Listen to: "Changes Are on the Horizon from PCI SSC: Phasing Out PA-DSS v3.2 in 2022"
PA-DSS v3.2 Made Its Way into the PCI Framework in 2016
Just a little over three years ago, the Payment Card Industry Security Standards Council (PCI SSC) announced what became the latest version of the Payment Application Data Security Standard (PA-DSS). On June 8, 2016, PA-DSS v3.2 was released and was also the point when the PCI SSC provided sunset dates for the previous version called PA-DSS v3.1 and its associated applications and application listings.
Any Report On Validation (ROV) set for submission, along with any changes for payment applications validated according to PA-DSS v3.1, needed to be submitted on or before August 31, 2016. As of September 1, 2016, all new ROVs were to be validated according to PA-DSS v3.2.
What Does PA-DSS v3.2 Require for Proof of Compliance?
The current PA-DSS v.3.2 that software vendors maintain the following 14 protections that prove compliance.
- Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
- Provide secure authentication features.
- Secure and protect stored cardholder data.
- Perform reports and logs on payment application activity.
- Design and develop secure payment applications.
- Protect wireless transmissions.
- Perform testing on payment applications to address vulnerabilities and maintain accurate payment application updates.
- Provide optimal conditions for secure network implementation.
- Never store cardholder data on a server connected to the Internet.
- Facilitate secure remote access to payment application.
- Encrypt sensitive traffic over public networks.
- Secure all non-console administrative access.
- Maintain a PA-DSS Implementation Guide readily available for customers, resellers and integrators.
- Assign PA-DSS responsibilities for personnel while maintaining training programs for personnel, customers, resellers and all other integrators.
A New Transition Is on Its Way in 2022 to Replace PA-DSS v3.2
Considering the rapidly changing online landscape—chock-full of online shopping and credit card payments—PCI SSC recently announced that more changes are on the way for payment applications in the DSS framework.
While nothing has been fully developed yet, the PCI team is hard at work developing new validation programs to support PCI Software Security Standards. Combined, these standards and programs provide payment software vendors with the PCI Software Security Framework intended to design, develop and maintain modern payment software.
Changes Expected for the 2022 Transition from PA-DSS v3.2 to the PCI Software Security Framework
The PA-DSS Program will remain open and fully supported until October 28, 2022, with no changes to how existing PA-DSS validated applications are handled. They will remain on the list of PA-DSS Validated Payment Applications until their expiry dates, and per the normal process, vendors can submit changes to them until the PA-DSS v3.2 expiry date. At that point, the PA-DSS v3.2 will be formally retired and replaced by the PCI Software Security Framework.
What Is the PCI Software Security Framework?
PCI SSC is currently developing its new validation programs called the Secure Software Lifecycle (Secure SLC) and Secure Software Programs, which are intended for use by payment software vendors. These programs will demonstrate that both their development practices, along with their payment software products, address overall software security resiliency intended to protect payment data. Under both of these programs, Software Security Framework Assessors will assess vendors and their payment software products against both validation programs. PCI SSC will then list both Secure SLC Qualified Vendors and Validated Payment Software on its website.
Introducing these programs as part of the PCI Software Security Framework (SSF) rollout, they comprise a collection of standards set to provide the secure design, development, and maintenance of the existing and future payment software. The PCI SSF goes on to expand the scope of the PA-DSS, thereby replacing it and its program of the list of validated payment applications when PA-DSS retires in 2022. During the time between now and the PCI SSF official introduction, the two will run parallel, with the PA-DSS program running much as it does now.
Merchants and other interested parties can find Secure SLC and Secure Software Program documentation currently available on the PCI SSC website.
PCI SSC will start accepting applications for SSF Assessors in October 2019, with training to follow in early 2020. Once these pieces are in place, vendors can begin the assessment process for their software development lifecycle practices and their payment software products.
I.S. Partners, LLC. Can Help Make Sure You Stay on Track for Full PCI Software Security Framework Compliance by 2022
Are you concerned about your readiness for the October 2022 deadline for PCI Software Security Framework Compliance? It is not too soon to start thinking about how to ensure compliance to keep your payment cardholders protected through a time of transition and uncertainty.
Contact us at 215-675-1400 to learn more about how we can help you keep cardholders safe while doing business with your company.