On January 17, 2019, the Payment Card Industry Security Standards Council (the “Council”), a payment industry association, released a new framework for PCI software security – the PCI Software Security Framework – to assist companies in designing and maintaining secure software for processing payment transactions. The framework includes two standards: the PCI Secure Software Standard and the PCI Secure Software Lifecycle Standard. Both Standards are aimed at staying ahead of rapid developments in payment applications.

The Framework as a whole introduces objective-based security practices that can support existing ways to demonstrate strong application security and a variety of newer payment platforms and development practices. Troy Leach, the Council’s chief technology officer, underscored the Framework’s importance and said that it “provides assurance to users of the software that as development practices evolve, the payment applications they rely upon will remain independently evaluated for security vulnerabilities.” Later this year, the Council will introduce a tool for businesses to validate their payment systems against the Framework.

The PCI Secure Software Standard includes security requirements and assessment procedures to ensure payment software adequately protects the integrity and confidentiality of payment transactions and data. The Standard identifies key security principles such as sensitive data protection, access control, and attack detection. The Secure Software Standard is intended for payment software that is sold, distributed, or licensed to third parties for the purpose of supporting or facilitating payment transactions. However, the Council also encourages organizations that develop payment techniques in-house to utilize these same practices.

The Secure Software Lifecycle Standard outlines requirements and procedures for software vendors to validate their processes for properly managing the security of payment software throughout its lifecycle. Key aspects of the Standard include addressing “governance, threat identification, vulnerability detection and mitigation, security testing, change management, secure software updates and stakeholder communications.” Both Standards were developed with input from industry participants, including software vendors, assessors and other payment security experts.

The new guidelines replace the Council’s existing Payment Application Data Security Standard (“PA-DSS”). PA-DSS focused on software development and lifecycle management principles for security in traditional payment software. The new guidelines are an advancement beyond the PA-DSS to address overall software security resiliency. The PA-DSS will be retired in 2022, and payment applications will be assessed under the PCI Software Security Framework at that time. There will be a transition period for current investments in PA-DSS until its expiration in 2022.

Mike Nonaka

Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.

He specializes in providing advice relating to federal and state licensing and applications matters for banks and other financial institutions, the development of partnerships and platforms to provide innovative financial products and services, and a broad range of compliance areas such as anti-money laundering, financial privacy, cybersecurity, and consumer protection. He also works closely with banks and their directors and senior leadership teams on sensitive supervisory and strategic matters.

Mike plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as bitcoin and other cryptocurrencies, blockchain, big data, cloud computing, same day payments, and online lending. He has assisted numerous banks and fintech companies with the launch of innovative deposit and loan products, technology services, and cryptocurrency-related products and services.

Mike has advised a number of clients on compliance with TILA, ECOA, TISA, HMDA, FCRA, EFTA, GLBA, FDCPA, CRA, BSA, USA PATRIOT Act, FTC Act, Reg. K, Reg. O, Reg. W, Reg. Y, state money transmitter laws, state licensed lender laws, state unclaimed property laws, state prepaid access laws, and other federal and state laws and regulations.