Document Comparison
PCI-Secure-Software-Standard-Summary-of-Changes-v1_1-to-v1_2.pdf → PCI-Secure-Software-Standard-v2.0-Summary-Of-Changes.pdf
8% similar
Pages: 7 → 7
Words: 1621 → 1498
Content changes: 12

Content Changes
12 content changes. 10 administrative changes (dates, page numbers) hidden.
Added
p. 1
Payment Card Industry (PCI) Secure Software Standard Summary of Significant Changes from v1.2.1 to v2.0
PCI Secure Software Standard v2.0 - Summary of Significant Changes

This document provides an overall summary of significant changes from the PCI Secure Software Standard (the Standard) v1.2.1 to v2.0.

Note: This is a major revision. As such, there isn’t a definitive one-to-one mapping from v1.2.1 to v2.0. Contextually, the revised Security Objectives are denoted below. Where possible, mapping information is provided.

SECURE SOFTWARE (v1.2.1) | SECURE SOFTWARE (v2.0) | DESCRIPTION OF CHANGES

Global Changes
Payment Software | | The term “Payment Software” is removed from v2.0. Refer to the new context of “Sensitive Assets”.
| New External Document - Sensitive Asset Identification | A new external companion document relative to Sensitive {Assets, Data, Functionality, Resources} now exists. This document, in part, provides additional context for these terms in addition to examples. This document is a mandatory companion document to the PCI Secure Software Standard v2.x and part of …
Added
p. 3
‘Critical Asset’ is now ‘Sensitive Asset’ & rewritten
‘Sensitive Data’ definition revised
‘Sensitive Function’ is now ‘Sensitive Functionality’ & rewritten
‘Sensitive Resource’ definition revised
‘Strong Authentication’ - new term

Global | | Security requirement language, where present, removed from test requirements.
Global | | ‘Control Objective(s)’ renamed to ‘Security Objective(s)’
Global | | SLC-related requirements removed as they are covered by the PCI SSLC Standard.
| New additional Module D - Software Development Kits | PCI Secure Software Standard v2.0 is now better suited to accommodate the assessment of SDKs, which also includes EMVCo® 3DS SDKs.

General / Introduction Sections
Title Page | | Updated title page
| Purpose of this | New section header - aligns with PCI Standards structure
| Sensitive Assets | New section
Related Publications | | Repurposed and moved to Appendix B
Stakeholder Roles and Responsibilities | | Content removed. Accounted for in the PCI Secure Software Program Guide.
Scope of Security Requirements | | Section removed.
Requirement | Security Objective | Revised per updated structure
Requirement Structure | | ‘Control Objectives’ changed to ‘Security Objectives’. Added …
Added
p. 4
Core - All Software
Core Requirements | Core - All | Entire section retitled. Intended to emphasize Core applicability, which applies to all software assessed to the Standard.
Various (2.1, B1.1) | Security Objective 1 | New section to account for Software Architecture, Composition, and Versioning. Includes requirements for BOM, versioning, and use of wildcards.
Various (1.1-1.3, 6.1) | Security Objective 2 | Revised section accounts for Sensitive Asset Identification. Relies on use of the new external document, Sensitive Asset Identification. Requirements for identifying: Sensitive Data, Sensitive Resources, Sensitive Functionality, and, if present, Sensitive Modes of Operation. This section sets up the required documentation, identification, and information that also serves as input to subsequent sections, requirements, and testing in the Standard.
Various (3.1-3.6, 6.1) | Security Objective 3 | Revised section to account for Sensitive Asset Storage and Retention.
Added
p. 5
Introduces new term ‘Strong Authentication’.
Various (2.4, 2.5, 3.6, 4.1, 4.2, 5.1, 5.2, 5.4, 8.3, 8.4, 9.1) | Security Objective 5 | Revised section to account for Sensitive Asset Protection. This section accounts for the software design itself, which is also a sensitive asset. Formalizes context for ‘anomalous behavior’.
(6.2, 8.3, 8.4) | Security Objective 6 | Revised section to account for Sensitive Asset Output. Formalizes secure channel requirements.
(7.1, 7.3, 7.4) | Security Objective 7 | Revised section to account for Random Numbers associated with Sensitive Assets. Requirements refined to be fit for purpose, and account for both leveraging an external RNG and implementing an RNG in the software under assessment.
(7.1, 7.2) | Security Objective 8 | Revised section to account for Key Management associated with Sensitive Assets.
(6.3, 7.1) | Security Objective 9 | Revised section to account for Cryptography where not otherwise accounted for by other requirements. A single encompassing requirement.
Various (10.1, 10.2) | Security Objective 10 | Revised section to account for …
Added
p. 6
Module B | | Requirements pared down and consolidated. Requirements such as (B1.1, B1.2, B1.3, B3.x, B5.x) are accounted for by Core - All Software requirements. Revised SRED requirements.

Module C - Publicly-accessible Software
Module C - Web Software Requirements | Module C - Publicly-accessible | Module retitled to better capture intent.
C.1.{1,2,3,4,7} | | Requirements moved to Core Section. Refer to Core Section above for details.
Control Objective | Security Objective 1 | Moved to Core. Slightly revised language.
C.1.1 | 1-2 | Moved and slightly revised requirements language. Now a Core requirement.
Added
p. 6
C.1.2 | 1-2 | Moved and slightly revised requirement language. Now a Core requirement.
C.1.4 | 1-4 | Moved and slightly revised requirement language. Now a Core requirement.
C.1.3 | 1-2 | C.1.3 absorbed into now 1-2. Added sub-context to expected minimum information.
C.1.5 | REMOVED | Accounted for in the PCI Secure SLC Standard
C.1.6 | REMOVED | Accounted for in the PCI Secure SLC Standard
Added
p. 7
Removed context of ‘third-party’. Added context of ‘untrusted’ systems.

Module D - Software Development Kits
| Module D - Software Development Kits | New section, module, objectives, and requirements for SDKs.

Appendices
| Appendix A | New Appendix. Replaces the external glossary document “SSF - Glossary of Terms, Abbreviations, and Acronyms” for v2.x
| Appendix B | New Appendix - Related Publications
| Appendix C | New Appendix - Technical References
Removed
p. 1
Payment Card Industry (PCI) Software Security Framework Summary of Changes from Secure Software Requirements and Assessment Procedures Version 1.1 to 1.2
Removed
p. 2
Introduction

This document provides a summary of changes to the PCI Software Security Framework - Secure Software Requirements and Assessment Procedures (“PCI Secure Software Standard”) from v1.1 to v1.2. Table 1 provides an overview of the types of changes. Table 2 summarizes the material changes in the Secure Software Standard v1.2.

Table 1: Change Types
Change Type | Definition
Clarification or guidance | Updates to language, explanations, definitions, guidance, and/or instructions to increase understanding or provide further information or guidance on a particular topic.
New or evolving content | Changes to ensure that the standard is up to date with emerging threats and technologies, and changes in the payment industry. May consist of new, modified, or removed control objectives or test requirements.
Structure or format | Reorganization of content including combining, separating, renaming, or renumbering sections or requirements to align content.

Table 2: Summary of Changes
Section (v1.1) | Section (v1.2) | Change | Change Type
General Changes
Throughout | Throughout | Minor updates to address … |
Removed
p. 3
PCI Secure Software Requirements | Overview of PCI Secure Software Standard | Renamed section to clarify its purpose. | Clarification or guidance
Scope of Requirements | Scope of Security Requirements | Renamed and updated section to further clarify the expected scope of a Secure Software Assessment. | Clarification or guidance
Requirements Overview | Requirement Modules | Renamed and updated section to clarify the intent of requirement modules. | Clarification or guidance
| Requirement Module Applicability | Added new sub-section to describe how to determine requirement module applicability and assess the requirements in applicable modules, and to raise awareness of module-specific requirements that may have broader applicability and how those requirements may evolve in future updates to the standard. | Clarification or guidance
Objective-Based Approach to Requirements | Objective-Based Approach to Requirements | Moved sub-section from the Introduction to the Overview of PCI Secure Software Standard section. | Structure or format
| Requirement Frequency and Rigor | Added new sub-section to reorganize and enhance guidance on the expected frequency and rigor … |
Removed
p. 4
Section (v1.1) | Section (v1.2) | Change | Change Type
Sampling | Use of Sampling | Renamed sub-section to better align with other related sections. | Clarification or guidance
Secure Software Core Requirements | Core Requirements | Renamed section to better align with other related sections. | Clarification or guidance
Terminal Software Evaluation | Requirement Module Applicability | Consolidated information on the applicability of modules in the Overview of PCI Secure Software Standard section. | Structure or format
Additional Considerations | Considerations | Renamed section title to align with other related sections. | Structure or format
Terminal Software Security | Security Requirements | Renamed section title to align with other related sections. | Structure or format
Requirement Changes
Throughout | Throughout | Minor updates to address errata, clarify intent, standardize language, and support the addition of the Web Software Module. | Clarification or guidance
Throughout | Throughout | Updated test requirements to remove all references to “vendor” evidence to enable an assessor to determine the evidence that is most appropriate to support a control objective, and to clarify that an … |
Removed
p. 6
Section (v1.1) | Section (v1.2) | Change | Change Type
3.1.c 3.2.c 4.2.c 4.2.d 6.2.d 6.2.e 7.2.c 7.3.a 8.3.b 11.2.a A.2.3.d | 3.1.c 3.2.c 4.2.c 4.2.e 6.2.d 6.2.e 7.2.a 7.3.a 8.3.c 9.1.g 11.2.b A.2.2.a A.2.2.b A.2.3.d | Added new test requirements, new tests to existing test requirements, or moved parts of existing test requirements into new test requirements to clarify intent. | New or evolving content
1.1.d 1.1.e 1.1.f 1.1.g 1.1.h 1.2.b 3.4.a 7.2.c 7.3.a A.2.2.b | 1.1.d 1.1.e 1.1.f 1.1.g 1.1.h 1.2.b 3.4.a 7.2.a 7.3.a A.2.2.d | Expanded the scope of existing test requirements to clarify intent. | New or evolving content
3.1 3.4 6.1 8.4 9.1 A.2.3 | 3.1 3.4 6.1 8.4 9.1 A.2.3 | Updated guidance to provide additional details, clarify concepts, or for other clarification purposes. | Clarification or guidance
7.1 7.1.a 7.2 7.3 | 7.1 7.1.a 7.2 7.3 | Updated control objectives and test requirements to replace references to “approved” cryptographic algorithms, key management processes, and random number generation algorithms and libraries with … |