New Web Software Module Introduced in PCI Secure Software Standard Version 1.2

 

Today, the PCI Security Standards Council (PCI SSC) published version 1.2 of the PCI Secure Software Standard and its supporting program documentation.

The PCI Secure Software Standard is one of two standards that are part of the PCI Software Security Framework (SSF). The PCI Secure Software Standard and its security requirements help provide assurance that payment software is designed, developed, and maintained in a manner that protects payment transactions and data, minimizes vulnerabilities, and defends against attacks.


Version 1.2 of the PCI Secure Software Standard introduces the Web Software Module, a set of supplemental security requirements to the Secure Software Standard’s Core Requirements for payment software that uses internet technologies, protocols, and languages to support or facilitate electronic payment transactions. The security requirements provided in the Web Software Module identify key software security controls to implement to address the most common security issues related to the use of internet-accessible payment technologies.


There are four high-level requirement areas included in the Web Software Module:

  • Documenting and tracking the use of open-source and third-party software components and APIs in payment software

  • Controlling access to payment software web APIs and other critical assets

  • Mitigating common web attacks

  • Protecting communications between web-based payment software components

The following documents are now available in the PCI SSC Document Library:

Updates to the Secure Software Report on Validation (ROV) and Attestation of Validation (AOV) associated with the v1.2 release are expected to be published in Q1 2023.

No changes were made to the PCI Secure Software Lifecycle (Secure SLC) Standard or its supporting documentation with this release. The current version of the PCI Secure SLC Standard, Program Guide, Report on Compliance (ROC), and Attestation of Compliance (AOC) remains v1.1.

To support the addition of the Web Software Module, all Secure Software Assessors must undergo training and pass an exam on the Web Software Module within 90 days from the release of the training to remain in good standing with PCI SSC. Training is expected to be made available to all Secure Software Assessors in Q1 2023.

Other parties interested in learning more about the Software Security Framework standards are encouraged to attend SSF Knowledge Training. New this year, Knowledge Training courses are designed to bridge the knowledge gap between organizations and assessors by providing learning opportunities for individuals to take the same training and exam as the Assessor. Knowledge Training is offered for both the Secure Software Lifecycle (Secure SLC) Assessor course as well as the Secure Software Assessor course.
 


PCI SSC is offering PA-DSS Vendors a special discount for SSF Knowledge Training in 2023. If you are a PA-DSS Vendor, please contact the PA-DSS Program Manager for details on how to take advantage of this special offer.


Also on the blog: Watch and Learn All About Knowledge Training
 



