PCI Releases Software Security Framework

Today, PCI shared its new Software Security Framework. PCI describes this framework as “a collection of software security standards and associated validation and listing programs for the secure design, development and maintenance of modern payment software.”

The framework includes two standards for use by software vendors. The first, the Secure Software Standard, is a software security standard for payment software, and the second, the Secure Software Lifecycle (Secure SLC) Standard, is a set of security requirements throughout the software lifecycle for payment software vendors.

PCI developed these new requirements in response to a changing threat landscape, which increasingly includes attacks at the application layer. In fact, according to Verizon’s 2018 Data Breach Investigations Report, web application attacks remain the most frequent incident pattern in confirmed breaches. Further, Veracode’s State of Software Security Report v9, based on an analysis of the data created through customer testing on Veracode’s application security platform, found that more than 85 percent of all applications have at least one vulnerability in them; more than 13 percent have at least one critical severity flaw. PCI also updated their requirements in order to address changing development practices, such as the emergence of DevOps.

The PCI Software Security Framework is a much-needed response to the rise in web application attacks, the recognition that the health of an organization’s software is tied to the safety and privacy of its customers, and the fact that application security (AppSec) is an often-neglected discipline. The Framework encourages and prescribes the use of security testing across the entire software lifecycle, from development to production. It also acknowledges and requires training for developers on secure coding, stating “having staff knowledgeable of secure coding guidelines should minimize the number of security vulnerabilities introduced through poor coding practices.”

This framework will significantly impact the thousands of organizations that develop and rely on payment software, particularly in the financial and retail sectors. Simply put, payment application vendors, processors and merchants will have to implement a secure application development process. Further, organizations will have to find an integrated solution that is easy to manage and can meet audit deadlines without increasing overhead.

New regulations and standards, similar to what we’ve seen with the EU Global Data Protection Regulations (GDPR) and New York Department of Financial Services Cybersecurity regulations, can be confusing and overwhelming for vendors to implement. At Veracode, we have the application security expertise to help you navigate changes in regulations.

To learn more about how Veracode can provide you with a single, comprehensive solution that helps you comply with the PCI Secure Software Standard, please contact us. 

RSS | Veracode Blog