Compliance Series: Software and Service Security and PCI DSS/PA-DSS

This article in our compliance series looks at how the Microsoft Security Development Lifecycle (SDL) helps organizations meet compliance requirements under the financial sector’s Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS).

PCI DSS is an industry-accepted information security standard authored and approved by the PCI Security Standards Council (PCI SSC). It is a global standard that applies to any organization, wherever it operates, that stores, processes or transmits cardholder data for the major debit, credit, pre-paid, e-purse, Automated Teller Machine (ATM) and Point of Sale (POS) cards. The standard was created to increase controls around cardholder data and so help reduce payment card fraud.

PA-DSS is a global standard also created by PCI SSC. PA-DSS is intended to be the definitive standard for software and service developers that build payment applications. Among other things, the standard aims to prevent applications from storing prohibited data (such as full magnetic stripe data) after authorization.

PCI DSS includes several requirements that align closely with SDL practices (for example, Requirement 6, "Develop and maintain secure systems and applications"). In addition, PA-DSS mandates SDL-like controls for payment applications that are sold, distributed or licensed to third parties.

Microsoft published a whitepaper in 2011 titled “SDL and PCI DSS/PA-DSS” to help business decision makers, systems integrators, and software developers understand where compliance activities and SDL practices intersect in practical ways that may help them realize time, resource, or process efficiencies. While the PCI SSC standards have continued to evolve over the past two years, the paper remains highly relevant. Recent moves in the financial sector to focus resources on improving application security reinforce the need for a robust secure development framework.

SDL practices can be used when developing new software or services that must meet PCI DSS/PA-DSS compliance requirements, and also when integrating software customizations into PCI-controlled systems. Organizations that write or integrate software and services in a PCI-regulated environment can readily see how the security best practices of the SDL can help them meet many of the PCI DSS and PA-DSS requirements. Applying SDL practices to a software development process provides a repeatable methodology for improving the security of software and services during development in many PCI-compliant scenarios. The paper can serve as a valuable resource for applying the SDL both to new development and to the integration of software modules in payment card environments.

For more information on software and compliance, I encourage you to check out the Microsoft SDL compliance center. 

Tim Rains
Trustworthy Computing


About the Author
Tim Rains

Chief Security Advisor, Microsoft Worldwide Cybersecurity & Data Protection

Tim Rains is Chief Security Advisor of Microsoft’s Worldwide Cybersecurity & Data Protection group where he helps Microsoft’s enterprise customers with cybersecurity strategy and planning. Formerly, Tim was Director Cybersecurity & Cloud Strategy in Trustworthy Computing at Microsoft, where he