The PCI Security Standards Council is creating a payments software framework, including two new standards that can evolve as the software rapidly changes, says Troy Leach, the council's CTO.
A new software security standard is needed, Leach says in an interview with Information Security Media Group, because "we want to have a way to incorporate good security practices, and just as important, good security testing of those applications."
A second standard for software lifecycle requirements now in development is designed to help developers demonstrate that they have ongoing practices in place to minimize security risks through all phases of development and updates, he explains.
The new standards, which likely will be released in the middle of next year, are in addition to the more limited PCI Data Security Standard requirements for demonstrating steps for building good security practices into software, Leach says.
In the interview, Leach:
- Discusses why it's important that the new standards can evolve more rapidly than the council's other standards;
- Describes two other new standards in development that are designed to help improve authentication of online and mobile transactions;
- Reviews ransomware concerns and mitigation steps.
In his role as CTO at the PCI Security Standards Council, Leach partners with council representatives, PCI participating organizations and industry leaders to develop comprehensive standards and strategies to secure payment card data and the supporting infrastructure. He is a congressional subject-matter expert on payment security and is the current chairman of the council's standards committee.