PCI Compliance Standards Are Changing. Here’s What You Need to Know.
I'm excited to be talking with you on my birthday. With a small twist in tradition, here is my gift to you: compliance updates! Most of you are familiar (maybe too familiar) with what PCI compliance is, what it's for, and how it works. However, you might not yet be up to speed on upcoming changes to the PA-DSS program and the soon-to-be-released changes for PCI v4.0. I recently attended the North America PCI Community Meeting, where these were both hot topics of conversation as the industry tries to understand the impact. It can be difficult to stay on top of how PCI compliance changes impact our business processes, so I'm happy to share TouchNet's perspective.
The most recent PCI compliance upgrade goes into effect in early 2020. Schools that work with a third party like TouchNet just need to be aware of the changes their vendors make. For schools that store card data on campus, these changes will be much more impactful.
Goals for PCI DSS v4.0
First, let's take a look at the PCI Data Security Standard (DSS) v4.0 for which the PCI Security Standards Council (SSC) has set goals.
These high-level goals are intended to lead the industry's current discussion about what goes into the final 4.0 release. With a first draft released in October 2019, the request-for-comment period is now open and Participating Organizations (PO), Qualified Security Assessors (QSA), and Approved Scanning Vendors (ASV) can provide the PCI SSC with their feedback on the proposed rule changes. As a PO, we are currently working with our Global Payments partners to review these changes and provide feedback on how they will impact our higher education merchants.
Prior to announcing the potentially impactful changes coming with version 4.0, the PCI SSC released the Software Security Framework (SSF) and announced the discontinuation of PA-DSS in October 2022.
What will take the place of PA-DSS?
The new SSF is a more objective-based approach designed to modify the scope of PA-DSS and support the secure design, development, and maintenance of existing and future payment software. This new framework is intended for vendors like TouchNet that develop payments industry software. The SSF expands the previous validation options by creating two separate programs for validation, Secure Software Lifecycle (Secure SLC) and Secure Software Program. This change is expected to:
- Expand the range of software eligible for validation
- Enable software vendors to demonstrate their development practices and payment software products
- Address overall software security resiliency and ability to protect payment data
Program 1: Secure Software Lifecycle (Secure SLC)
Payment software vendors that validate to the Secure SLC Standard verify they have mature, secure software lifecycle management practices in place to ensure their software is designed and developed to protect payment transactions and data, minimize vulnerabilities, and defend against attacks. Once a vendor is successfully evaluated by a Secure SLC Assessor, they are listed on the PCI SSC List of Secure SLC Qualified Vendors.
Program 2: Secure Software Program
Payment software vendors that validate to the Secure Software Standard show their payment software product is designed, engineered, developed, and maintained in a manner that protects payment transactions and data, minimizes vulnerabilities, and defends against attacks. Initially, this program is specific to payment software products that store, process, or transmit clear-text account data, are commercially available, and are developed by the vendor for sale to multiple organizations. The goal is that as new modules are added to the Secure Software Standard to address other software types, use cases, and technologies, the program scope will expand to support them.
Under both the Secure SLC and Secure Software Program, SSF Assessors will evaluate vendors and their payment software products against these new standards, which also means there will be a new list of SSF Assessors coming soon.
What do these changes mean for you?
OK – that was a lot of acronyms. So what do these changes mean for your school? It all depends on whether you use a payment software vendor and where your customers' card data resides.
- For TouchNet software customers, we've got you covered! Our PA-DSS validation is good through October 2022. In the meantime, we're working with our QSA to determine how we implement these new standards. Therefore, your PCI scope will remain the same.
- If you have other campus vendors, it's time to review information and ask questions. If card data resides on their servers, the impacts to you will most likely be minimal since the scope of your responsibility is small. Your payments software vendor will be responsible for most of these program updates, but you will want to make sure they stay up to date with these new programs.
- If you are responsible for your own payments processing and store customer card data on your own servers, you should review the Secure SLC and Secure Software Program to determine how they apply to your campus.
If you have any questions, here's one last gift: You'll find a virtual treasure trove of information on the official PCI SSC website, including FAQ sections here and here.