New Web Software Module Introduced in PCI Secure Software Standard Version 1.2

Today,
the
PCI
Security
Standards
Council
(PCI
SSC)
published
version
1.2
of
the
PCI
Secure
Software
Standard
and
its
supporting
program
documentation.
The
PCI
Secure
Software
Standard
is
one
of
two
standards
that
are
part
of
the
PCI
Software
Security
Framework
(SSF).
The
PCI
Secure
Software
Standard
and
its
security
requirements
help
provide
assurance
that
payment
software
is
designed,
developed,
and
maintained
in
a
manner
that
protects
payment
transactions
and
data,
minimizes
vulnerabilities,
and
defends
against
attacks. 

Version
1.2
of
the
PCI
Secure
Software
Standard
introduces
the
Web
Software
Module,
a
set
of
supplemental
security
requirements
to
the
Secure
Software
Standard’s
Core
Requirements
for
payment
software
that
uses
internet
technologies,
protocols,
and
languages
to
support
or
facilitate
electronic
payment
transactions.
The
security
requirements
provided
in
the
Web
Software
Module
identify
key
software
security
controls
to
implement
to
address
the
most
common
security
issues
related
to
the
use
of
internet-accessible
payment
technologies. 

There
are
four
high-level
requirement
areas
included
in
the
Web
Software
Module:

• 
  Documenting
  and
  tracking
  the
  use
  of
  open-source
  and
  third-party
  software
  components
  and
  APIs
  in
  payment
  software
• 
  Controlling
  access
  to
  payment
  software
  web
  APIs
  and
  other
  critical
  assets
• 
  Mitigating
  common
  web
  attacks
   
• 
  Protecting
  communications
  between
  web-based
  payment
  software
  components 

The
following
documents
are
now
available
in
the
PCI
SSC
Document
Library: 

Updates
to
the
Secure
Software
Report
on
Validation
(ROV)
and
Attestation
of
Validation
(AOV)
associated
with
the
v1.2
release
are
expected
to
be
published
in
Q1
2023.

No
changes
were
made
to
the
PCI
Secure
Software
Lifecycle
(Secure
SLC)
Standard
or
its
supporting
documentation
with
this
release.
The
current
version
of
the
PCI
Secure
SLC
Standard,
Program
Guide,
Report
on
Compliance
(ROC),
and
Attestation
of
Compliance
(AOC)
remains
v1.1.

To
support
the
addition
of
the
Web
Software
Module,
all
Secure
Software
Assessors
must
undergo
training
and
pass
an
exam
on
the
Web
Software
Module
within
90
days
from
the
release
of
the
training
to
remain
in
good
standing
with
PCI
SSC.
Training
is
expected
to
be
made
available
to
all
Secure
Software
Assessors
in
Q1
2023.

Other
parties
interested
in
learning
more
about
the
Software
Security
Framework
standards
are
encouraged
to
attend
SSF
Knowledge
Training.
New
this
year,


Knowledge
Training
courses
are
designed
to
bridge
the
knowledge
gap
between
organizations
and
assessors
by
providing
learning
opportunities
for
individuals
to
take
the
same
training
and
exam
as
the
Assessor.
Knowledge
Training
is
offered
for
both
the
Secure
Software
Lifecycle
(Secure
SLC)
Assessor
course
as
well
as
the
Secure
Software
Assessor
course.
 

PCI
SSC
is
offering
PA-DSS
Vendors
a
special
discount
for
SSF
Knowledge
Training
in
2023.
If
you
are
a
PA-DSS
Vendor,
please
contact
the


PA-DSS
Program
Manager
for
details
on
how
to
take
advantage
of
this
special
offer. 

Also
on
the
blog:
 Watch
and
Learn
All
About
Knowledge
Training 

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts