Future of PCI-SSC: How Nelnet Campus Commerce is Staying Ahead

Payment security standards are ever evolving, just like the security threats aimed at payment systems. As an organization that processes more than six million transactions annually, Nelnet Campus Commerce invests in keeping pace with these changes.

The Payment Card Industry Security Standards Council currently maintains 15 standards to protect payment account data throughout the payment lifecycle. Standards are created specifically for merchants, service providers, and financial institutions that provide security practices technologies and processes, as well as standards for developers and vendors that create secure payment products and solutions.

“Nelnet Campus Commerce is a service provider that develops and provides secure payment applications as a SaaS solution, so we focus attentions on keeping up-to-date on evolving standards affecting security payment applications and security standards that affect the way you manage and protect credit card data,” said Patricia Ellington, IT Manager for Cyber Security for Nelnet Campus Commerce.

Currently, there are three big changes that Nelnet Campus Commerce is watching.

The Payment Application-Data Security Standard (PA-DSS) v3.2 expires in October 2022 and will be replaced by the PCI Software Security Framework. The Nelnet Campus Commerce suite of products has always been offered as a hosted environment, and has not been eligible for PA-DSS validation. The new Software Security Framework extends beyond the requirements of PA-DSS to address overall security resiliency. It will support a broader array of payment software types, technologies, and development methodologies.

The PCI Software Security Framework is comprised of the newly developed PCI Secure Software Standards and PCI Secure SoftwareLifecycle, which support the innovations in payments-related technology. It also provides a dynamic method for how software protects payment data for the next generation of applications. The PCI Secure Software Standards will replace the PA-DSS standards by establishing new baseline requirements and guidance for secure payment software. To complement those standards, the PCI Security Software Lifecycle Standard builds on the traditional software development life cycle (SDLC) to include security concepts and activities throughout.

“In support of the new PCI Software Security Framework, we are actively attending training and conferences to better understand the requirements and corresponding assessments procedures for the development of secure software and methods to design, develop and maintain secure payment software throughout the software lifecycle,” Ellington said. “This should put us in a good position for when the PCI Software Security Framework becomes a requirement in October of 2022.

The PCI Software Security Framework represents an evolution in how these security practices are approached.

When the PCI-SSC formed in 2005, the technology landscape was vastly different, mostly centered around on-premise databases and applications. Early iterations of payment security standards proved cumbersome and difficult to enforce because they were too specific to a platform, technology or service.

Over the decade and a half that followed, technology moved to the cloud and went mobile, and speed and flexibility began to dominate not just payment technology, but also the threats against personal and sensitive information. It was harder to incorporate speed into the regulations. In some cases, the regulations were so specific that emergency changes in response to new vulnerabilities took months to proceed.

The Software Security Framework is designed around objectives, such as Secure Software and Data Management and Secure Software Engineering. The goal is to ensure that security is embedded in the software lifecycle.

“As you may know, even though our Nelnet Campus Commerce suite of products is not eligible for PA-DSS assessments, we use the PA-DSS as a guideline for developing and maintaining our payment applications,” Ellington said. “Now, with the introduction of the Software Security Framework, we could meet the requirements to be assessed and we are preparing our application security programs to support and comply with the Framework while maintaining objective-focused security practices that support current and future industry technologies.”

The PCI-SSC is currently working on a second draft of the latest version of the PCI Data Security Standard (PCI DSS), which is in a comments period through November 13, 2020. This second draft incorporates feedback received during the first round of comments last fall, which generated over 3,000 comments from various stakeholders.

“The stakeholder feedback plays a key role in developing the PCI DSS standard to meet the needs of the global payment card industry, and address current changes in payments, technology and security,” Ellington said.

Much of that feedback comes from PCI Participating Organizations, a network of organizations affiliated with the payment card industry, including merchants, banks, processors, hardware and software developers, and point-of-sale vendors.

“As a PCI Participating Organization, we currently have the opportunity to review and provide comment for the upcoming PCI DSS v4.0 Standard,” Ellington said. “This is the second round of review for PCI DSS v4.0, and we have found the review process to be exciting, allowing us to collaborate internally and suggest modifications to the requirements, or even request additional guidance or clarification of the requirements from the PCI. By reviewing the drafts, we also are able to focus on the intent of each requirement, and how controls can meet the intent, which helps us better prepare for the changes as we make business decisions to support our PCI environment, processes and methodology.”

Version 4.0 is expected to be published late next year, and the standards go into effect in 2024.

“However, we are using this time to consider current and future control challenges within our PCI environment and keep up-to-date on the changes within the PCI DSS,” Ellington said.