March 4, 2019 | Software Secured
Earlier this year, the PCI Security Standards Council released the first major revamp of its software standards in over a decade.
The new standards were crafted to better evaluate the security of payment ecosystems. They’re meant to square existing standards with modern software production, which embraces DevOps, Agile, and continuous integration and delivery.
They may also fire interest in embedding security earlier into the software development life-cycle.
With the new standards, the PCI council hopes to reduce credit card fraud, which continues to plague the industry despite the move to EMV technology. The chip-on-a-card tech was supposed to thwart fraudsters.
That doesn’t seem to be the case, however. A report by Gemini Advisory released in May noted that 60 million U.S. payment cards were compromised during the previous 12 months. Of that number, 75 percent (45.8 million) were compromised at a point-of-sale device, with the remainder compromised in an online breach.
Surprisingly, of the card-present cards compromised, 90 percent had EMV chips.
The new standards—the Secure Software Standard and Secure Software Lifecycle Standard—are part of the PCI Software Security Framework. The framework is a collection of software security standards and associated validation and listing programs for the secure design, development, and maintenance of modern payment software.
“Software development practices have evolved over time, and the new standards address these changes with an alternative approach for assessing software security,” PCI SSC Chief Technology Officer Troy Leach explained in a blog.
“The PCI Software Security Framework introduces objective-focused security practices that can support both existing ways to demonstrate good application security and a variety of newer payment platforms and development practices,” he added.
PCI has designed the Secure Software Standard (S3) to protect the integrity and confidentiality of payment transactions and data through new security requirements and assessment procedures. The S3 addresses issues such as critical asset identification, secure default configuration, sensitive data protection, authentication and access control, attack detection, and vendor security guidance.
The S3 is expected to eventually replace the existing Payment Application Data Security Standard. The PA-DSS focuses on software development and lifecycle management principles for security in traditional payment software to help merchants maintain PCI-DSS compliance. The S3 goes beyond that. It addresses overall software security resiliency.
“The PA-DSS is applicable to direct payment applications only—apps that directly process credit cards. The new standards apply to all application development in the PCI DSS space,” Matthew Getzelman, a principal consultant at Synopsys, explained in a company blog.
Both standards are similar in one respect, however. Their goal is to establish a way to demonstrate how software protects the payment data that it stores, processes, or transmits and give software providers a method for performing independent security evaluations of their software.
A gradual transition from PA-DSS to S3 is envisioned by the PCI council. Organizations that have invested in PA-DSS can continue to use applications validated under that process until 2022, when validation on those apps runs out. After that, those applications will be moved to an “acceptable for pre-existing deployments” list, and any upgrades of those apps will have to be assessed under the new Software Security Framework.
S3 is aimed at payment software that is sold, distributed, or licensed to third parties for supporting or facilitating payment transactions. However, the council is encouraging large organizations to use the standards on their in-house payment apps, too.
The new PCI framework also includes Secure Lifecycle Management standards. Those standards could help expand the movement toward embedding security earlier into the application development life-cycle.
“I was particularly pleased to see the emphasis on integrating security into the software development process rather than attempting to assure security by after-the-fact testing,” Steve Lipner, executive director of the Software Assurance Forum for Excellence in Code and a participant in the PCI Software Security Task Force, said in a statement.
Modern software development, which incorporates Agile, DevOps, and continuous integration and delivery, has increased the difficulty of maintaining good application security as changes are introduced. The new life-cycle standards address that challenge by outlining security requirements and assessment procedures by which software vendors can validate their security efforts throughout the application life-cycle.
Among the principles addressed by the standards are governance, threat identification, vulnerability detection and mitigation, security testing, change management, secure software updates, and stakeholder communications.
The standards can be used by makers of software for the payments industry to demonstrate they have mature secure application life-cycle management practices in place to ensure their apps are designed and developed to protect payment transactions and data, minimize vulnerabilities, and defend against attacks.
“This provides confidence to businesses using the payment application that their software vendor is providing ongoing assurance to the integrity of the software development and confidentiality of payment data as change occurs,” PCI’s Leach explained.
More integration of security into the software lifecycle will also be encouraged by more flexible testing standards than in the past. PA-DSS, for example, is overly prescriptive.
“It said you had to do A, B, and C, and it just didn’t work for a lot of different kinds of software,” Jeff Williams, co-founder and CTO of Contrast Security and a participant in the expert council that contributed to the new standard, told Dark Reading.
“So when you’re looking at DevOps projects that are releasing seven times a day and moving super fast and using tons of libraries, and building APIs, and deploying in the cloud, that old standard just didn’t work well,” he added.
Testing is no longer limited to penetration testing and application security testing. To meet the new standards, a combination of static and dynamic tools must be used to validate each code objective. They include automated static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), and software composition analysis (SCA) tools—as well as manual techniques such as manual code reviews and penetration testing.
The new PCI Security Framework has been described as “transformational” by some experts. But Sammy Migues, chief scientist at Synopsys, who served on a working group that developed the standards, had a word of warning for enthusiasts of the new rules. The “intent and philosophy” are transformational, he told Forbes, but it will take some time to see if the reality matches the intent.