By Aaron Lumnah, Senior Manager, Marketing Demand Generation
At the end of 2019, it was reported that 19 major retailers suffered a data breach over the course of just two years, many of which were caused by flaws within their payment systems. It is now common understanding that data breaches are continuing to gain in numbers, and almost any company that is directly supporting or facilitating payment transactions could be at risk of a brand-damaging data breach if they haven’t carefully selected a secure payment software.
To help improve the security of payment applications on the market, and make it easier for merchants to select the most secure solution, the Payment Card Industry Security Standards Council (PCI SSC) released the PCI Software Security Framework (PCI SSF). This new framework is made up of two separate standards: the Secure Software Standard and the Secure Software Lifecycle (Secure SLC) Standard.
In our last post on the topic, we unpacked some of the key components of the PCI SSF overall, what the differences will be from the Payment Application Data Security Standard (PA DSS) certification, and what solution providers and merchants alike must be aware of.
In this post, we will dive in to take a specific look at one of the two standards within the framework — the Secure Software Lifecycle (Secure SLC) Standard.
The Secure Software Lifecycle Standard
What Is It?
The Secure Software Lifecycle (Secure SLC) Standard is a set of security requirements―the Secure Software Lifecycle (SSLC) Requirements― and associated test procedures for software vendors to validate how they properly manage the security of payment software throughout the software lifecycle.
The requirements in this standard apply to the vendor’s SLC processes and technologies, including those applied to the personnel involved in the design, development, deployment, and maintenance of the vendor’s payment software products and services.
Some vendors may have multiple software products covered by different software lifecycle management programs, and prior to assessment, vendors should identify the payment software products and associated software lifecycle management program(s) to be covered under the assessment.
Overall, the scope of the SSLC requirements in this standard will collectively help protect payment transactions and data, minimize vulnerabilities, and defend payment software from attacks throughout the software lifecycle.
Who Does the Secure SLC Standard Apply to?
The Secure SLC Standard applies to any software vendor that develops software for the payments industry. The SSLC requirements defined within this standard expand on traditional software development lifecycle models by introducing security concepts and activities throughout the entire software lifecycle.
Software vendors who have their software lifecycle management practices validated by the Secure SLC Standard will be recognized on the PCI SSC’s list of Secure SLC Qualified Vendors, and will be enabled to perform and self-attest to their own software “delta” assessments with reduced assessor involvement or oversight.
What is the Evaluation Process?
Software vendors themselves must initiate the process of having their secure software lifecycle management practices evaluated and qualified by an SSF-qualified assessor company. The PCI SSC’s list of SSF Assessor Companies can be found on the PCI SSC website.
After the qualification process is initiated, together, the software vendor and the assessor company determine the scope of the assessment (i.e., what elements of the software vendor organization, software development processes, or payment software products are to be covered by the assessment), including identifying all applicable requirements and materials necessary to effectively perform the assessment.
Once the scope has been determined and all necessary materials and evidence have been collected, the assessor begins the Secure SLC Assessment. If the vendor has met all requirements within the Secure SLC Standard, the assessor then prepares and submits a Report on Compliance (ROC) and an Attestation of Compliance (AOC) to the PCI SSC, detailing all of the tests performed and confirming the results from the evaluation.
What Does This Mean for the Software Solution Vendors?
When a software vendor has been validated against the Secure SLC Standard, it means that the vendor has “mature, secure software lifecycle management practices in place to ensure its payment software is designed and developed to protect payment transactions and data, minimize vulnerabilities, and defend against attacks.”
What Does This Mean for Merchants?
After the PCI SSC reviews the ROC and confirms that the testing was performed satisfactorily. withall requirements met, the software vendor is added to the PCI SSC’s list of Secure SLC Qualified Vendors on the PCI SSC website. Having a list of SLC qualified vendors provides an added layer of security, which makes choosing the right payment software much easier for both merchants and businesses.. Do note that the list of Secure SLC Qualified Vendors will become available as the program progresses.
The Differences Between the Secure Software Standard and Secure SLC Standard
While both the Secure Software Standard and Secure SLC Standard address some of the same concepts within the framework, each standard targets a different set of requirements. For example, the Secure Software Standard addresses secure functionality and security features within the software itself, while the Secure SLC Standard takes a broader look at the secure software development processes performed by the software vendors themselves. It is also important to note that achieving validation to one standard does not result in achieving validation to any other PCI standard, including the PA-DSS or Payment Card Industry Data Security Standard (PCI DSS).
Improving the Security of Payment Systems
The Payment Card Industry’s Security Standards Council was created to “enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.” This new PCI Software Security Framework represents a new approach for securely designing and developing both existing and future payment software and addresses overall software security resiliency.
By supporting a broader array of payment software types, technologies, and development methodologies used both today and in future use cases, the PCI SSF provides merchants and other payment industry stakeholders with strong security assurances. PCI SSF validated payment software is developed securely and with security functions to protect the integrity of the software and the confidentiality of sensitive data it stores, processes, and transmits. Within that, the Secure SLC Standard will ultimately help reduce payment data-related fraud overall, which will, in turn, mitigate a merchant’s risk of a brand-damaging data breach.