By Aaron Lumnah, Senior Manager Marketing Demand Generation
The Payment Card Industry Security Standards Council (PCI SSC) has announced that it will be retiring the Payment Application Data Security Standard (PA-DSS) in 2022 and replacing it with a new validation programme, called the PCI Software Security Framework. The PA-DSS certification has been one of the most rigorous validations a payment application can achieve, demonstrating that it meets the most stringent standards for secure software development. Semafone has proudly held the PA-DSS certification since 2012 and has undergone successful re-certification every year since.
With the PCI SSC’s announcement that it will replace the PA-DSS certification with two new validation programmes under the Software Security Framework, there will likely be many changes that solution providers and merchants alike need to be aware of. To help, let’s take a look at the anticipated changes and what they mean for software development and vendor selection, respectively.
Let’s begin with a brief overview of both the PA-DSS and the new PCI Software Security Framework, to understand what they do and what the differences are.
What is PA-DSS?
The PA-DSS certification examines the security of a payment application, such as Semafone’s Cardprotect Voice+ solution. PA-DSS is a rigorous framework for assessing payment application software, covering secure development requirements, secure authentication, secure remote access and encryption of sensitive traffic over public networks. Achieving certification involves an extensive source code review, testing of the installation and deployment of the payment application, and comprehensive penetration testing, followed by a formal assessment by a Payment Application Qualified Security Assessor (PA-QSA) and review of that assessment by the PCI SSC assessor quality management (AQM) team before the application is listed.
What is the PCI Software Security Framework?
The PCI Software Security Framework (SSF) is a collection of software security standards for the secure design, development and maintenance of payment software solutions. It is a new programme, designed for payment software vendors, like Semafone, to demonstrate that both their development practices and their payment software products address overall software security resiliency to protect payment data. While the SSF includes elements of PA-DSS, the new framework expands beyond the scope of the PA-DSS. Additionally, whereas the PA-DSS was designed specifically for payment applications used in an environment that is compliant with the PCI Data Security Standard (PCI DSS), the new SSF is designed to support a broader array of payment software types, technologies and development methodologies being used by businesses today. The framework is also better suited to supporting future technologies and use cases that have not yet emerged.
Why Has the PCI Security Standards Council Made this Change?
Payments solutions have evolved dramatically in recent years. From mobile payments, to peer-to-peer (P2P) payment applications, contactless payments, QR codes and many other emerging digital commerce solutions, there is a wide variety of new technologies and methods that businesses now use to accept payments from customers. As technology advances and new payment technologies and platforms emerge, it is critical for merchant businesses to ensure that their customers’ sensitive payment data is safeguarded during all transactions. The new standards are designed to better address the evolving nature of the payments landscape and ensure that new payment applications and software solutions adequately protect the integrity and confidentiality of consumers’ sensitive data.
What Payments Solution Providers Should Know
The new PCI SSF provides payment solution providers with security standards for developing and maintaining their software so that it protects payment transactions and data, minimises vulnerabilities, and defends against attacks. Validation under this programme provides vendors with a way to demonstrate the ongoing protection of payment data transacted through their solutions.
Vendors that are PA-DSS certified will need to transition to the SSF by October 2022, at which point the PA-DSS certification programme will be ended. The SSF consists of two standards and two corresponding validation programmes. Under the Secure Software Programme, a vendor’s payment software product is evaluated by an approved SSF Assessor against the Secure Software Standard; this is the programme that replaces PA-DSS, and successfully validated products are listed on the PCI SSC List of Validated Payment Software on the PCI SSC website. Under the Secure SLC Programme, the vendor’s own software development lifecycle practices are evaluated against the Secure Software Lifecycle (Secure SLC) Standard, and vendors that pass are listed as Secure SLC Qualified Vendors. Secure SLC qualification is not required in order to validate a product, but a qualified vendor is able to self-attest certain changes to its validated software rather than returning to an assessor for every update.
What Merchant Businesses Should Know
Any business that accepts, manages or transmits consumer payment card data, and the personal information associated with that card, must make data security one of its top priorities. There were more than 3,800 data breaches in 2019, with the average cost of a data breach for U.S. businesses topping $8.1 million. That price tag does not even include the costs associated with damage to an organisation’s brand reputation in the event of a breach.
To reduce their risk of suffering a brand-damaging data breach, and to better protect their customers’ sensitive payment card data and personally identifiable information (PII), merchant businesses should follow the PCI Data Security Standard (PCI DSS) and always make sure they are using solutions that have been assessed and successfully validated against the new PCI SSF. This will help ensure that their people, processes and technologies are all operating to a high standard of data security.
When evaluating new payments technologies to integrate into your organisation, or new partners to work with, merchant businesses should plan to refer to the PCI SSC’s SSF listings, which are hosted on the PCI SSC website as the new framework is launched. The List of Validated Payment Software identifies specific software products that have been assessed against the Secure Software Standard, and is the list to check for the particular product and version you intend to deploy. The list of Secure SLC Qualified Vendors identifies those payment solutions vendors whose software lifecycle practices have been evaluated and meet the new Secure SLC Standard; a vendor appearing on that list is a good sign about its development process, but it does not by itself mean that every product the vendor sells has been validated.
Ultimately, the simplest way to ease compliance and strengthen data security is to, as much as possible, keep sensitive payment card data out of your network infrastructure in the first place. That is why payment solutions like Cardprotect Voice+ and Cardprotect Relay+ help merchant businesses dramatically reduce the scope of compliance, minimise the number of controls they must validate against and save money – all while better protecting their customers’ important data.
To learn more about PCI DSS compliance, relevant certifications for payments solutions and how they help organisations strengthen data security and privacy, visit the blog posts below for additional reading: