In December 2004, the Payment Card Industry (PCI) Data Security Standard (PCI DSS) was launched to help regulate the software security of the global payment card industry. Any organization that handles sensitive payment card data must comply with these standards to ensure privacy and protect against data breaches and credit card fraud.
What Is the PCI Software Security Framework?
PCI DSS helps businesses form security governance policies that reduce the software vulnerabilities attackers can exploit to reach cardholder data. However, despite the implementation of PCI DSS, data breaches have continued to affect a number of industries and have even been increasing. Companies often fail to keep track of the sensitive data they store, allowing attackers to extract unencrypted data while it is processed, transmitted, or stored.
Although PCI standards have been around for years, they have not always managed to prevent major data breaches. For example, the Home Depot data breach exposed the information of 56 million credit cards, illustrating the need for additional security measures. A partial answer has come in the form of the updated PCI Software Security Framework.
The Current 2019 Updates and Their Implications
On January 16th, 2019, the PCI Security Standards Council (PCI SSC) announced new standards for designing and developing payment application software. This was the Council’s first major upgrade in over a decade. The new framework is intended to improve the security evaluation of payment ecosystems and to promote the creation of more secure software solutions.
The new standards build on the existing framework and require payment applications to be developed and maintained to protect all payment transactions and associated sensitive data. They define a stringent security process for vendors and developers. This involves continuously monitoring threats and defences and adapting to changing conditions.
The Secure Software Standard (S3) confirms the compliance of a software release candidate through in-depth security testing. Organizations must continuously test application security controls and demonstrate that they are effective. A qualified security assessor will review the evidence procured by the organization to confirm that it is accurate and complete.
The S3 addresses issues such as sensitive data protection, authentication and access control, secure default configuration, critical asset identification, and attack detection. It will replace the existing Payment Application Data Security Standard (PA DSS) by 2022, with a three-year transition period allowing organizations to adapt. While PA DSS addresses security issues affecting traditional payment software, S3 expands this to cover overall software security resiliency.
Aiming for a Secure Software Lifecycle
In addition to the S3, there is an optional Secure Software Lifecycle (Secure SLC) Standard, which outlines requirements to help assess security throughout the Software Development Lifecycle (SDLC). Secure SLC provides an option to avoid having to rely on a qualified assessor to validate each software release, allowing organizations to implement more agile and seamless software development practices. This standard may encourage more organizations to embed security earlier into the development lifecycle.
A third component of the software security framework, the Validation Program, is slated for release in mid-2019. It will allow software vendors to validate whether they have adequately managed their payment software security throughout the SDLC.
To comply with the new standards, companies will need to use more tools to mitigate security threats and take additional measures to ensure the integrity and confidentiality of payment data. The new standards will primarily affect Payment Application (PA) vendors and providers rather than the companies that use these PAs, but they are also relevant to anyone involved in the payment card ecosystem. PA providers may need to consult a payment facilitation expert to help implement the new standards.
A Look to the Future
Software security will continue to grow in importance as we transfer more of our sensitive data to payment applications. It has taken some time for regulations to catch up to the needs of various industries and consumers, but security standards have taken a great leap with the new PCI security framework, becoming significantly more stringent.
The transition to the new regulations will be gradual, so most industries won’t feel immediate pressure to comply. However, it is advisable to make a start on implementing the changes to your software security policy as soon as possible, as it takes time to adjust. This will help you ensure the security of your applications and safeguard the confidentiality and integrity of customer data.