PCI Secure Software Standard 1.2 released

PCI Security Standards Council (PCI SSC) published version 1.2 of the PCI Secure Software Standard and its supporting program documentation.

The PCI Secure Software Standard is one of two standards that are part of the PCI Software Security Framework (SSF). The PCI Secure Software Standard and its security requirements help provide assurance that payment software is designed, developed, and maintained in a manner that protects payment transactions and data, minimizes vulnerabilities, and defends against attacks.

Version 1.2 of the PCI Secure Software Standard introduces the Web Software Module, a set of supplemental security requirements to address the most common security issues related to the use of internet-accessible payment technologies.

“The PCI Secure Software Standard is designed to offer a more flexible approach to how we test the security and integrity of payment software,” said Emma Sutcliffe, SVP Standards Officer, PCI Security Standards Council. “The Web Software Module was introduced to aid software vendors and developers in identifying and implementing appropriate software security controls to protect against common web software attacks.”

There are four high-level requirement areas included in the Web Software Module:

• Documenting and tracking the use of open-source and third-party software components and APIs in payment software
• Controlling access to payment software web APIs and other critical assets
• Mitigating common web attacks
• Protecting communications between web-based payment software components

“The introduction of the new Web Software Module as part of the Secure Software Standard v1.2 marks the end of our initial efforts to launch the Software Security Framework,” said Andrew Jamieson, VP Solution Standards, PCI Security Standards Council. “The next phase of SSF development will focus on providing additional guidance, enhancing existing requirements, and addressing new and evolving payment technologies, threats, and attack techniques.”

Updates to the Secure Software Report on Validation (ROV) and Attestation of Validation (AOV) associated with the v1.2 release are expected to be published in Q1 2023.