What Do the New PCI Payments Software Security Standards Mean for PFs?


Hopes are cautiously high for the role of the PCI Security Standards Council’s (PCI SSC) new security framework in helping to secure a rapidly evolving payments ecosystem.

The council published its new requirements for securing payments software in January. The new framework goes beyond the current standards to address overall “security resiliency,” the organization said in a press release.

Part of the goal was to develop standards that could keep up with the speed of transformation in the payments industry. In an environment where software and apps are continually updated as they connect people through many different devices, and where consumers and merchants alike increasingly expect the processes that enable and protect payments to be frictionless, securing payment transactions is no easy feat.

“Our payment systems continue to become more software dependent with exponential ways we connect applications to other applications and the speed of transferring data. Yet consumers and businesses alike expect payment transactions to remain secure and demonstrate integrity,” PCI SSC Chief Technology Officer Troy Leach told PaymentFacilitator.

The standards help reduce the friction of implementing payments software in this environment “by emphasizing an objective-, outcome-based approach as part of the framework with emphasis on exceptional security design and management practices to react more quickly to any potential vulnerability,” Leach said.

“In other words, empowering software vendors to be more adaptive and innovative in the security controls they use as long as they can demonstrate to merchants and other users of the payment software that security is at the forefront of their design and ongoing management of their products.”

The organization refers to the new standards as the PCI Software Security Framework, which has two components.

The PCI Secure Software Standard is “intended for payment software that is sold, distributed, or licensed to third parties for the purposes of supporting or facilitating payment transactions,” according to the organization. It covers security requirements and assessment procedures that will enable payment software to protect transactions and their associated data.

The PCI Secure Software Lifecycle Standard covers requirements and procedures that will enable software vendors to validate their own management of payment security throughout the lifecycle of their software as changes are introduced.

Leach acknowledged the increasing role that PFs are playing in this software-based payments environment.

“When we designed these standards, one group we had in mind were payment facilitators,” Leach said. “They often act as the bridge between the software vendor and mass distribution to smaller merchants.”

The new standards will replace the current Payment Application Data Security Standard (PA-DSS), which can still be used until it is retired in 2022. So, while the transition will take some time, PFs can and should start to review what the standards may mean for them.

“For now, they just need to be aware that there is a transition in approach for payment software security. And this change will allow for a broader coverage of security testing for payment applications,” Leach said. “It will empower them to make better decisions for their customers and have more informed conversations with their software providers. If the payment facilitator develops software in-house, the new security requirements will offer additional flexibility for how to demonstrate security effectiveness and diversity of applications that can be listed.”

According to Leach, the organization plans to launch its validation program for software vendors later this year.

“While PCI SSC expects validation assessments to begin in early 2020 or earlier, enforcement of the standards will be up to the payment brands and their compliance programs,” he said.

Chris Bucolo, vice president of market strategy for ControlScan, told PaymentFacilitator that he is “bullish” about the potential for this new framework to better serve the security needs of the current payments environment.

“The reality is that the ante is being upped to be involved in payments these days because of the need for security. We still have a lot of data out there being stolen and resold on the dark web. And as the shift to EMV is occurring, we’re seeing increased fraud in ecommerce,” he said.

“I think the payments industry has been waiting for something that is broad, flexible and dynamic, that goes beyond the basics to a new level, and allows for any kind of device or deployment.”

It will be critical for both new and existing payment facilitators in the coming months to take the new standards into account within their business planning and understand what it will mean for their own organizations, Bucolo said.

“It’s going to be really important that existing payment facilitators and new ones that are coming down the pike are paying a lot of attention to these new standards,” he said. “If they don’t have all the in-house expertise they need, then they need to go outside and get advice from trusted advisors and maybe some help with the security aspects of managing both the development side and the security of what they deploy into the marketplace.”

The costs associated with adhering to the new framework aren’t yet known, which is “all the more reason to start getting help and consultation early,” Bucolo said.