The PCI Security Standards Council (PCI SSC) is a global organization dedicated to protecting payment transactions and cardholder data. It develops standards and supporting programs for payment software vendors and promotes education, awareness and implementation of those standards. Because payment software is constantly evolving, the SSC continuously develops and adapts its standards to minimize vulnerabilities and the attacks that exploit them.
Last year, the PCI SSC published the PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) Standard as part of a new PCI Software Security Framework (SSF), also known as PCI S3. The SSF provides objective-based security practices that describe what a good application security program looks like, taking into account both traditional and modern payment platforms and evolving development practices. The framework was developed with the participation of industry experts in the PCI Software Security Task Force (SSTF) and the PCI SSC stakeholder community.
The new SSF recognizes that there is no single approach to software security. Vendors should determine the software security controls and features that best suit their specific business needs. The security requirements and assessment procedures set out in the two standards nevertheless help vendors adequately protect the integrity and confidentiality of payment transactions and cardholder data.
The Secure SLC Standard is an important part of the SSF because it helps organizations maintain good application security (AppSec) practices. It sets out security requirements and assessment procedures that vendors must meet to demonstrate that they manage the security of their payment software throughout its lifecycle. To comply with the Secure SLC and the wider SSF, vendors must integrate AppSec into the development process before the first line of code is written.
Previous AppSec requirements, such as those in the Payment Application Data Security Standard (PA-DSS), a component of the PCI Data Security Standard (PCI DSS) program, focus on software development and lifecycle management principles for traditional payment software. Modern payment software requires AppSec throughout the entire development cycle. Since the new SSF rules are more comprehensive and include both a new methodology and a new approach to software security auditing, and a
What does this mean for existing PA-DSS validated applications? Existing PA-DSS validated applications remain on the list of validated payment applications until their expiry date. At the end of October 2022, the PCI SSC will move PA-DSS validated applications to the "Acceptable Only for Pre-Existing Deployments" tab. All new updates to PA-DSS validated applications should be assessed under the SSF instead.
How Veracode can help achieve PCI compliance
Veracode products map to a number of the PCI requirements, as shown in the tables below.
PCI Security Standards Council compliance mapping

PCI DSS

| Requirement | Description | Veracode solution |
|---|---|---|
| 6.5 | Address common coding vulnerabilities in software development processes. | Veracode Developer Training; Veracode Application Security Platform; Veracode IDE Scan |
| 11.3 | Implement a methodology for penetration testing. | Veracode Manual Penetration Testing |

PCI Software Security Framework (Secure SLC Standard)

| Requirement | Description | Veracode solution |
|---|---|---|
| 3.2 | Threats to the software and weaknesses in its design are continuously identified and assessed. | Veracode Application Security Platform; Veracode Static Analysis; Veracode Dynamic Analysis; Veracode Software Composition Analysis; Veracode IDE Scan |
| 4.1 | Existing and emerging software vulnerabilities are identified in a timely manner. | Veracode Verified Continuous; Veracode Application Security Platform; Veracode IDE Scan; Veracode Software Composition Analysis; Veracode Static Analysis; Veracode Dynamic Analysis |
| 4.2 | Newly discovered vulnerabilities are fixed in a timely manner. The reintroduction of similar or previously resolved vulnerabilities is prevented. | Veracode Developer Training; Veracode IDE Scan; Veracode Application Security Platform; Veracode Software Composition Analysis |
| 5.1 | All software changes are identified, assessed and approved. | Veracode Application Security Platform; Veracode Static Analysis; Veracode IDE Scan |
| 6.1 | The integrity of all software code, including third-party components, is maintained throughout the software lifecycle. | Veracode Dynamic Analysis; Veracode Software Composition Analysis; Veracode Static Analysis |
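One concrete control that supports the 6.1 objective above (integrity of code, including third-party components, across the lifecycle) is to pin each approved third-party artifact to a digest at review time and refuse any build that pulls an artifact whose digest differs, is unpinned, or is missing. The following is an added example written for this page; it is not Veracode's or the PCI SSC's code, and the manifest format, artifact names and artifact bytes are all constructed for illustration.

```python
"""Pin-and-verify gate for third-party components (added example).

Assumptions (not from the PCI standards or Veracode): a build manifest maps
each approved artifact name to its expected SHA-256 digest, and this check
runs before the artifact is admitted into a build. All artifact bytes here
are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample artifacts, standing in for what a build would fetch
# from an artifact repository at the time the components were reviewed.
TRUSTED_ARTIFACTS: Dict[str, bytes] = {
    "payment-sdk-2.4.1.jar": b"PK\x03\x04 constructed payment-sdk contents",
    "tls-helper-1.0.9.whl": b"PK\x03\x04 constructed tls-helper contents",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Pin digests at the moment each component is reviewed and approved."""
    return {name: sha256_hex(data) for name, data in artifacts.items()}


@dataclass
class Finding:
    artifact: str
    status: str  # one of: "ok", "tampered", "missing", "unpinned"


def verify_components(manifest: Dict[str, str],
                      fetched: Dict[str, bytes]) -> List[Finding]:
    """Compare what the build fetched against the pinned manifest.

    Every pinned artifact must be present with a matching digest, and no
    artifact may appear that was never pinned (i.e. never reviewed).
    """
    findings: List[Finding] = []
    for name, expected in manifest.items():
        if name not in fetched:
            findings.append(Finding(name, "missing"))
            continue
        actual = sha256_hex(fetched[name])
        # Digests are not secrets, but compare_digest avoids any
        # accidental short-circuit on partial matches.
        ok = hmac.compare_digest(actual, expected)
        findings.append(Finding(name, "ok" if ok else "tampered"))
    for name in fetched:
        if name not in manifest:
            findings.append(Finding(name, "unpinned"))
    return findings


def gate_passes(findings: List[Finding]) -> bool:
    """The build may proceed only if every finding is 'ok'."""
    return all(f.status == "ok" for f in findings)


def demo() -> List[Finding]:
    """Run the gate against a constructed set of fetched artifacts that has
    one modified component, one dropped component and one unreviewed extra."""
    manifest = build_manifest(TRUSTED_ARTIFACTS)
    fetched = dict(TRUSTED_ARTIFACTS)
    # A single appended byte is enough to change the digest.
    fetched["payment-sdk-2.4.1.jar"] += b"\x00"
    # A component nobody reviewed or pinned.
    fetched["logger-3.3.0.jar"] = b"constructed unreviewed component"
    # A pinned component that the build did not receive at all.
    del fetched["tls-helper-1.0.9.whl"]
    return verify_components(manifest, fetched)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.status:9} {finding.artifact}")
    print("gate passes:", gate_passes(demo()))
```

The manifest is generated once, at review and approval time, and committed alongside the build definition; the verification step is what runs on every build. Regenerating the manifest automatically on each build would defeat the control, since a tampered artifact would simply be re-pinned.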
A good way to start your journey to SSF compliance is by enrolling in Veracode Verified. Many of the requirements in the Veracode Verified program map to PCI requirements. Veracode Verified helps you improve your organization's secure software development practices and shows how mature your program is through a three-tier program.
To learn more about PCI's new Software Security Framework, including the migration from PA-DSS to the SSF, read our latest blog post, The Migration From PA-DSS to SSF: All You Need to Know.
*** This is a Security Bloggers Network syndicated blog from the Application Security Research, News, and Education Blog, authored by [email protected] (hgoslin). The original post can be found at https://www.veracode.com/blog/security-news/new-pci-regulations-indicate-need-appsec-throughout-sdlc.