On December 7, the PCI Security Standards Council (PCI SSC) published version 1.2 of the PCI Secure Software Standard and its supporting program documentation. Together with the PCI Secure Software Lifecycle (Secure SLC) Standard, the PCI Secure Software Standard forms the PCI Software Security Framework (SSF). In version 1.2 of the Secure Software Standard, minor adjustments were made to remove inconsistencies, clarify intent and standardize the language. Some test requirements have been updated, consolidated or removed. However, the most important change in version 1.2 is the introduction of the new Web Software Module.
New Module: Web Software
Complementing the core requirements of the Secure Software Standard, the module includes a set of security requirements for payment software that uses Internet technologies, protocols, and languages to support or facilitate electronic payment transactions.
The Web Software Module comprises four main requirement areas:
- Documenting and tracking the use of open-source and third-party software components and APIs in payment software
- Controlling access to payment software web APIs and other critical assets
- Mitigating common web attacks
- Protecting communications between web-based payment software components
Updates to the Secure Software Report on Validation (RoV) and Attestation of Validation (AoV) related to the v1.2 release are expected to be released in the first quarter of 2023.
Impact on already validated and listed payment software
Payment software that has already been successfully validated and is listed on the PCI SSC's List of Validated Payment Software is not affected by the release of the new Web Software Module until its current listing expires. At that point, the payment software must be revalidated against the then-current version of the Secure Software Standard and all applicable modules in order to remain listed as validated payment software. This also applies to web-based payment software that was validated and listed before the release of the Web Software Module but now falls within the scope of the module's requirements.
Impact on the Secure SLC
No changes have been made to the PCI Secure Software Lifecycle (Secure SLC) standard or its supporting documentation with this release. The current version of the Secure SLC remains v1.1.
Do you have questions about the Secure Software Standard or need assistance with the transition? Get in touch, we are happy to help you.