List of 100 validated software products available on PCI website
The list of validated payment software provided on the Payment Card Industry Security Standards Council website reached the 100-product milestone in March 2023. These software products support compliance with several PCI standards—including the PCI Data Security Standard, an approved security framework used by members of the payment card industry throughout the U.S. and globally.
Cardholder Data Remains Attractive to Cyberthieves
Like every industry, the payment card industry is vulnerable to hacking, data theft, and other cybercrimes. Poor security practices, non-compliant security programs, and occasional lapses in security provide abundant opportunities for cybercriminals to steal cardholder data for use or sale on the dark web.
Second only to healthcare data, which commands the highest value per record on the dark web, payment cardholder data is also immensely desirable and profitable. Exploitable vulnerabilities that put data at risk can appear anywhere in the payment processing ecosystem. They may occur at the merchant level (point of sale), in software and systems used by third-party service providers (TPSPs), and in software and systems used by the financial institutions that support merchants and process card transactions.
No individual cardholder wants to learn that their data has been compromised, and no merchant wants to put their business in jeopardy by enabling a cardholder data breach. Nor do the major payment card brands, which govern the industry, look kindly on data breaches or other security incidents among industry members.
Solutions from the PCI Security Standards Council
Understanding the appeal of cardholder data for cybercriminals, the Payment Card Industry Security Standards Council (PCI SSC) brings together payment industry stakeholders to develop and drive adoption of data security standards and resources that help enable safe card payments worldwide.
The Council maintains several security standards and frameworks. One, the Data Security Standard (PCI DSS), guides members of the payment card industry in establishing and maintaining effective security safeguards for cardholder data. Another, the Software Security Framework (PCI SSF), is a collection of standards and programs governing the secure design and development of payment software.
The Council qualifies companies to perform two types of assessments against the Software Security Framework: Secure Software assessments and Secure Software Lifecycle assessments.
Once qualified, these assessors are able to evaluate payment software solutions, validating their security and thereby promoting a high degree of user confidence in these secure payment software applications.
How the Validation Process Works
The PCI Security Standards Council website lists validated software applications and other products that have been assessed and validated by qualified third parties for compliance with PCI payment security standards.
Software validation is determined solely by Council-qualified assessors, which may include laboratories, based on their evaluation of the software. Their evaluation is documented in a validation report submitted to the Council. Although the Council reviews reports for quality assurance purposes, it doesn’t independently confirm the findings or information contained in the reports. It also does not perform any testing or analysis of the corresponding software or related functionality, performance, suitability, or compliance with the applicable standard. The Council does not endorse or recommend any products.
Two Types of Software Validations Are Available
Two standards govern the validation of software solutions that are offered on the Council website. The Secure Software Standard and the Secure Software Lifecycle Standard each serve a distinct purpose, although they are closely related.
Payment Software Security Validation
Payment software vendors can choose to have their software validated to the Secure Software Standard, which provides merchants and service providers the confidence that those software products have been assessed against a stringent set of software security requirements specific to the payment card industry.
According to Jake Marcinko, Senior Manager of Solutions Standards at the PCI Security Standards Council, the security of payment software is a critical part of the payment transaction flow, and is “essential to enabling reliable, accurate payment transactions.”
“Validation to the Secure Software Standard,” says Marcinko, “shows that a product is designed, engineered, and developed in a way that protects transactions and minimizes vulnerabilities.”
Software Lifecycle Security Validation
In addition, payment software vendors can ask to have their software validated against the Secure Software Lifecycle Standard. Taking this second step enables vendors to demonstrate that they have secure software lifecycle management practices in place.
This validation provides industry members with the additional assurance that their payment software will remain secure throughout its lifecycle.
List of Validated Payment Software
There are now 100 software products on the list of validated payment software, and the list continues to expand. Software categories include payment gateway/switch, payment middleware, point-of-sale, and automated fuel dispenser software. A few examples of these include Aspen, ChargeItPro, Open EPS, QuickBooks Desktop, Self Storage Manager, Store Management Suite, Suite Phillips66, Suite Shell, Transaction+, and Vynamic Connection Points (VCP) 6.
The complete list of 100 validated software products can be viewed, filtered, and downloaded from the PCI website.
How Validated Software Supports PCI DSS 4.0 Compliance
We’ve mentioned that the PCI Data Security Standard (PCI DSS) guides industry members in establishing and maintaining effective security safeguards for cardholder data within their organizations. This standard requires members to achieve 12 overall compliance requirements in order to meet six overarching security goals.
With the introduction of v4.0 of the standard in March 2022, a total of 64 new sub-requirements were added, each relating to one of the 12 primary compliance requirements. Of these 64 new additions, 53 requirements (83%) apply to all payment card industry members, from merchants to banks to third-party service providers. The other 11 new additions apply exclusively to TPSPs. Complete compliance with the PCI DSS entails meeting all applicable requirements.
Of the 64 new requirements, 13 became effective in March 2022 for all assessments to the PCI DSS 4.0 standard. The remaining 51 new security requirements must be completely implemented by March 31, 2025.
To meet PCI DSS requirements and comply with the standard, members of the payment card industry rely in part on secure payment software to support their particular payment processes. Industry members can choose from among the 100 validated software solutions now listed for their convenience on the PCI Council website. The list of validated solutions will continue to grow as the Council delivers more resources to its members.
Like all industries, the payment card industry is vulnerable to cybercrime. As part of its mission, the Payment Card Industry Security Standards Council offers numerous resources to help industry members achieve robust security for their cardholder data. One such resource is a list of secure payment software products that have been validated by Council-qualified third-party secure software assessors.
Payment card industry members, who range from merchants to third-party service providers to financial institutions, must meet PCI Data Security Standard requirements for the protection of cardholder data throughout the payment lifecycle. The resources offered by the Council, including validated payment software, can assist members in efficiently achieving Data Security Standard compliance and data security.
Need help with compliance? 24By7Security is a PCI Qualified Security Assessor (QSA) certified to conduct assessments against the PCI Data Security Standard, including v4.0.