How to Successfully Transition Software from PA-DSS to the PCI Secure Software Standard

On 28 October 2022, the Payment Application Data Security Standard (PA-DSS) program will officially close. In this blog, Jake Marcinko, PCI SSC Senior Manager, Emerging Standards, shares how PA-DSS compares to its successor, the PCI Secure Software Standard, a standard within the PCI Software Security Framework (SSF); and Tracey Harrington, PCI SSC Manager, Certification Programs, offers key timelines and suggestions on how to prepare your organization to make the transition.

What is the PCI Software Security Framework and PCI Secure Software Standard?

Jake Marcinko: The PCI Software Security Framework (SSF) standardizes and consolidates software security principles and practices for payment software and software development entities under a single requirements architecture. The two standards within the SSF are the PCI Secure Software Lifecycle (Secure SLC) Standard and the PCI Secure Software Standard, each with a supporting program to manage validations and listings. This blog will focus on the PCI Secure Software Standard, which will supersede PA-DSS as the primary standard for securing payment software. The PCI Secure Software Standard expands on the key principles of protecting payment applications and data, that were first introduced in PA-DSS, and is designed to support a much larger set of payment software architectures, functions, and software development methodologies.

Why is the PCI Secure Software Standard replacing PA-DSS?

Jake Marcinko: The PCI Secure Software Standard offers several key benefits over PA-DSS:

• Greater diversity of software that can be assessed than was previously available
• More agility for modern development techniques and release cycles
• Consistency in use of software security across all PCI standards
• Increased transparency of interim software updates
• Increased flexibility and accountability for software vendors in the achievement of PCI software security objectives
• More emphasis on education within software development community on the importance of payment security

Overall, the PCI Secure Software Standard, and associated validation program, allow for improved flexibility to accommodate various software management approaches, streamlined assessment processes, and simplified listings management. It allows for expanded program eligibility for payment software that is not eligible for validation under PA-DSS.

How is the PCI Secure Software Standard similar to PA-DSS? How is it different?

Jake Marcinko: To better understand how PA-DSS and the PCI Secure Software Standard relate to one another, it is helpful to see a side-by-side comparison. The graphics shown here help to illustrate the similarities and differences between the two. It is important to note that there is not a clear one-to-one exchange in the requirements. Both programs are intended to facilitate the development of secure payment applications and software, and both address secure application design and development.

Where the PCI Secure Software Standard and PA-DSS differ is the PCI Secure Software Standard’s use of requirement “modules.” Modules are groups of requirements that address specific use cases. There are currently two modules in the PCI Secure Software Standard: the “Core” module which includes general security requirements applicable to all payment software, and the “Account Data Protection” module which includes additional security requirements for payment software that stores, processes or transmits clear-text account data. We are planning to introduce a third module, the Terminal Software Module, in December 2020 and expect to introduce additional modules in the future. Given the modular nature of the PCI Secure Software Standard, not all security requirements may be applicable to all software.

What are the major program differences between PA-DSS and the PCI Secure Software Standard?

Jake Marcinko: Overall, the PCI Secure Software program will be more dynamic than PA-DSS, so be prepared for more frequent changes and updates to the standard and its supporting documentation. As modules are added, the Program Guide, Assessor Qualification Requirements, and supporting documentation will be reviewed and updated as needed to accommodate these additions.

Another major difference between PA-DSS and the PCI Secure Software Standard is that vendors have an opportunity to benefit from additional flexibility for maintaining their Validated Payment Software listing by participating in the Secure Software Lifecycle (Secure SLC) program. More information on the value of the PCI Secure SLC Standard can be found in a recent blog.

What is the timeline for transitioning from PA-DSS to the PCI Secure Software Standard? 

Tracey Harrington: The next important dates to note in the transition timeline are June 2021 and October 2022. Submission of new payment applications for PA-DSS validation will be accepted until 30 June 2021. Existing PA-DSS validated applications will remain on the List of Validated Payment Applications and vendors can continue to submit changes as they normally would until the PA-DSS program closes on 28 October 2022. After that date, all PA-DSS validated application listings will be moved to the “Acceptable Only for Pre-existing Deployments” list.

How can all PCI SSC stakeholders prepare for this transition?

Tracey Harrington: A great starting point for all stakeholders is to educate themselves on the PCI Secure Software Standard and the PCI Software Security Framework overall. PCI SSC is now offering informational training. This training is a great fit for any individual who may want to understand what the PCI Secure Software Standard entails, and what to expect from an assessment, but who does not need or may not be eligible to certify as an assessor for that Program.

How can vendors prepare for this transition?

Tracey Harrington: A great first step for vendors is to perform a gap analysis between the PA-DSS and the PCI Secure Software Standard on any applications that are listed for PA-DSS.

How can assessors prepare for this transition?

Tracey Harrington: As part of the closing of PA-DSS in October 2022, the supporting PA-QSA qualification and program will also be retired. For existing PA-QSAs interested in performing PCI Secure Software Standard validations, online training is available for Secure Software Assessors. Remote, instructor-led training with a proctored exam for QSAs, and new assessors, is scheduled this month. Individuals interested in becoming Secure Software Assessors are encouraged to review the Qualification Requirements to identify any gaps and allow enough time to resolve them.

What are some helpful resources to aid in this transition?

Tracey Harrington: The PCI SSC website Document Library is your go-to resource for all the standards and program documents for the SSF. Our PCI SSC blogs are also a great way to get the latest communications on the PCI Secure Software Standard, as well as the PCI Software Security Framework and many other topics. Interested individuals can subscribe to receive these blog posts via email to stay up-to-date with the latest information. Additionally, vendors who are ready to transition can refer to our online listings of PCI Software Security Framework Assessors.

Also on the blog: Resource Guide: Transitioning from PA-DSS to the Software Security Framework