In January, the Payment Card Industry Security Standards Council (PCI SSC) released a new security framework for software vendors that develop payment applications. The new framework is replacing the current guidelines of the PCI Payment Application Data Security Standard (PCI PA-DSS) which will be retired in the coming years.

Before delving into the particulars of the new guidelines, it should be stated that the PCI Software Security Framework is relevant primarily to those vendors who develop applications for payment processing and sell them to others. While there are other rules that businesses who take payments will have to concern themselves with under the PCI-DSS guidelines, including the oft-cited requirement 6.5, these standards are directly relevant to the developers of the software.

Sorting through the new framework can feel like a lot to digest, but hopefully we can highlight the major points that matter to your company and help prepare your team for compliance.

Why Do We Need New PCI Guidelines?

The goal of the PCI Software Security Framework is to provide developers of payment applications with better security guidelines, while giving the companies that use payment applications better tools to assess the security of the software they rely on.

In many ways, this framework is similar in intent to the Payment Application Data Security Standard (PCI PA-DSS) that was first released in 2011. However, the PCI SSC felt that a fresh framework was needed to address new methods and practices adopted by software developers.

PCI’s CTO Troy Leach explains that, “Software development practices have evolved over time, and the new standards address these changes with an alternative approach for assessing software security.”

These practices include relying heavily on open source components and integrating security tools into the DevOps pipeline in order to speed up development and shorten time to market. Another change (Read more…)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Patricia Johnson. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/pci-software-security-framework-explained
