{"id":4491,"date":"2019-02-20T20:45:41","date_gmt":"2019-02-20T20:45:41","guid":{"rendered":"https:\/\/www.paymentfacilitator.com\/?p=4491"},"modified":"2021-06-15T22:00:17","modified_gmt":"2021-06-15T22:00:17","slug":"what-do-the-new-pci-payments-software-security-standards-mean-for-pfs","status":"publish","type":"post","link":"https:\/\/infinicept.com\/payment-facilitator\/archive\/what-do-the-new-pci-payments-software-security-standards-mean-for-pfs\/","title":{"rendered":"What Do the New PCI Payments Software Security Standards Mean for PFs?"},"content":{"rendered":"\n<p><strong>Hopes are cautiously\nhigh for the role of the PCI Security Standards Council\u2019s (PCI SSC) new\nsecurity framework in helping to secure a rapidly evolving payments ecosystem. <\/strong><\/p>\n\n\n\n<p><strong>The council published\nits new requirements for securing payments software in January. The new\nframework goes beyond the current standards to address overall \u201csecurity\nresiliency,\u201d the organization said in a <\/strong><a href=\"https:\/\/www.pcisecuritystandards.org\/about_us\/press_releases\/pr_01162019\"><strong>press release<\/strong><\/a><strong>. <\/strong><\/p>\n\n\n\n<p>Part of the goal was to develop standards that could keep up\nwith the speed of transformation in the payments industry. In an environment\nwhere software and apps are continually updated as they connect people through many\ndifferent devices \u2013 and where consumers and merchants alike increasingly expect\nthe processes that enable and protect payments to be frictionless \u2013 securing\npayments transactions is no easy feat. <\/p>\n\n\n\n<p>\u201cOur payment systems continue to become more software\ndependent with exponential ways we connect applications to other applications\nand the speed of transferring data. 
Yet consumers and businesses alike expect\npayment transactions to remain secure and demonstrate integrity,\u201d PCI SSC Chief\nTechnology Officer Troy Leach told PaymentFacilitator. <\/p>\n\n\n\n<p>The standards help reduce the friction of implementing\npayments software in this environment \u201cby emphasizing an objective-,\noutcome-based approach as part of the framework with emphasis on exceptional security\ndesign and management practices to react more quickly to any potential\nvulnerability,\u201d Leach said. <\/p>\n\n\n\n<p>\u201cIn other words, empowering software vendors to be more\nadaptive and innovative in the security controls they use as long as they can\ndemonstrate to merchants and other users of the payment software that security\nis at the forefront of their design and ongoing management of their products.\u201d<\/p>\n\n\n\n<p>The organization refers to the new <a href=\"https:\/\/blog.pcisecuritystandards.org\/just-published-new-pci-software-security-standards\">standards<\/a>\nas the PCI Software Security Framework, which has two components. <\/p>\n\n\n\n<p>The <em>PCI Secure\nSoftware Standard<\/em> is \u201cintended for payment software that is sold,\ndistributed, or licensed to third parties for the purposes of supporting or\nfacilitating payment transactions,\u201d according to the organization. It covers\nsecurity requirements and assessment procedures that will enable payment\nsoftware to protect transactions and their associated data. <\/p>\n\n\n\n<p>The <em>PCI Secure\nSoftware Lifecycle Standard<\/em> covers requirements and procedures that will\nenable software vendors to validate their own management of payment security\nthroughout the lifecycle of their software as changes are introduced. <\/p>\n\n\n\n<p>Leach acknowledged the increasing role that PFs are playing\nin this software-based payments environment.
<\/p>\n\n\n\n<p>\u201cWhen we designed these standards, one group we had in mind\nwere payment facilitators,\u201d Leach said. \u201cThey often act as the bridge between\nthe software vendor and mass distribution to smaller merchants.\u201d <\/p>\n\n\n\n<p>The new standards will replace the current Payment\nApplication Data Security Standard, which can still be used before it is\nretired in 2022. So, while the transition will take some time, PFs can and should\nstart to review what the standards may mean to them.<\/p>\n\n\n\n<p>\u201cFor now, they just need to be aware that there is a\ntransition in approach for payment software security. And this change will\nallow for a broader coverage of security testing for payment applications,\u201d\nLeach said. \u201cIt will empower them to make better decisions for their customers\nand have more informed conversations with their software providers. If the\npayment facilitator develops software in-house, the new security requirements\nwill offer additional flexibility for how to demonstrate security effectiveness\nand diversity of applications that can be listed.\u201d<\/p>\n\n\n\n<p>According to Leach, the organization plans to launch its\nvalidation program for software vendors later this year. <\/p>\n\n\n\n<p>\u201cWhile PCI SSC expects validation assessments to begin in\nearly 2020 or earlier, enforcement of the standards will be up to the payment\nbrands and their compliance programs,\u201d he said.<\/p>\n\n\n\n<p>Chris Bucolo, vice president of market strategy for\nControlScan, told PaymentFacilitator that he is \u201cbullish\u201d about the potential\nfor this new framework to better serve the security needs of the current\npayments environment. <\/p>\n\n\n\n<p>\u201cThe reality is that the ante is being upped to be involved\nin payments these days because of the need for security. We still have a lot of\ndata out there being stolen and resold on the dark web. 
And as the shift to EMV\nis occurring, we\u2019re seeing increased fraud in ecommerce,\u201d he said.<\/p>\n\n\n\n<p>\u201cI think the payments industry has been waiting for\nsomething that is broad, flexible and dynamic, that goes beyond the basics to a\nnew level, and allows for any kind of device or deployment.\u201d <\/p>\n\n\n\n<p>It will be critical for both new and existing payment\nfacilitators in the coming months to take the new standards into account within\ntheir business planning and understand what it will mean for their own\norganizations, Bucolo said.<\/p>\n\n\n\n<p>\u201cIt\u2019s going to be really important that existing payment\nfacilitators and new ones that are coming down the pike are paying a lot of\nattention to these new standards,\u201d he said. \u201cIf they don\u2019t have all the\nin-house expertise they need, then they need to go outside and get advice from\ntrusted advisors and maybe some help with the security aspects of managing both\nthe development side and the security of what they deploy into the\nmarketplace.\u201d<\/p>\n\n\n\n<p>The costs associated with adhering to the new framework\naren\u2019t yet known, which is \u201call the more reason to start getting help and\nconsultation early,\u201d Bucolo said. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hopes are cautiously high for the role of the PCI Security Standards Council\u2019s (PCI SSC) new security framework in helping to secure a rapidly evolving payments ecosystem. 
<\/p>\n","protected":false},"author":21,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","_FSMCFIC_featured_image_caption":"","_FSMCFIC_featured_image_nocaption":"","_FSMCFIC_featured_image_hide":"","footnotes":""},"categories":[1015],"tags":[191,216,261,672,673,675],"class_list":["post-4491","post","type-post","status-publish","format-standard","hentry","category-archive","tag-controlscan","tag-data-security","tag-emv","tag-pci-compliance","tag-pci-council","tag-pci-ssc"],"acf":[],"_links":{"self":[{"href":"https:\/\/infinicept.com\/payment-facilitator\/wp-json\/wp\/v2\/posts\/4491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infinicept.com\/payment-facilitator\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infinicept.com\/payment-facilitator\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infinicept.com\/payment-facilitator\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/infinicept.com\/payment-facilitator\/wp-json\/wp\/v2\/comments?post=4491"}],"version-history":[{"count":1,"href":"https:\/\/infinicept.com\/payment-facilitator\/wp-json\/wp\/v2\/posts\/4491\/revisions"}],"predecessor-version":[{"id":7242,"href":"https:\/\/infinicept.com\/payment-facilitator\/wp-json\/wp\/v2\/posts\/4491\/revisions\/7242"}],"wp:attachment":[{"href":"https:\/\/infinicept.com\/payment-facilitator\/wp-json\/wp\/v2\/media?parent=4491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infinicept.com\/payment-facilitator\/wp-json\/wp\/v2\/categories?post=4491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infinicept.com\/payment-facilitator\/wp-json\/wp\/v2\/tags?post=4491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}