Today, PCI shared its new Software Security Framework. PCI describes this framework as “a collection of software security standards and associated validation and listing programs for the secure design, development and maintenance of modern payment software.”
The framework includes two standards for use by software vendors. The first, the Secure Software Standard, is a software security standard for payment software, and the second, the Secure Software Lifecycle (Secure SLC) Standard, is a set of security requirements throughout the software lifecycle for payment software vendors.
PCI developed these new requirements in response to a changing threat landscape, which increasingly includes attacks at the application layer. In fact, according to Verizon’s 2018 Data Breach Investigations Report, web application attacks remain the most frequent incident pattern in confirmed breaches. Further, Veracode’s State of Software Security Report v9, based on an analysis of the data created through customer testing on Veracode’s application security platform, found that more than 85 percent of all applications have at least one vulnerability in them; more than 13 percent have at least one critical severity flaw. PCI also updated its requirements in order to address changing development practices, such as the emergence of DevOps.
The PCI Software Security Framework is a much-needed response to the increase in web application attacks, the recognition that the health of an organization’s software is tied to the safety and privacy of its customers, and the fact that application security (AppSec) is an often-neglected discipline. The Framework encourages and prescribes the use of security testing across the entire software lifecycle, from development to production. It also acknowledges and requires training for developers on secure coding, stating “having staff knowledgeable of secure coding guidelines should minimize the number of security vulnerabilities introduced through poor coding practices.”
This framework will significantly impact the thousands of organizations that develop and rely on payment software, particularly in the financial and retail sectors. Simply put, payment application vendors, processors and merchants will have to implement a secure application development process. Further, organizations will have to find an integrated solution that is easy to manage and can meet audit deadlines without increasing overhead.
New regulations and standards, similar to what we’ve seen with the EU General Data Protection Regulation (GDPR) and the New York Department of Financial Services Cybersecurity Regulation, can be confusing and overwhelming for vendors to implement. At Veracode, we have the application security expertise to help you navigate changes in regulations.
To learn more about how Veracode can provide you with a single, comprehensive solution that helps you comply with the PCI Secure Software Standard, please contact us.