Software Security Framework: Update to version 1.2 with new Web Software Module

14 December 2022

On December 7, the PCI Security Standards Council (PCI SSC) published version 1.2 of the PCI Secure Software Standard and its supporting program documentation. Together with the PCI Secure Software Lifecycle (Secure SLC) Standard, the PCI Secure Software Standard forms the PCI Software Security Framework (SSF). In version 1.2 of the Secure Software Standard, minor adjustments were made to remove inconsistencies, clarify intent and standardize the language. Some test requirements have been updated, consolidated or removed. The most important change in version 1.2, however, is the introduction of the new Web Software Module.

New Module: Web Software 

Complementing the core requirements of the Secure Software Standard, the module includes a set of security requirements for payment software that uses Internet technologies, protocols, and languages to support or facilitate electronic payment transactions.  

The Web Software Module comprises four main requirement areas: 

  • Documenting and tracking the use of open-source and third-party software components and APIs in payment software
  • Controlling access to payment software web APIs and other critical assets
  • Mitigating common web attacks  
  • Protecting communications between web-based payment software components 

Updates to the Secure Software Report on Validation (RoV) and Attestation of Validation (AoV) related to the v1.2 release are expected to be released in the first quarter of 2023. 

Impact on already validated and listed payment software 

Payment software that has already been successfully validated and is listed on the PCI SSC's List of Validated Payment Software is not affected by the release of the new Web Software Module until the current listing expires. At that time, the payment software must be revalidated against the then-current version of the Secure Software Standard and all applicable modules in order to remain listed as validated payment software. This also applies to web-based payment software that was, for example, validated and listed prior to the release of the Web Software Module but to which the requirements of the Web Software Module now apply.

Impact on the Secure SLC

No changes have been made to the PCI Secure Software Lifecycle (Secure SLC) standard or its supporting documentation with this release. The current version of the Secure SLC remains v1.1. 


Do you have questions about the Secure Software Standard or need assistance with the transition? Get in touch; we are happy to help.
