PCI SSC publishes PCI Secure Software Standard 1.1 and supporting program documentation
Version 1.1 of the PCI Secure Software Standard introduces the Terminal Software Module, a new security requirements module for payment software intended for deployment and operation on PCI-approved PIN Transaction Security (PTS) Point-of-Interaction (POI) devices. Software intended for deployment and operation on other platforms is not affected by the new requirements.
“The PCI Secure Software Standard is designed to offer a more flexible approach to how we test the security and integrity of payment software,” said Emma Sutcliffe, SVP Standards Officer, PCI Security Standards Council.
“The modular nature of the Standard allows for broader inclusion to accommodate various software management approaches and support a larger set of payment software architectures, functions, and software development methodologies.”
The new Terminal Software Module is the third module to be incorporated into the PCI Secure Software Standard’s modular requirements architecture. Modules are groups of requirements that address specific use cases.
Security requirements for payment software
The two existing modules in the PCI Secure Software Standard are the “Core” module, which includes general security requirements applicable to all payment software, and the “Account Data Protection” module, which includes additional security requirements for payment software that stores, processes, or transmits clear-text account data. PCI SSC expects to introduce additional modules in the future.
The PCI Secure Software Standard 1.1 also addresses errata, adds minor clarifications, and aligns key terms and definitions across the Standard and program documentation.
“As the industry innovates to create new opportunities to accept payments, there is more reliance on good software security,” said Troy Leach, SVP Engagement Officer, PCI Security Standards Council.
“Software for payment acceptance has changed significantly since PA-DSS was first developed. The breadth of new development practices to risk-management requires an objective-based approach to define secure software requirements compared to the prior standard.”