Compliance with the PCI SSF Requirements is essential for securing cardholder data (CHD) and other sensitive information as it is stored, processed, or transmitted via software assets. Read on to learn more about the PCI SSF core requirements and how best to apply them in your organization.
Breakdown of the PCI SSF Requirements for Security
Our guide to the PCI SSF Requirements and the changes in the new PCI software security framework will first cover the four security objectives necessary to achieve the PCI SSF protections, along with the Control Objectives that fall under each. Then, we’ll briefly cover the importance of PCI SSF security. Your organization can meet the PCI SSF Requirements with the help of a PCI compliance advisor, who can guide you on compliance best practices.
Let’s dive into the PCI SSF core requirements:
Security Objective: Minimizing the Attack Surface
Minimizing the attack surface of software assets is critical to securing CHD.
By identifying critical assets, securing defaults, and minimizing sensitive data retention, you can protect the confidentiality and integrity of these assets.
Control Objective 1: Critical Asset Identification
To pinpoint which assets are critical in your infrastructure, you should:
- Identify the sensitive data stored, processed, or transmitted by the software assets
- Pinpoint the sensitive functions or resources used by the assets
- Classify critical assets
Identifying and classifying critical assets will help strengthen their overall security and mitigate the risks of data breaches.
Control Objective 2: Secure Defaults
Securing CHD is best achieved if default privileges, features, and functionality are limited to those with secure configurations. The PCI SSF Requirements for securing defaults include:
- Functions exposed by the software assets are enabled by default when they are intrinsic to the software architecture.
- Software security controls, features, and functionalities are enabled when the software is initially installed.
- The use of default authentication credentials or keys for built-in accounts is limited after assets have been installed, initialized, or first used.
- Only the privileges required for software operation can be requested from its execution environment.
- Default privileges are used when necessary for built-in accounts to function.
Keeping defaults secure minimizes the risks of unjustified account use and reduces the overall attack surface.
Control Objective 3: Sensitive Data Retention
Minimizing sensitive data retention reduces the risks of the data being compromised.
The PCI SSF sensitive data retention requirements include:
- Software assets limit sensitive data retention to the data required for the software to function as intended.
- Retention of transient sensitive data is only for the duration required to fulfill legitimate business needs.
- If sensitive data must be retained by software assets, data confidentiality and integrity must be protected.
- Sensitive data is securely deleted when it is no longer required.
- When the purposes for which sensitive data is retained have been met, transient sensitive data is automatically deleted by the software.
- Sensitive data is not disclosed outside of intended channels.
Minimizing the attack surface will keep sensitive data secure during its processing.
Security Objective: Software Protection Mechanisms
To protect the integrity and confidentiality of software assets, you must implement software security controls. Let’s explore the software protection mechanisms required by the PCI SSF:
Control Objective 4: Critical Asset Protection
Protecting critical assets from attack scenarios involves:
- Identifying potential risks to software and attack scenarios
- Implementing software security controls to mitigate attacks
Control Objective 5: Authentication and Access Control
Protecting the confidentiality and integrity of critical software assets involves implementing authentication and access controls. PCI SSF Requirements for Control Objective 5 include:
- Authenticating access to critical assets
- Requiring unique identification to access critical software assets
- Using robust and strong authentication methods that cannot be easily compromised
- Restricting access to critical assets to only those accounts or services requiring default access
Strengthening authentication and access control will keep critical software assets safe from data breach risks.
Control Objective 6: Sensitive Data Protection
Whether at rest or in transit, sensitive data must be protected by:
- Securing sensitive data wherever it is stored
- Safeguarding sensitive data during its transmission
- Ensuring cryptographic tools meet applicable cryptography requirements
Sensitive data protection based on the PCI objectives will keep data safe from threats at rest and in transit.
Control Objective 7: Use of Cryptography
Appropriate use of cryptography will also secure PCI software, especially when:
- Approved and accepted industry-standard cryptographic algorithms are used to secure critical software assets.
- The key-management processes and procedures used by the software are recognized by bodies such as NIST or ISO.
- Random numbers used by the software are generated by industry-standard random number generation (RNG) algorithms.
- The random values have met the minimum effective strength requirements to support cryptographic keys.
When aligned with the PCI SSF objectives, cryptography will keep CHD safe and minimize data breach risks.
Security Objective: Securing Software Operations
The PCI SSF Requirements also require software vendors to secure software operations via Control Objectives 8 and 9:
Control Objective 8: Activity Tracking
Software vendors must track all software activity across critical assets by:
- Tracking and tracing access attempts to unique individuals
- Capturing all activity in detail to describe the who, what, when, and how of activities performed on critical assets
- Ensuring the software can retain detailed activity records
- Preserving activity records in software assets
Activity tracking will increase the visibility into threat risks across software assets.
Control Objective 9: Attack Detection
Detecting attacks and minimizing their impact will help secure software operations.
To comply with PCI SSF Control Objective 9, the software you deploy must be capable of detecting anomalous changes to configurations.
Security Objective: Securing Software Lifecycle Management
Keeping software secure throughout its life cycle reduces gaps and vulnerabilities that could present threats to sensitive PCI data.
The three Control Objectives listed under secure software lifecycle management are:
Control Objective 10: Threat and Vulnerability Management
Vendors are required to assess their payment software for threats and vulnerabilities that could impact data security. PCI SSF threat and vulnerability management entails:
- Conducting assessments of threats and vulnerabilities to software assets and addressing them promptly before they can become full-blown attacks
- Testing third-party applications for threats and vulnerabilities prior to release
Managing threats and vulnerabilities to sensitive PCI data will minimize disruptions to your software payment applications and keep them available for customers to use.
Control Objective 11: Secure Software Updates
Secure software releases help keep your payment applications up-to-date with the latest patches such that vulnerabilities can be easily identified and remediated.
The PCI SSF Requirements for securing software updates include:
- Making software updates for known vulnerabilities available promptly
- Securing the delivery of software releases or updates to avoid compromising software and its code
Patch installation and management often help minimize the impact of threats to vulnerable software applications.
Control Objective 12: Vendor Security Guidance
Stakeholders using applications for processing CHD must be aware of the guidance provided by software vendors on best practices for implementing, configuring, or operating the software.
Module A – Account Data Protection
Maintaining the confidentiality and security of account data minimizes risks that could translate into data breaches. Here, organizations are required to comply with two objectives:
Control Objective A.1: Sensitive Authentication Data
Following authorization, sensitive authentication data should not be retained. Instead, software applications should delete the data, except if it is required for strict business or legal purposes.
Control Objective A.2: Cardholder Data Protection
Software vendors are also required to guide customers on how to securely delete CHD after it has been stored for the customer-defined retention period. Additionally, PAN must be masked to leave only the first six and last four digits or otherwise tokenized to meet business needs.
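The first-six/last-four masking rule above, applied to free text such as log lines so that PAN is not disclosed outside intended channels. This is an added example, not code from this article or from the PCI SSC; the function names are hypothetical, the log lines are constructed, and the card numbers are widely published test numbers.

```python
import re

# Candidates: 13-19 contiguous digits, or 4-4-4-4 groups split by space/hyphen.
# (Assumption: other groupings, e.g. 4-6-5, are normalised before scrubbing.)
PAN_CANDIDATE = re.compile(
    r"(?<!\d)(?:\d{4}[ -]\d{4}[ -]\d{4}[ -]\d{4}|\d{13,19})(?!\d)"
)

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub(text: str) -> str:
    """Mask every Luhn-valid PAN candidate found in free text."""
    def _replace(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        # The Luhn check keeps order ids and similar numbers from being mangled.
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_replace, text)

# Constructed sample log lines (test card numbers, not real accounts).
SAMPLE = [
    "auth ok pan=4111111111111111 amount=12.50",
    "retry card 5500-0000-0000-0004 declined",
    "order id 1234567890123456 shipped",  # 16 digits, fails Luhn: unchanged
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(scrub(line))
```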
The Importance of SSF
The PCI SSF Requirements apply to any organization that processes data using software payment applications. PCI SSF compliance boosts security resilience and minimizes the risks of cybercriminals successfully targeting your software assets.
Final Thoughts
Staying ahead of cybercriminal attempts to steal sensitive data or compromise its integrity, availability, and confidentiality requires compliance with the PCI SSF Requirements. Partnering with a PCI compliance specialist like RSI Security will help you protect data in the long term.