The PCI Security Standards Council (PCI SSC) has published version 1.1 of the PCI Secure Software Lifecycle (SLC) Standard and its supporting program documentation. The PCI Secure SLC Standard is one of two standards that are part of the PCI Software Security Framework (SSF).
It provides security requirements and assessment procedures for software vendors to integrate into their software development lifecycles and to validate that secure lifecycle management practices are in place.
The version 1.1 update to the PCI Secure SLC Program Guide expands program eligibility beyond payment software vendors. The revised eligibility includes software vendors that develop software products for the payment card industry. This expansion enables more vendors to obtain Secure SLC qualification and facilitates broader vendor adoption of and participation in the Secure SLC Program.
“At the rate at which software is evolving, a different approach is required to validate that the development of payment software adheres to strong security practices,” said Emma Sutcliffe, SVP Standards Officer, PCI Security Standards Council.
“This update to our Secure SLC Standard and Program is a key step in promoting greater implementation by expanding eligibility to vendors that produce software and software components that may share resources within a payment environment.”
Maintaining good software security
The PCI Secure SLC Standard v1.1 also addresses errata, adds minor clarifications, and aligns key terms and definitions across the standard and program documentation.
“One of the most important aspects of the Secure SLC Standard, and a common issue identified in recent compromises, is maintaining good software security, even as software is updated and security threats continue to evolve,” said Troy Leach, SVP Engagement Officer, PCI Security Standards Council.
“This is especially true with the increased dependency on third-party software developers. Organizations rely upon these companies to protect payment data against various compromises such as online digital skimming and supply-chain vulnerabilities. Validation against the Secure SLC Standard demonstrates a public commitment to maintain the security posture of the software throughout its entire lifetime.”
Vendors should download the current documentation and reference v1.1 of the Program Guide when working with v1.1 of the standard.