs.

What if I need help with my current PA-DSS application?

As you probably noticed, 247 CyberLabs is currently registered as a PCI QSA and a Payment Application Qualified Security Assessor (PA-QSA) on the PCI SSC list of assessors.

Whilst documentation about the new standards is now available from the PCI SSC, the new training and qualifications for assessors are not available just yet. The PCI SSC confirmed that this training and qualification process will be available in early 2020, first for PA-QSAs and QSAs, and then for new assessors. From then on, vendors will be able to begin the validation process for their software lifecycle practices and payment software.

Feel free to get in touch with the team should you need any additional information about the new programs; we’ve been both QSAs and PA-QSAs for the past 10 years and should be in a very good position to help with the transition to the new programs.
