One topic presented at this year's Payment Card Industry (PCI) Community Meeting in Vancouver was the Software Security Framework (SSF). The newly designed framework specifically targets the secure design and development of payment software. As defined by Jake Marcinko, Standards Manager at PCI Security Standards Council, the SSF is "a framework for standardizing and consolidating software security requirements for different types of payment software under a single requirements architecture, supporting validation and listing programs, and the next evolution of PA-DSS."

Introducing the Software Security Framework (SSF)

The SSF will eventually replace the current Payment Application Data Security Standard (PA-DSS). This article covers several aspects of the new SSF, including the perceived benefits, the goals, what it looks like at a macro level, and how it could affect both merchants and vendors.

The PCI Security Standards Council (PCI SSC) created this new framework to give software vendors additional flexibility and to better align payment software development with industry standards, specifically around software security. As such, the framework allows more software vendors to offer PCI-validated payment software. It also gives merchants greater confidence that software added to their environment supports PCI DSS compliance and follows a robust set of security controls.

The SSF will consist of two (2) standards: the Secure Software Standard and the Secure Software Lifecycle (Secure SLC) Standard. These two standards give software vendors the flexibility of a more efficient validation process. They also allow the Secure SLC management process to be assessed separately from the actual payment software product. The Framework will also include validation programs, supporting material such as reporting templates, and the compliant software listings themselves.

PCI SSF modules create more flexibility

The Software Security Framework includes benefits for both merchants and software vendors. For merchants, like PA-DSS, the framework makes it easy to identify software that has gone through a security validation and certification process, which gives merchants a degree of confidence. However, unlike PA-DSS, the SSF will support multiple security efforts and initiatives with an explicit focus on secure design and development. For vendors, this framework allows for a broader lineup of payment platforms, as well as greater flexibility in change control to help support agile environments and DevOps teams. In other words, PA-DSS focuses on facilitating PCI DSS compliance. The new SSF addresses broader software security, not just PCI DSS compliance.

Perhaps the most important and most emphasized feature of this framework is the level of flexibility it intends to provide. As with many of the changes in PCI DSS v4.0, the new framework will place greater emphasis on objectives. Many of the requirements are designed to facilitate certain outcomes, and if they achieve the intended outcome, it is the responsibility of the vendor and/or assessor to document and demonstrate that the objective has been met.

The Council designed the SSF to provide a modular assessment architecture and approach, creating greater flexibility. The new approach means core security requirements will apply throughout the software, and those requirements can be assessed one time. Modules that address specific functionality or platform-specific elements can be assessed separately. To be fully compliant with the PCI SSF, software must meet the core requirements and the applicable additional requirements within the relevant modules. Currently, one module has been created within the SSF to address Authentication, and others are expected to be added to the framework over time.

SLC process certification options and vendor lists

One of the most interesting changes in the new SSF approach is the creation of an SLC process certification option, which allows SLC-certified vendors to self-validate incremental changes to their software without requiring re-validation by an assessor. In addition, the new SSF allows certification of different types of software that were previously not eligible for PA-DSS certification. However, while the new SLC certification process is intended to provide additional certification options and flexibility, software vendors are not required to implement and demonstrate SLC certification in order to complete a Report on Validation for their payment software.

As with PA-DSS, there will be lists available for vendors and merchants to review validated solutions and to identify qualified PCI SSF assessors who can assist with compliance efforts. These lists include:

· Secure SLC Qualified Vendor List – used by merchants, acquirers, and other payment software users to identify payment software vendors that have been assessed under the Secure SLC Program


Finally, understanding the timeline of events is critical so that merchants and software vendors can plan accordingly. PA-DSS v3.2 is set to expire at the end of October 2022. Once the PA-DSS is retired, it will be completely replaced by the SSF. Until then, both the PA-DSS and SSF programs run concurrently, and software vendors are encouraged to pursue early adoption and certification under the SSF. By using the new framework, vendors can avoid falling out of compliance when their PA-DSS certification expires. For existing environments, PA-DSS solutions can still be assessed until the expiration date of the application. At that time, they will be categorized as "Acceptable Only for Pre-Existing Deployment" status, although vendors will be able to submit changes to existing approved software until the listed expiry date. Lastly, submissions of new PA-DSS payment applications for validation will be accepted until June 30, 2021, and validation will expire at the end of October 2022. Like PA-DSS, validation under the new SSF will be good for three years, with annual attestation required.

Need help with your PCI compliance program? Have questions about PCI compliance? We're here to help.

