The PCI Security Standards Council (PCI SSC) has published version 1.1 of the PCI Secure Software Lifecycle (SLC) Standard and its supporting program documentation. The PCI Secure SLC Standard is one of two standards that are part of the PCI Software Security Framework (SSF). It provides security requirements and assessment procedures for software vendors to integrate into their software development lifecycles and to validate that secure lifecycle management practices are in place.
The version 1.1 update to the PCI Secure SLC Program Guide expands program eligibility beyond payment software vendors. The revised eligibility includes software vendors who develop software products for the payment card industry. This expansion of the program enables more vendors to leverage Secure SLC qualification and facilitates broader vendor adoption and participation in the Secure SLC Program.
“At the rate at which software is evolving, a different approach is required to validate that the development of payment software adheres to strong security practices,” said Emma Sutcliffe, SVP Standards Officer, PCI Security Standards Council. “This update to our Secure SLC Standard and Program is a key step in promoting greater implementation by expanding eligibility to vendors that produce software and software components that may share resources within a payment environment.”
The PCI Secure SLC Standard v1.1 also addresses errata, adds minor clarifications, and aligns key terms and definitions across the standard and program documentation.
“Recent forensic data suggests that software in the hospitality sector has increasingly been the target of cybercriminals. One of the most important aspects of the Secure SLC Standard, and a common issue identified in data breach findings, is maintaining good software security. This includes not only security in the design and revisions but oversight after deployment as threats continue to evolve,” said Troy Leach, SVP Engagement Officer, PCI Security Standards Council.
“This is especially true with the increased dependency on third-party software developers,” Leach continued. “Many organizations, including hotels and other hospitality businesses, rely upon these companies to protect payment data against various compromises such as online digital skimming for e-commerce bookings and supply-chain vulnerabilities for on-premise payment environments. The version 1.1 update to our standard allows any software or software component that may be present in a hospitality payment environment, even if the software does not directly handle payment data, to be eligible for evaluation, as it may share or influence the same resources. Validation against the Secure SLC Standard demonstrates a public commitment to maintain the security posture of the software throughout its entire lifetime.”
Vendors should download the current documentation and reference v1.1 of the Program Guide when working with v1.1 of the standard. The following documents can be found in the PCI SSC document library: