PA-DSS to Software Security Framework: What You Need to Know

The Payment Application Data Security Standard (PA-DSS) developed by the Payment Card Industry Security Standards Council (PCI SSC) applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data. The list of various payment applications that are currently validated for software vendors is located on the PCI SSC Website.

Even though the PA-DSS program is coming to an end (PA-DSS submissions acceptance comes to an end mid-2020 and PA-DSS 3.2 listings expire in 2022), it doesn’t mean payment application security within the PCI DSS environment will suffer. PCI SSC announced the Software Security Framework release in Jan 2019. The new framework takes a unique approach to support both traditional and modern payment software, including cloud and mobile platforms. The framework was developed to allow for validation of both modern and traditional payment software and uses an “objective-based” approach to confirm applications security and development practices. The new framework requires granular review through evidence collection, observation, and interviews for the various control objectives defined within the two standards listed below, which have been released.

1. Secure Software Standard: This standard was designed to ensure that payment software protects the integrity and confidentiality of payment transactions and data. The intent of the Secure Software Standard is similar to PA-DSS, which confirms how the software protects payment data. The new Secure Software Standard offers a progressive approach providing additional alternatives to demonstrate secure software practices.
   
   If a software vendor plans to undergo this assessment, full assessments as well as interim or “Delta” assessments will be required.
    
2. Secure Software Life Cycle (Secure SLC) Standard: This standard was developed to determine whether a vendor is properly managing the security of their payment software throughout the entire software lifecycle. It can help demonstrate that the software’s security concepts are mature and that the processes and methodologies leveraged produce secure software.
   
   Secure SLC assessments are optional; however, validation of the software lifecycle process and listing on the PCI SSC portal assures entities planning to utilize software vendors’ payment applications within PCI DSS environments or for any other compliance framework. Secure SLC assessments have a three-year validity period; vendors must re-validate every three years to be listed as an SSLC-qualified software vendor.
   
   Note: These standards can apply to applications beyond just payments software (which store, process, or transmit clear text cardholder data by itself). They can be leveraged to validate other applications that are a part of the payment software suite but do not store, process, or transmit payments data as a part of their own functionality.

Payment software validated to the PCI Secure Software Standard can be used to support the security posture of an organization’s cardholder data environment, but does not make it PCI DSS compliant. This is similar to how PA-DSS applications are reviewed within a PCI DSS environment. Qualified Security Assessors (QSAs) still need to ensure software is configured appropriately and that it meets applicable PCI DSS requirements.

Although the control objectives align with the PA-DSS standards, the new standards require payment software vendors to develop a robust risk management strategy that helps provide sufficient evidence to support risk-based decision-making.

Impact to your organization and transition

Currently, listed PA-DSS applications will remain in effect under the PA-DSS programs until the applications reach their expiration date (for PA-DSS 3.2, the expiration date for payment applications is 2022). However, new PA-DSS submissions will not be accepted starting mid-2020. Admin or low-impact changes can still be submitted for currently valid applications until their expiration date has been reached. When the expiration date for applications is met, all PA-DSS validated payment applications will be moved over to the “Acceptable Only for Pre-Existing Deployments” tab on the PCI SSC website.

PCI SSC is working toward providing a transition plan for migration of current PA-DSS applications to the new security framework validation program.

Coalfire was one of the contributing organizations to provide feedback for the PCI Software Security Framework. As a respected PCI-QSA and PA-QSA company, we would be happy to get the discussion started to help you transition to the new framework.