Page 36 - GS180302
CoverStory
composed of Secure Software Lifecycle Requirements and Software Security Requirements. The latter will eventually be a modular type standard with modules for different types of software.

"Payment software is being pushed to market in much shorter cycles, sprints really," Leach said. "When we created the original PA-DSS program, it was much simpler at that time. You had a lot more proprietary platforms that payments were being processed on, and dedicated, limited terminals." Today open cloud-based platforms and smart devices run software applications across multiple environments, he added.

"With the software lifecycle standard, we want to make sure there is a good security process in place through the design, development, production and maintenance of that software after it's been released and still being used in the marketplace," Leach continued. "We're really excited about how flexible, how transparent and how dynamic we can make security with this new standard."

The council's request for comment on the proposed standard is expected to draw important PCI SSC member feedback by the comment period's mid-April deadline, as will input received during PCI SSC community meetings scheduled this fall in Las Vegas and London. Shortly thereafter, the PCI SSC plans to draft final content for the new standard.

"The most important part of this program will be to provide new ways to test and validate the security of the software, both the PA-DSS applications that are validated today, as well as new types of applications," Leach said, noting that the transition from PA-DSS is a critical element in the path forward. "The very first priority and first listings for this new standard will be associated with grandfathering in existing PA-DSS applications, as some being validated now will have a shelf life of up to 2022," he added.

Small Merchant Taskforce update

In May 2015, the PCI SSC formed the Small Merchant Taskforce to collaborate on guidance and resources to simplify data security and PCI compliance for small merchants. "What we've done in the task force over the last few years is looked at creating simpler ways of understanding security concepts," Chris Bucolo, Director of Market Strategy at Controlscan Inc., said in a webinar with Conexxus.

Bucolo pointed out that in the initial phase, the Small Merchant Taskforce worked to segment processing methods into individual risk categories and identified the threats most likely to be associated with each category; for example, POS systems versus standalone devices.

"This year we will be releasing Data Security Essentials for what we call low- to medium-risk scenarios, meaning that in certain high-risk scenarios, we still think an SAQ (self-assessment questionnaire) is appropriate, but we are going to let the acquirers and card brands make a determination if they want to offer those as alternatives to SAQs," Bucolo noted.

He believes, with the consolidation of concepts and fewer questions, every effort is being made to simplify PCI compliance based on risk. According to Leach, the current framework details approximately 17 small merchant payment environment security scenarios; the next iteration will include additional ecommerce scenarios.

"We're putting the categories of security controls into better organization in preparation for a future release of the Data Security Essentials validation framework," Leach said. The framework is expected to be released later this year.