Leveraging PCI SSF for eCommerce

In the world of eCommerce, digital storefronts make it easier than ever for B2C and B2B clients to find the goods and services they need and pay for them swiftly—and securely. Adhering to the PCI SSF helps ensure secure payment processes, allowing business operations to remain protected and uninterrupted.

Is your eCommerce operation fully PCI SSF compliant? Schedule a consultation to find out!

 

How the PCI SSF Interacts with eCommerce

The Payment Card Industry (PCI) Software Security Framework (SSF) is a new standard aimed at securing payment software from the point of its development and sale. The PCI’s Security Standards Council (SSC) introduced it in 2019 in an effort to expand coverage of its security governance across various industries and organizations, including eCommerce.

Appreciating how the PCI SSF secures eCommerce requires understanding:

• How it applies to payment software developers and vendors using an eCommerce model
• How it applies to other eCommerce merchants that utilize payment platform software
• How to ensure PCI SSF compliance for all stakeholders in the eCommerce ecosystem

Ultimately, any eCommerce merchant that sells or uses payment software is impacted by the PCI SSF either directly or indirectly. Knowing the extent of its coverage and rules and how your organization can leverage them to streamline payments will put you in a position to succeed.

 

eCommerce Merchants Who Sell Payment Software

The most direct application of the PCI SSF in eCommerce is to eCommerce merchants who happen to develop, sell, or manage payment software. The framework has two components, one or both of which may apply to an organization depending on its positioning. And, even for software merchants for whom neither half applies, it can be helpful to understand the inner workings of its rules in case future business ventures entail payment processing software.

If you sell software products or services, they might one day include PCI SSF-eligible functions.

With respect to the framework itself, the SSF has two component parts: the Secure Software Standard and the Secure Software Lifecycle Standard (Secure SLC). The former applies to vendors and managers of online payment software, but the latter applies to its developers

Below, we’ll explain the implications of each and how to comply with one or both frameworks.

 

Payment Software Vendors and Managed Service Providers

The Secure Software Standard portion of the SSF applies to payment software vendors. If your business sells software products or services that include payment processing functions, it will apply to you directly. Leveraging PCI SSF compliance is a best practice for ensuring security across your offerings, and it’s also mandatory for getting your software into buyers’ hands.

Compliance with the Secure Software Standard means implementing its Core Requirements, which break down into 12 Control Objectives across four main categories in the framework:

• Minimizing the Attack Surface

• • • Control Objective 1: Identifying critical assets
    • Control Objective 2: Implementing secure defaults
    • Control Objective 3: Retaining sensitive data securely

• Software Protection Mechanisms

• • • Control Objective 4: Protecting critical assets
    • Control Objective 5: Implementing access control
    • Control Objective 6: Protecting sensitive data
    • Control Objective 7: Implementing cryptography

• Software Operations

• • • Control Objective 8: Tracking activity
    • Control Objective 9: Detecting attacks

• Software Lifecycle Management

• • Control Objective 10: Managing threats and vulnerabilities
  • Control Objective 11: Implementing security updates
  • Control Objective 12: Providing implementation guidance

In addition, there are Modules for particular kinds of payment infrastructure. If your organization sells or manages them, you’ll need to apply these supplemental controls in addition to the core:

• Module A: Account Data

• • • Control Objective A.1: Authentication data protection
    • Control Objective A.2: Cardholder data protection

• Module B: Terminal Software

• • • Control Objective B.1: Documentation for terminal software
    • Control Objective B.2: Secure design for terminal software
    • Control Objective B.3: Attack mitigation for terminal software
    • Control Objective B.4: Security testing for terminal software
    • Control Objective B.5: Implementation guidance for terminal software

• Module C: Web Software

• • Control Objective C.1: Component and service security
  • Control Objective C.2: Access controls for web software
  • Control Objective C.3: Attack mitigation for web software
  • Control Objective C.4: Secure communications for web software

Implementing and managing these controls effectively will help you maximize your clients’ security. It will make you a trusted vendor across payment and other software you offer.

 

 

Payment Software Developers

The Secure SLC portion of the SSF applies to software development. So, if your organization is responsible for the creation of payment software, you’ll need to implement the Secure SLC into the development process. Leveraging PCI SSF controls is a best practice and a requirement.

The Secure SLC Standard is organized similarly to its counterpart above. Its controls include:

• Software Security Governance

• • • Control Objective 1: Responsibilities and resources
    • Control Objective 2: Policies and strategies

• Secure Software Engineering

• • • Control Objective 3: Threat identification and response
    • Control Objective 4: Vulnerability detection and mitigation

• Secure Software and Data Management

• • • Control Objective 5: Change management
    • Control Objective 6: Integrity protections
    • Control Objective 7: Sensitive data protections

• Security Communications

• • Control Objective 8: Vendor implementation guidance
  • Control Objective 9: Stakeholder communications
  • Control Objective 10: Update information

It’s worth noting here that many developers of payment software are also directly responsible for its sale. That means, in many cases, both the Secure SLC and Secure Software Standard apply.

 

eCommerce Merchants Who Use Payment Software

A slightly less direct application of PCI SSF in eCommerce is to merchants who use payment processing software to fuel their marketplaces. These merchants need to make sure that the platforms they’re using are fully compliant, whether they’re leveraging third-party apps or building a custom platform in-house. That means monitoring for compliance when shopping around for a solution, implementing one or more apps, and managing payments long-term.

One of the main goals of the SSC in developing the SSF was to make it more widely applicable than its predecessor, the Payment Application Data Security Standard (PA-DSS). It secures payment software in all contexts where it is used, and companies that might not have been covered by the PA-DSS or the general PCI Data Security Standard (DSS) now need to ensure that payment platforms they develop or use are compliant—including eCommerce merchants.

 

Sellers Who Use Third-Party Payment Platforms

If your eCommerce business outsources its payment processing functionality, then you’ll still need to ensure that the payment software you’re using is compliant. On one level, this means screening for PCI SSF compliance when comparing vendors. You should seek out providers who are vigilant about compliance and security, releasing updates regularly to address any potential issues in their software. Transparency is also critical; you want a partner that’s communicative about risks, concerns, and measures they’re taking to address them.

On another level, eCommerce merchants should also be conducting their own monitoring, especially looking at the connections between third-party apps. Vendors may monitor their own software products diligently but may not (or may not be allowed or able to) monitor connections with other third-party interfaces. Working with an advisor can help ensure all PCI compliance requirements are being met both across the software itself and any systems it interacts with.

 

Sellers Who Develop Their Own Payment Platforms

An eCommerce vendor who develops and maintains its own payment infrastructure in-house will enjoy a greater degree of control and flexibility when it comes to adding features, making changes on the fly, and integrating payment processing with other key systems. However, one challenge is that custom systems still need to be PCI SSF compliant, and there’s no opportunity to share the burden of compliance monitoring with an external vendor or developer team.

Additionally, eCommerce merchants in this position actually need to account for both halves of PCI SSF compliance—the Secure SLC Standard and the Secure Software Standard—since they’re both developing payment software and managing payment software as a solution.

It is highly recommended for organizations in this category to work with a dedicated PCI SSF compliance partner to streamline control implementation, management, and monitoring.

 

 

Ensuring PCI SSF Compliance Across eCommerce

If your eCommerce operation needs to comply with one or both halves of the PCI SSF, you should consider working with an accredited PCI SSF advisor. A quality compliance partner will help you scope out your implementation to determine which controls need to be applied, where, and how. They’ll perform gap analyses to illustrate how much work needs to be done to bring software and/or its development processes up to speed. And they’ll work with you to implement, maintain, and monitor your controls long-term to ensure seamless PCI SSF compliance.

One of the biggest benefits of working with a PCI SSF advisory partner is that you can focus your resources on getting customers to your eCommerce platform and closing sales with the peace of mind that the backend transactions are keeping them—and you—completely safe.

 

Other PCI Compliance Considerations for eCommerce

In addition to the two parts of the PCI SSF, eCommerce merchants may need to comply with the DSS framework. The SSC made it clear that SSF and DSS eligibility apply independently of one another. While the SSF is focused on payment software, the DSS looks more holistically at payment processing and the collection of cardholder data (CHD). If your organization collects, stores, processes, or comes into contact with CHD, you likely need to comply with the DSS.

As with the SSF, the PCI DSS breaks down into a set of controls you need to implement:

• Building and Maintaining Secure Networks and Systems

• • • Requirement 1: Installing and maintaining network security controls
    • Requirement 2: Applying secure configurations to system components

• Protecting Account Data in Storage and Transit

• • • Requirement 3: Protecting account data stored across all systems
    • Requirement 4: Encrypting account data before open-network transmission

• Maintaining Vulnerability Management

• • • Requirement 5: Protecting systems from malicious software
    • Requirement 6: Developing secure systems and software

• Implementing Access Control Measures

• • • Requirement 7: Restricting access by business need to know
    • Requirement 8: Authenticating access to system components
    • Requirement 9: Restricting physical access to CHD

• Monitoring and Testing Networks

• • • Requirement 10: Logging and monitoring access to CHD
    • Requirement 11: Testing system security regularly

• Maintaining Information Security Policies

• • Requirement 12: Supporting security with policies and programs

Many organizations are in a position where they need to implement these controls along with the Control Objectives for the Secure SLC and the Secure Software Standard. The best way to streamline the process and ensure long-lasting security is to work with an advisory partner.

 

Streamline eCommerce Compliance and Security with PCI SSF

No matter what you’re selling, success in eCommerce depends on seamless, secure transactions. The PCI SSF helps ensure payments are processed securely by requiring payment software to follow rigorous guidelines. If you’re selling or using such software, you’ll need to abide by those guidelines completely. And in many cases, that can be challenging.

RSI Security is committed to helping eCommerce organizations meet their PCI obligations effectively, securing their payment infrastructure to protect their clientele. We believe discipline upfront unlocks the freedom to grow, and we’ll help you rethink your cybersecurity to that effect.

To learn more about our PCI SSF compliance services, contact RSI Security today!

 

Contact Us Now!