Of late we have been receiving numerous calls from software developers requesting us how on earth do they become PCI-DSS certified.
It’s never easy to explain over the phone, especially with misconceptions that PCI-DSS is a license, or a software, or a solution, or some sort of exam or some other thing. And also, how do we go about explaining to them that technically they don’t (or can’t) be PCI certified as a software vendor, but they can opt for PA-DSS or the new Secure Software Standard from PCI.
So the first thing to ask is (assuming this application/solution is handling credit card information):
a) Are you developing software only and selling that software to your customers?
b) Are you developing a solution where you are hosting and managing and allowing clients?
If it’s a), applicability of PCI-DSS is simply on your customer that is buying your software, not on you as a company. After all, you generally don’t handle credit card – your customer does. However, your software is likely in scope for their PCI-DSS assessment, so there could be an instance where you need to participate in your client’s assessment or to develop your software in a manner where it would be “PCI Compliant”. Developing a PCI compliant software doesn’t make it certified, but it does assist in helping your clients getting certified. An example would be to develop your solution with logging capability and able to log to a central location. Another example is your solution being able to integrate with AD, or to have PCI compliant password policies (session timeouts, password expiry etc). Other examples are to ensure there is Role Based Authentication and Authorisation. Or ensuring encryption is properly done for data at rest and in transit. By doing these doesn’t make it immediately PCI certifiable – but it does provide your client with less headache.
If it’s b), then yes, you are not considered just a software developer but a service provider. You are providing SAAS, so generally that makes you responsible for the day to day security of card data in behalf of your client. In that case, PCI-DSS is able to be applied to you on your solution and your process.
As with PA-DSS, the new Secure Software Program applies to the following software:
Software products involved in or directly supporting or facilitating payment transactions that store, process, or transmit clear-text account data.
Software products developed by the vendor that are commercially available for sale to multiple organizations.
So all the CRM systems, call systems, in house systems, customised systems are all not eligible for PA-DSS or the new program. This is typically in line with what has always been, anyway.
So that leaves us back to square one. What happens if you are not eligible for PA-DSS or Secure Software program and you are just a software developer and NOT a service provider, but your client is insisting on you being PCI-DSS certified?
Well, hopefully you can explain to them or point them out to this article. Another option you can have is to say you have developed your software that is compliant to PCI requirements. The following list shows what it should take to address PCI compliance (not comprehensive):
1. Requirement 2 – Ensure no clear text for administrative access
2. Requirement 3 – Application is transmitting /store and strong encryption needed
3. Requirement 4 – Application must encrypt when transmitting over public network
4. Requirement 6 – Software development process – secure code review, remove test data before rolling to production, ensure application is patched, prompt when bugs are discovered.
5. Requirement 8 – ensure the application can support PCI DSS password requirements, password is encrypted at rest and transmission
6. Requirement 10 – the application is capable of sending logs to the SIEM, Application penetration testing is conducted and documented what methodology of testing is used.
|Requirements affecting Software: Sample Evidences|
|For all system components in scope (servers, network devices, applications, databases, etc.) and POS devices, provide evidence of strong cryptography being implemented (ssh, TLS 1.2 or later, RDP over TLS etc.)|
|Provide the following for all filesystems, databases and any backup media|
– Details on method (encryption, hashing, truncation, tokenization) being used to protect covered information in storage
– Evidence (screenshots or settings) showing covered information is protected
|Provide evidence of encryption being used for transmission of in-scope data over any open or public communication channel (i.e. Internet, Wireless network, GSM, GPRS, VSAT technology etc.). Encryption must confirm to strong industry standards.|
|For the selected sample, provide evidence of,|
– Current patch levels
– Patches being deployed in a timely manner
|Provide secure software development process document in accordance with industry best practices|
|Provide a recent secure code review report for an application that stores, processes or transmits covered information.|
|Provide a document that outlines|
– the process for generating test data to be used in lower (test/development) environments.
– the process for removing test data and test accounts prior to moving the system to higher (production) environment.
|Provide 4 sample change request (2 for software modification and 2 for security patch implementation) from the last 6 months.|
|Provide the following from a secure code training perspective|
– Material used for training
– Attendee list showing that all developers are covered
|Provide evidence of logical access account and password features to include,|
– Account lockout policy
– Account lockout duration
– Session timeout policy
– Password length
– Password complexity
– Password history
– Password expiry
|Provide evidence that passwords (for platform and/or consumer applications) are encrypted during transmission and storage.|
|Provide the audit log policy settings.|
|Provide actual event logs for each of the platforms identified in the sample.|
|Provide a documented methodology being used for penetration testing.|
|Provide internal penetration test report.|
You would get stuck if your clients want to see the PCI-DSS certification, which obviously you won’t have. In this case, the only way forward is to talk to them saying it’s not possible for you to be PCI certified in that sense. If you want, you could actually engage a third party auditor or even a QSA to assess the application based on PCI requirements. You won’t get a certificate for PCI, but at least you have a third party attestation or report, which hopefully should be enough.
Another option is to just get a hold of us at firstname.lastname@example.org and we can maybe provide a bit more persuasion to your client in accepting your application for PCI-DSS!