Information Security Newspaper | https://www.securitynewspaper.com/

PCI Security Standards Council (PCI SSC) releases PCI Secure Software Standard v1.2
https://www.securitynewspaper.com/2022/12/13/pci-security-standards-council-pci-ssc-releases-pci-secure-software-standard-v1-2/
Tue, 13 Dec 2022 19:54:18 +0000

By offering industry-driven, adaptable, and efficient data security standards and programs that assist businesses in identifying, mitigating, and preventing cyberattacks and breaches, the PCI Security Standards Council (PCI SSC) is at the forefront of an international, cross-industry effort to strengthen payment security.

PCI Secure Software Standard version 1.2 and its related program documentation were both published today by the PCI Security Standards Council (PCI SSC). The PCI Secure Software Standard is one of the two standards included in the PCI Software Security Framework (SSF). The standard and its security criteria help ensure that payment software is designed, created, and maintained in a way that safeguards payment transactions and data, reduces vulnerabilities, and deters attacks.

The Web Software Module is a set of supplemental security requirements introduced with version 1.2 of the PCI Secure Software Standard. These requirements were created to address the most common security issues associated with the use of payment technologies that are accessible via the internet.

The PCI Secure Software Standard is intended to provide a more adaptable method for testing the safety and integrity of payment software than the one now in use. The Web Software Module was developed to help software manufacturers and developers determine and implement appropriate software security controls to protect against common web software attacks.

Within the scope of the Web Software Module, there are a total of four high-level requirement categories:

  1. Documenting and tracking how payment software makes use of open-source software, third-party software components, and APIs.
  2. Managing access to payment processing software, application programming interfaces (APIs), and other vital resources.
  3. Defending against frequent attacks on the web.
  4. Keeping secure the communications between the various components of web-based payment software.

PCI's preliminary efforts to introduce the Software Security Framework have been successfully concluded with the release of the brand-new Web Software Module, which is included as part of the Secure Software Standard version 1.2. The next phase of development for the SSF will concentrate on providing further advice, improving the requirements that are already in place, and addressing emerging and developing payment technologies, threats, and attack methodologies.

Payment card industry releases new PCI DSS v4.0 security standard
https://www.securitynewspaper.com/2022/04/01/payment-card-industry-releases-new-pci-dss-v4-0-security-standard/
Fri, 01 Apr 2022 19:12:37 +0000

The PCI Security Standards Council (SSC), the organization dedicated to overseeing the Payment Card Industry Data Security Standard (PCI DSS), announced the release of PCI DSS v4.0, which will replace version 3.2.1, released in 2018. With this new version of the standard, the organization seeks to address emerging threats and technologies, in addition to enabling innovative methods to combat new threats to the integrity of users’ payment information.

The new standard, detailed in a 360-page document, was created based on feedback from more than 200 members of the payments industry globally. A summary of the changes is presented in a document with technical details.

Cybersecurity specialists report that the most prominent changes in this new release include the implementation of multi-factor authentication for all access to cardholder data environments, as well as replacing the term “firewall” with “network security controls” to support a wider range of data security technologies.

The implementation of updates to the new standard could take an indefinite time, so the current version will remain active until March 2024. The PCI SSC noted that some of the new requirements are initially considered best practices, but will take effect on March 31, 2025. After this date, they will be considered in their entirety in PCI DSS assessments.

Cybersecurity specialist Tim Erlin believes this update came at an ideal time: “Any additional emphasis on secure configuration of systems is a welcome addition to cybersecurity best practices. Although the previous version of PCI DSS addressed secure configuration, its limit came to changing default passwords.”

The expert adds that the new version focuses on the Zero Trust standard for authentication and authorization, with permissions based on dynamic analysis of security posture, providing access to resources in real time as an alternative to password rotation.
