Updated 11.20.2023
PCI SSC Takes Another Shot at Shoring Up Web Software Security
The Payment Card Industry Security Standards Council (PCI SSC) wants to prevent Internet-accessible payment technologies from creating a web of security snafus. So, it is no surprise that version 1.2 of the PCI Secure Software Standard and its supporting documentation, released recently, incorporates the new Web Software Module, a set of supplemental security requirements designed to address the most common security issues related to the use of Internet-accessible payment technologies.
More specifically, the module defines security requirements and assessment procedures for payment software that uses Internet technologies, protocols, and languages for the purposes of initiating or supporting electronic payment transactions. This includes browser-based payment applications, application programming interfaces (APIs), web services, microservices, serverless functions, and any other software methods used to make payment functions accessible or to conduct electronic payment transactions over the Internet.
Any software-based features or functions that handle requests from Internet “clients” and generate responses for the purpose of supporting an electronic payment transaction are in scope for the Web Software Module requirements. In general, these requirements span four high-level areas and dictate methods and procedures for:
- Documentation and tracking of the use of open-source and third-party software components and APIs in payment software;
- Controlling access to payment software web APIs and other critical assets;
- Mitigation of common web attacks;
- Protection of communications between web-based payment software components.
According to a statement released by the PCI SSC, the PCI Secure Software Standard itself is designed to offer a more flexible approach to how the security and integrity of payment software are tested. Moreover, the new module was launched to aid software vendors and developers in identifying and implementing appropriate software security controls to protect against common web software attacks.
Payment software that is already listed on the PCI SSC’s “List of Validated Payment Software” is not affected by the publication of the new module until its listing is set to expire. At that time, the software must be re-evaluated for conformance to the current Secure Software Standard and all applicable modules (including the Web Software Module) in order for the listing to remain current.
E-Complish will continue to ensure that its software solutions conform not only to the latest version of the Secure Software Standard but also to all standards set by the PCI SSC. Schedule a consultation to learn more about it.