PCI Software Security Framework goes live

It’s been a big week in the PCI world. Not only do we get a new guidance document for large organizations, but the PCI Software Security Framework is now fully operational.

In a sense, the PCI Software Security Framework has been live since the press release announcing it on January 16, 2019. The program documents and the standards themselves themselves have been available to review for a long time. People who will be subject to them should have at least reviewed the materials by now, and should be thinking about how to prepare for the future. Sadly, I’ll hazard a guess that many won’t; some people I’ve spoken to don’t even realize that the PA-DSS is going away, and this is the replacement.

However, in another sense, the program has been somewhat “unreal” until this week. The transition dates for the Software Security Framework have been known for a long time, and the retirement date for PA-DSS has been known too. But the PCI Security Standards Council has only recently started training QSAs in the new standard. Without a pool of people in industry familiar with how the standard is intended to operate, it was always just a collection of ideas on paper, rather than a functioning program.

QSACs get accredited

The big news this week? Coalfire have become the first QSA Company accredited to perform assessments using the new standards under the Software Security Framework. Congratulations to Coalfire for being first to market. May the early bird catch the worm!

In principle, there are now qualified industry professionals you can call and ask specific questions regarding the new standards, and what is needed to comply with specific requirements. This is a material change from before, where all you had was the standards documents and a FAQ, and no body of knowledge to guide you on what is actually going to be deemed acceptable in practice.

The final deadline for accepting new submissions under the old PA-DSS is June 30, 2021. If you were considering getting your new software accredited under PA-DSS, review that decision carefully. The PCI Security Standards Council has provided a document on transitioning from PA_DSS to the PCI Software Security Framework which should hopefully inform your decision. I think the only reason you’d continue with a new PA-DSS assessment at this point would be if your planning for that option was well under way, and you want to get your application listed relatively quickly.

Greenfield projects shouldn’t consider PA-DSS at this point – it’s a dead end. Jump straight to the appropriate standard under the Software Security Framework: either the Secure Software Lifecycle (SLC) Standard, or the Secure Software Standard as fits with your business model. Bonne chance!