Transition Expected in 2022 with the New PA-DSS Version

Once the PCI-DSS 4.0 transition is complete, all roads lead to a change in PA-DSS 3.2 in 2022. The current program is fully supported through October 2022 with no immediate difference in how validated applications are handled. New validation programs from the PCI Software Security Framework (PCI SSF), called the Secure Software Lifecycle (Secure SLC), are expected, however.

Together, the new standards and programs will provide a robust payment software solution for vendors. It will continue to work within the framework that designs, develops, and maintains modern payment software.

To learn more about the Changes Expected with PCI DSS 4.0 read here.

Changes Are Coming for PA-DSS V3.2

PCI SSC is currently developing its new validation programs called the Secure Software Lifecycle (Secure SLC) and Secure Software Programs, which are intended for use by payment software vendors. These programs will demonstrate that both their development practices, along with their payment software products, address overall software security resiliency intended to protect payment data. Under both of these programs, Software Security Framework Assessors will assess vendors and their payment software products against both validation programs. PCI SSC will then list both Secure SLC Qualified Vendors and Validated Payment Software on its website.

Introducing these programs as part of the PCI Software Security Framework (SSF) rollout, they comprise a collection of standards set to provide the secure design, development, and maintenance of the existing and future payment software. The PCI SSF goes on to expand the scope of the PA-DSS, thereby replacing it and its program of the list of validated payment applications when PA-DSS retires in 2022.

Interim Operations for the PA-DSS Program

During the interim the time before the PCI SSF official introduction, the two will run parallel, with the PA-DSS program running much as it does now.

The PA-DSS program will remain open and fully supported until October 28, 2022, with no changes to how existing PA-DSS validated applications are handled. They will remain on the list of PA-DSS Validated Payment Applications until their expiry dates, and per the normal process, vendors can submit changes to them until the PA-DSS v3.2 expiration date. At that point, the PA-DSS v3.2 will be formally retired and replaced by the PCI Software Security Framework.

PCI SSF Assessor Training

PCI SSC began accepting applications for SSF Assessors in 2019 for the training program. With these pieces in place, vendors can begin the assessment process for their software development lifecycle practices and their payment software products.

Understanding the PCI Software Security Framework

The current PCI Software Security Framework (SSF) consists of two standards – Secure Software Standard, and Secure Software Lifecycle (SLC) Standard. Both are part of a collection of associated validation and listing programs, and related software security standards.

With a focus on the SLC, this standard defines a set of security requirements and associated test procedures for software vendors. It serves to guide testing and validation for management of security protocols within their payment processing systems throughout the software lifecycle. Validation indicates the vendor currently has mature management lifecycle practices in place. These work to minimize, defend, and possibly alleviate attacks.

How PA-DSS v3.2 Helped Evolve the Framework

In 2016, the Payment Card Industry Security Standards Council (PCI SSC) released PA-DSS v3.2. This was also when the PCI SSC provided sunset dates for the previous version called PA-DSS v3.1 and its associated applications and application listings.

Any Report On Validation (ROV) set for submission, along with any changes for payment applications validated according to PA-DSS v3.1, needed to be submitted on or before August 31, 2016. As of September 1, 2016, all new ROVs were to be validated according to PA-DSS v3.2.

Proof of Compliance Required by PA-DSS v3.2

PA-DSS v.3.2 requires that software vendors maintain the following 14 protections in order to prove compliance.

1. Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
2. Provide secure authentication features.
3. Secure and protect stored cardholder data.
4. Perform reports and logs on payment application activity.
5. Design and develop secure payment applications.
6. Protect wireless transmissions.
7. Perform testing on payment applications to address vulnerabilities and maintain accurate payment application updates.
8. Provide optimal conditions for secure network implementation.
9. Never store cardholder data on a server connected to the Internet.
10. Facilitate secure remote access to payment application.
11. Encrypt sensitive traffic over public networks.
12. Secure all non-console administrative access.
13. Maintain a PA-DSS Implementation Guide readily available for customers, resellers and integrators.
14. Assign PA-DSS responsibilities for personnel while maintaining training programs for personnel, customers, resellers and all other integrators.

What’s the Difference Between PCI DSS and PA DSS?

Good question. The main difference is that PCI DSS applies to every company and entity that handles credit card data. Organizations that store, process, or transmit credit card information are required to comply with PCI DSS. PA DSS, on the other hand, only applies to vendors that produce and sell payment applications.

What’s the Difference Between PCI SSF and PA-DSS?

Another good question. PA-DSS is expected to be phased out starting in 2022; PCI SSF should replace this legacy program. The new validation program will likely include components of PA-DSS. It will be built to better support PCI Software Security Standards and outline a stronger framework for designing, developing and maintaining modern payment software.

Which PCI DSS Self-Assessment Questionnaire Is Right for Your Organization?

Ensuring Your Compliance with AWA

With all the changes coming down the pipeline, achieving and maintaining compliance can be challenging. Our team ensures you’re ready for the PCI Software Security Framework Compliance in October 2022. We provide comprehensive, robust assessments and testing to minimize risks make sure your systems are PCI DSS compliant.

Our PCI DSS Assessment identifies any weaknesses in your security protocols while providing the most secure protection advice for cardholder data based on your business model and industry. For a quote on our services, fill out our contact form or call us at 215-631-3452.

About The Author

Mike Mariano

Michael is the Chief Information Security Officer at IS Partners as well as the leader of the penetration testing practice for AWA International. Michael has 15+ years’ experience in internal IT operations with 7 years of being involved in various levels of IT auditing with experience with PCI DSS, SOC 2, HITRUST CSF, Risk Assessments and experience working with Security Frameworks (such as ISO and NIST). Michael has worked with/at companies from 10 to 50,000 employees in size. Prior to joining IS Partners, Michael worked as the IT Operations Manager at AVASEK an MSP IS Security firm where he managed a team of six technicians to service 1500 client endpoints as well as the firm's Cloud Hosting Solution. while at AVASEK, Michael also performed gap assessments against HIPPA and NIST Security Frameworks and was a member of the incident response team. Michael’s specialties are IT Security and IT Management. He is experienced in performing security Risk Assessments, enforcing security policies, handling confidential information, deploying and administering network and application security systems, administrating SaaS products, Active Directory (AD), firewalls, routers, and VPN. Michael is HITRUST CCSFP and AWS CP Certified and has maintained various CompTIA Certifications over his career. He is currently working to achieve his GIAC GWAP and OSCP Certification in 2020.