PCI Council Releases New Secure Software Development Standards

For many years the PCI Council has "measured" the security of software that processes payment transactions against the PA-DSS, the Payment Application Data Security Standard.

The PA-DSS only assessed the finished application, which amounts to bolting security on after the fact.

This month the PCI Council announced plans to phase out the PA-DSS and replace it with the PCI Software Security Framework, which is made up of the Secure Software Standard and the Secure Software Lifecycle (Secure SLC) Standard.

Obviously, they have been listening to me rant over the years about creating a secure software development lifecycle or SSDL.

Probably not, but I can dream.

The idea is that you can't add security at the end (when you test the finished product against the PA-DSS); you have to design it in from the beginning.

The framework starts with security governance and goes on to cover secure software engineering, secure software and data management, and security communications.

Technically, the framework only applies to software that is commercially released, the same software that under the old model would have been validated against the PA-DSS.

BUT, and even they say this (and if they did not, I would say it for them), it should be used by anyone developing payment applications internally. That includes applications that collect and process card data, applications that frame in a third-party payment processor's page, and applications that capture the data and immediately hand it off to a processor.

While this is a work in progress that will be rolled out this year, for teams that need to develop secure software and don't already have a methodology, it is a good place to start.

The PCI Council says that the PA-DSS will be retired over the next couple of years.

Because this is a new program, it comes with new assessment procedures, and companies can borrow from those procedures for their own quality assurance processes.

The standards are available on the PCI Council web site.