New PCI Regulations Indicate the Need for AppSec Throughout the SDLC

The PCI Security Standards Council (SSC) is a global organization that aims to protect payment transactions and consumer data by developing standards and services for payment software vendors that drive education, awareness, and implementation. Because payment software changes constantly, the SSC continually evolves and adapts its standards so that vulnerabilities, and the cyberattacks that exploit them, are minimized.

Last year, the PCI Security Standards Council published the PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) Standard as a part of a new PCI Software Security Framework (SSF), also referred to as PCI S3. The SSF offers objective-focused security best practices that outline what a good application security program looks like, with consideration for both traditional and modern payment platforms and evolving development practices. The framework was developed with input from industry experts within the PCI Software Security Task Force (SSTF) and PCI SSC stakeholders.

The new SSF recognizes that there is no one-size-fits-all approach to software security. Vendors need to determine which software security controls and features best serve their specific business needs. But the outlined security requirements and assessment procedures help vendors ensure that the right steps are taken to protect the integrity and confidentiality of payment transactions and customer data.

The Secure SLC Standard is an important part of the SSF because it helps organizations maintain good application security (AppSec) practices by outlining security requirements and assessment procedures for vendors to ensure that they are managing the security of their payment software throughout the software lifecycle. In order to meet the requirements of the Secure SLC Standard, and in turn the SSF, vendors need to have AppSec as part of their development process from before the first line of code is written until the product is released.

Previous AppSec requirements, like those laid out in the PCI Payment Application Data Security Standard (PA-DSS), a component of the PCI Data Security Standard (PCI DSS), only focused on software development and lifecycle management principles for security in traditional payment software. Modern payment software needs AppSec throughout the entire development lifecycle. Since the new SSF regulations are more expansive and include both a new methodology and approach for validating software security as well as a separate

What does this mean for existing PA-DSS validated applications? Existing PA-DSS validated applications will remain on the List of Validated Payment Applications until their expiry dates. At the end of October 2022, PCI SSC will move PA-DSS validated payment applications to the "Acceptable Only for Pre-Existing Deployments" tab. Any new updates to PA-DSS validated payment applications must be assessed under the SSF.

How Veracode Can Assist in Reaching PCI Compliance

The Veracode products map to a number of the regulation articles as shown in the table below.

Payment Card Industry Security Council Compliance Frameworks

PCI DSS

Article 6.5
Article Description: Address common coding vulnerabilities in software-development processes as follows:
  • Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
  • Develop applications based on secure coding guidelines.
Veracode Solution: Veracode Developer Training; Veracode Application Security Platform; Veracode IDE Scan

Article 11.3
Article Description: Implement a methodology for penetration testing that includes the following:
  • Is based on industry-accepted penetration testing approaches (for example, NIST SP 800-115).
  • Includes coverage for the entire CDE perimeter and critical systems.
  • Includes testing from both inside and outside the network.
  • Includes testing to validate any segmentation and scope-reduction controls.
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5.
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems.
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months.
  • Specifies retention of penetration testing results and remediation activities results.
Veracode Solution: Veracode Manual Penetration Testing

PCI Secure Software Standard Framework

Article 3.2
Article Description: Threats to the software and weaknesses within its design are continuously identified and assessed.
Veracode Solution: Veracode Application Security Platform; Veracode Static Analysis; Veracode Dynamic Analysis; Veracode Software Composition Analysis; Veracode IDE Scan

Article 4.1
Article Description: Existing and emerging software vulnerabilities are detected in a timely manner.
Veracode Solution: Veracode Verified Continuous; Veracode Application Security Platform; Veracode IDE Scan; Veracode Software Composition Analysis; Veracode Static Analysis; Veracode Dynamic Analysis

Article 4.2
Article Description: Newly discovered vulnerabilities are fixed in a timely manner. The reintroduction of similar or previously resolved vulnerabilities is prevented.
Veracode Solution: Veracode Developer Training; Veracode IDE Scan; Veracode Application Security Platform; Veracode Software Composition Analysis

Article [number garbled in source]
Article Description: All changes to software are identified, assessed, and approved.
Veracode Solution: Veracode Application Security Platform; Veracode Static Analysis; Veracode IDE Scan

Article 6.1
Article Description: The integrity of all software code, including third-party components, is maintained throughout the entire software lifecycle.
Veracode Solution: Veracode Dynamic Analysis; Veracode Software Composition Analysis; Veracode Static Analysis

A great way to start your journey to SSF compliance is by enrolling in Veracode Verified. Many of the requirements in Veracode Verified map to PCI requirements. Veracode Verified helps you improve your company's secure software development practices and shows the maturity of your program through the completion of a three-tier process.

To learn more about the new PCI Software Security Framework, including additional details on migrating from PA-DSS to SSF, check out our recent blog post, The Migration From PA-DSS to SSF: Everything You Need to Know.


*** This is a Security Bloggers Network syndicated blog from Application Security Research, News, and Education Blog authored by hgoslin@veracode.com (hgoslin). Read the original post at: https://www.veracode.com/blog/security-news/new-pci-regulations-indicate-need-appsec-throughout-sdlc