Software Security Framework: Update to version 1.2 with new Web Software Module

14 December 2022

On December 7, the PCI Security Standards Council (PCI SSC) published version 1.2 of the PCI Secure Software Standard and its supporting program documentation. Together with the PCI Secure Software Lifecycle (Secure SLC) standard, the PCI Secure Software Standard forms the PCI Software Security Framework (SSF). In version 1.2 of the Secure Software Standard, minor adjustments were made to remove inconsistencies, clarify intent and standardize the language. Some test requirements have been updated, consolidated or removed. The most important change in version 1.2, however, is the introduction of the new Web Software Module.

New Module: Web Software 

Complementing the core requirements of the Secure Software Standard, the module includes a set of security requirements for payment software that uses Internet technologies, protocols, and languages to support or facilitate electronic payment transactions.  

The Web Software Module comprises four main requirement areas: 

  • Documenting and tracking the use of open-source and third-party software components and APIs in payment software
  • Controlling access to payment software web APIs and other critical assets
  • Mitigating common web attacks  
  • Protecting communications between web-based payment software components 

Updates to the Secure Software Report on Validation (RoV) and Attestation of Validation (AoV) related to the v1.2 release are expected to be released in the first quarter of 2023. 

Impact on already validated and listed payment software 

Payment software that has already been successfully validated and is listed on the PCI SSC's "List of Validated Payment Software" is not affected by the release of the new Web Software Module until its current listing expires. At that point, the payment software must be revalidated against the then-current version of the Secure Software Standard and all applicable modules in order to remain listed as validated payment software. This also applies to web-based payment software that was validated and listed before the release of the Web Software Module but to which the requirements of the Web Software Module now apply.

Impact on the Secure SLC

No changes have been made to the PCI Secure Software Lifecycle (Secure SLC) standard or its supporting documentation with this release. The current version of the Secure SLC remains v1.1. 

Do you have questions about the Secure Software Standard or need assistance with the transition? Get in touch, we are happy to help you.
