The PCI Security Standards Council (PCI SSC) has published version 1.1 of the PCI Secure Software Standard and its supporting program documentation. The PCI Secure Software Standard is one of two standards that are part of the PCI Software Security Framework (SSF). The PCI Secure Software requirements provide assurance that payment software is designed, engineered, developed, and maintained in a manner that protects payment transactions and data, minimizes vulnerabilities, and defends itself from attacks.
Version 1.1 of the PCI Secure Software Standard introduces the Terminal Software Module, a new security requirements module for payment software intended for deployment and operation on PCI-approved PIN Transaction Security (PTS) Point-of-Interaction (POI) devices. Software intended for deployment and operation on other platforms is not affected by the new requirements.
“The PCI Secure Software Standard is designed to offer a more flexible approach to how we test the security and integrity of payment software,” said Emma Sutcliffe, SVP Standards Officer, PCI Security Standards Council. “The modular nature of the Standard allows for broader inclusion to accommodate various software management approaches and support a larger set of payment software architectures, functions, and software development methodologies.”
The new Terminal Software Module is the third module to be incorporated into the PCI Secure Software Standard’s modular requirements architecture. Modules are groups of requirements that address specific use cases. The two existing modules in the PCI Secure Software Standard are the “Core” module, which includes general security requirements applicable to all payment software, and the “Account Data Protection” module, which includes additional security requirements for payment software that stores, processes, or transmits clear-text account data. PCI SSC expects to introduce additional modules in the future.
The PCI Secure Software Standard v1.1 also addresses errata, adds minor clarifications, and aligns key terms and definitions across the Standard and program documentation.
“As the industry innovates to create new opportunities to accept payments, there is more reliance on good software security,” said Troy Leach, SVP Engagement Officer, PCI Security Standards Council. “Software for payment acceptance has changed significantly since PA-DSS was first developed. The breadth of new development practices to risk-management requires an objective-based approach to define secure software requirements compared to the prior standard. Our security community helped develop a standard that can accommodate the advancements in payment software and accelerate the necessary validation, while continuing to protect payment data against new threats and vulnerabilities.”
Vendors and assessors should download the current program documentation and reference v1.1 of the Program Guide when working with v1.1 of the Standard. The following documents can be found in the PCI SSC document library:
- PCI Secure Software Standard v1.1
- Summary of Changes from PCI Secure Software Standard v1.0 to v1.1
- PCI Secure Software Program Guide v1.1
- PCI Secure Software Report on Validation (ROV) template v1.1
- PCI Secure Software Attestation of Validation (AOV) v1.1