Scientific article on the topic 'ISSUES OF HARMONIZATION OF ISO 9001 STANDARD AND PCI SECURE SLC – ELECTRONIC BANKING AND CERTIFICATION IN MOROCCO: POTENTIALS AND RISKS'

ISSUES OF HARMONIZATION OF ISO 9001 STANDARD AND PCI SECURE SLC – ELECTRONIC BANKING AND CERTIFICATION IN MOROCCO: POTENTIALS AND RISKS. Text of a scientific article in the field "Economics and Business"

CC BY
Journal: Colloquium-journal
Keywords: ISO 9001 / PCI Secure SLC / EFQM / Quality management / Security

Abstract of the scientific article on economics and business, authors — Adil Chebir, Omar Taouab, Ibtissam El Moury, Adil Echchelh

Payment innovation is advancing at an unimaginable pace. Each new advancement offers the industry the opportunity to develop applications faster and more efficiently than ever before and also to design software for new payment acceptance platforms. The new PCI Secure Software and PCI Secure SLC standards support this evolution in payment software practices by providing developers with a dynamic way to demonstrate that their software protects payment data for the next generation of applications. The application of this change by ISO 9001 certified suppliers impacts processes relating to the product development lifecycle. The major challenge for these companies is to have a Quality approach allowing the coexistence of the ISO 9001 standard and the PCI Secure SLC standard. It is in this very specific context that this article fits.


Text of the scientific work on the topic "ISSUES OF HARMONIZATION OF ISO 9001 STANDARD AND PCI SECURE SLC – ELECTRONIC BANKING AND CERTIFICATION IN MOROCCO: POTENTIALS AND RISKS"

ECONOMIC SCIENCES

Adil CHEBIR (Corresponding author), Omar TAOUAB

Research laboratory in organizational management sciences, Ibn Tofail University, Kenitra, Morocco

Ibtissam EL MOURY, Adil ECHCHELH

Laboratory in electronic systems, information processing, mechanics and energy, Ibn Tofail University, Kenitra, Morocco

DOI: 10.24412/2520-6990-2022-29152-39-47

ISSUES OF HARMONIZATION OF ISO 9001 STANDARD AND PCI SECURE SLC – ELECTRONIC BANKING AND CERTIFICATION IN MOROCCO: POTENTIALS AND RISKS

Abstract

Payment innovation is advancing at an unimaginable pace. Each new advancement offers the industry the opportunity to develop applications faster and more efficiently than ever before and also to design software for new payment acceptance platforms. The new PCI Secure Software and PCI Secure SLC standards support this evolution in payment software practices by providing developers with a dynamic way to demonstrate that their software protects payment data for the next generation of applications. The application of this change by ISO 9001 certified suppliers impacts processes relating to the product development lifecycle. The major challenge for these companies is to have a Quality approach allowing the coexistence of the ISO 9001 standard and the PCI Secure SLC standard. It is in this very specific context that this article fits.

Keywords: ISO 9001, PCI Secure SLC, EFQM, Quality management, Security

1. INTRODUCTION

Electronic banking is developing all over the world, admittedly at different speeds, but the field of payments and electronic banking is constantly changing given the major stake of cashless payment in the development of the economy. In Morocco, this is also the case. The growing figures for local and online electronic payment transactions testify to the favourable development of electronic payment activity, which generated more than 322 billion Dirhams in 2020, in a context of health crisis rich in lessons for the payment ecosystem. In this context, providers of electronic payment solutions play a key role in the modernization, digitization and preservation of the electronic payment business model. Suppliers will therefore have to support their customers in implementing solutions that adapt to new consumer practices while complying with the security requirements of the main payment systems. To master these constraints, the supplier of electronic payment solutions is required to adopt strategies based on modern quality management techniques, in particular the adoption of principles based on the international ISO 9001 standard, while being validated against the PCI Software Security Framework (SSF), which will replace the PA-DSS standard in October 2022.

Nowadays, version 1.1 of the PCI Secure Software Lifecycle (SLC) standard and its accompanying program documentation have been released by the PCI Security Standards Council (PCI SSC). PCI Secure SLC is one of the two standards that make up the PCI SSF (Software Security Framework). Its role is to provide security requirements and assessment procedures that software vendors incorporate into their software development cycles, and so to validate that secure lifecycle management practices are in place.

Like any company wishing to demonstrate its ability to consistently provide quality products and services, providers of payment solutions are required to adopt the principles of the ISO 9001 standard in order to implement a logic of continuous improvement. This recognition also allows them to become competitive on local and international markets. Thus, payment software suppliers wishing to comply with both PCI Secure SLC and ISO 9001 must ensure that their management system provides proof that it meets the requirements of each standard. To do this, they must adopt a quality approach that integrates both into their QMS. In this context, our contribution consists in clarifying the existing synergies between the ISO 9001 and PCI Secure SLC standards in order to help the manager optimize his quality approach.

2. LITERATURE REVIEW

As part of this study, we carried out bibliographic searches whose goal was to find a theoretical framework for the coexistence of ISO 9001 and PCI Secure SLC within a management system.

When we searched on Integrated Management, we found different books and studies dealing with Integrated Quality Management or highlighting the correspondence between requirements belonging to different models. So:

• Several researchers such as Fabrice Bonnifet and Jean-Marc Gey (2010) discussed Integrated Quality-Safety-Environment management and explained, relying on practical examples, different ways to evolve towards a global management system thanks to an integration of the management standards and reference documents ISO 9001, ISO 14001, OHSAS 18001 and SA 8000 [1].

• Research around the harmonization of different models:

- One study suggests a model that allows unifying the contents of CMMI and ISO [2].

- Another introduces an ontology that provides the most important concepts in relation with the harmonization of different models, together with a web tool that supports this ontology, which has been applied to the harmonization of Basel II, VAL IT, COBIT 4.1, RISK IT, ITIL and ISO 27002 [3].

• Certain studies illustrate a harmonization between agile approaches and ISO 9001:

- A study explains how a company specialized in developing enterprise project management software, Primavera Systems, could establish a Quality Management System (QMS) aligned with ISO 9001 while maintaining all of the benefits of its Scrum / XP agile practices [4].

- Another study shows different ways to reconcile agile development's focus on speed and lean development with ISO 9001's need for control, documentation and traceability [5].

• Research about PCI-DSS integration with the ISO 27001 standard:

- A study explains and discusses the interoperability of the PCI-DSS and ISO 27001 standards [6].

- The PCI Security Standards Council (PCI SSC) issued a document that maps PCI DSS to the NIST Framework, providing a resource that stakeholders may use to understand how to align security efforts to achieve the goals of both PCI-DSS and the NIST Framework [7].

• Relations between the ISO family and the GDPR regulation:

- After analyzing the ISMS framework included in ISO 27001, an article identifies the synergies with GDPR compliance efforts. This article describes the additional actions that an organization which has already set up an ISMS has to implement to gain compliance with the GDPR [8].

- When ISO 27552 is mapped against the GDPR, Articles 5 to 49 of the General Regulation are covered except Article 43; the mapping can be used as a model for a gap analysis in an organization that tries to comply with the General Regulation [9].

The research carried out in this context did not lead us to a bibliographic reference directly dealing with the integration of the two standards ISO 9001 and PCI Secure Software Lifecycle (SLC). Nevertheless, we can focus on the common purposes between the two standards ISO 9001 and PCI Secure SLC.

2.1. The Benefits of a Quality Approach Based on ISO 9001 Standard

The first benefit of ISO 9001 certification is that the company enjoys a competitive advantage that reinforces its position against the competition while gaining customers' confidence, as it provides them with an analysis of the different means used to keep the promise made to them and allows them to verify the conditions of compliance with this promise via certification [10].

In contrast, Eva Giesen states that certification helps keep the system active and evolving through its pace of continuous improvement and follow-up audits [11].

The purpose of adopting the principles of quality management explains its success. Thus, S. Faucher explains the goals of a Quality Management System in 3 points: enhancing the efficiency of the system and the implemented processes, demonstrating the ability to regularly supply a product that complies with both customer and applicable regulatory requirements, and increasing customer satisfaction [12].

ISO 9001 is able to help an organisation of any size or type whose goal is to enhance its employees' efficiency and establish a framework leading to the implementation of a long-term strategy, which can help to improve security and profitability and so to satisfy its customers [13].

2.2. PCI standard: definition and purpose

We will focus on the purpose of the PCI-DSS standard because PCI Secure SLC is indirectly derived from the PCI-DSS standard, namely:

- The conditions of the PA-DSS standard are taken from the Security Assessment Conditions and Procedures of the PCI DSS standard [14].

- The PCI Software Security Framework (SSF) will replace the Payment Application Data Security Standard (PA-DSS) v3.2 when it expires at the end of October 2022 and is formally retired [15].

- The PCI Secure SLC Standard is intended to be used as a part of the PCI Software Security Framework. Under this framework, software vendors who want to validate their software lifecycle management practices against the PCI Secure SLC Standard have the possibility to do so [16].

Alan Calder (2013) [17] defines the PCI-DSS standard as follows: "PCI-DSS was developed by the five founding payment brands of the PCI (Security Standards Council): American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa. PCI-DSS consists of a standardized, industry-wide set of requirements and processes for security management, policies, procedures, network architecture, software design and critical protective measures".

Anton Chuvakin, Branden R. Williams and Ward Spangenberg (2010) [18] assert that the purpose of the PCI-DSS standard is not limited to the technical protection of cardholder data. Thereby:

- By encouraging improved security and reducing the risk of card fraud, PCI DSS helps build consumer confidence in the payment system.

- By controlling the risks of fraud around payment systems, the PCI standard defends the functioning of the economic system.

Timothy M. Virtue (2008) [19] discusses the purpose of PCI-DSS as follows:

- Organizations have an interest in transacting securely so that they can maintain the trust of their customers, reduce their operating costs, and protect their organizational assets from fraud and abuse.

- Consumers can easily choose other providers if they are not comfortable with the security of their personal information.

Based on these thoughts, we can see that:

1. The integration of the two standards ISO 9001 and PCI Secure SLC is possible within the framework of a management system.

2. The two standards have common objectives:

- Strengthen consumer confidence

- Improve the performance of the organization

These findings allow us to deduce the following hypothesis: The two standards ISO 9001 and PCI Secure SLC Standard present a synergy allowing their integration within the framework of a QMS.

3. METHODOLOGY OF RESEARCH

For an efficient study of this approach, and to figure out the degree of adherence of institutions in terms of quality and conformity, we will first discuss the extent of the evolution of ISO 9001 and PCI-DSS certifications. Then, we will give some examples of the present synergies between the ISO 9001 and PCI-DSS standards that enable the implementation of a system integrating the requirements of both. To illustrate this synergy, we rely on a comparative analysis, which plays an essential role in forming concepts by focusing on similarities and contrasts among the studied cases [20]. Thus, a close reading of the newest versions of the PCI Secure SLC and ISO 9001 standards (published by their institutional bodies) is the basis of this comparative analysis. After extracting the differences and points of convergence between the two standards, we will be able to illustrate the existing synergies. In this context, and to make sure that they make it possible to prepare an integrated QMS, the selected points of convergence presenting a synergy between PCI Secure SLC and the ISO 9001 standard are compared with a total quality assessment model.

4. RESULT

4.1. Development of ISO 9001 Certification and Compliance with PCI Secure SLC in Morocco

Having certificates or labels is one of the most efficient ways of reassuring customers that their banking data is secure. However, it is necessary to implement a management system to improve their satisfaction.

4.1.1 Development of ISO 9001 Certification in Morocco

In order to meet the expectations of their customers and partners, all organizations have to deal with different market requirements if they want to survive. We consider establishing an ISO 9001 compliant QMS to be a pledge of confidence, and to achieve this goal the number of issued ISO 9001 certificates reached 1 056 855 in 2017 according to the study published on the portal of the ISO body.

Standardization is considered one of the most important tools for building a continuous improvement approach in a constantly changing market; this approach covers the quality of the services of all the organization's activities. In the next two figures we will see that Moroccan companies also focus on strengthening the reputation of their products and services by adopting an approach aimed at ISO 9001 certification.

The most recent results of the ISO Survey are for 2019. They give an estimated number of certificates valid up to December 31st, 2019.

Figure 1 illustrates the evolution of the number of certificates issued from 1993 to 2019 (ISO Survey; 2020) [21].

Figure 1: Evolution in number of certificates issued from 1993 to 2019

After a quick analysis of Figure 1 we can see a constant evolution from 1993 until 2019 (except for declines in 2003, 2008, 2009, 2010, 2017 and 2018), and from 2010 until 2016 a steady evolution leading to the peak in 2016 with 1524 certificates. There was a significant decrease in Morocco (and also in several other countries) in 2017, which the ISO body explains by a change in the method by which data is reported by certain suppliers. However, 2019 witnessed a significant improvement.

In Figure 2, the evolution of the number of ISO 9001 certificates in Morocco is shown according to the sector of activity; we can note that in 2019 quality certification concerned especially the service sector (ISO Survey; 2020) [21].

Figure 2: Number of ISO 9001 certificates in Morocco by business sector.

After analysing these figures, it is easy to understand that in Morocco quality has become more and more a reality. The evolution of quality is now certain in the most important economic sectors. This explains why a question arises about companies' interest in banking data protection projects in accordance with PCI Secure SLC.

4.1.2. Evolution of PCI standard

Since it is still a very sensitive matter in Morocco, there is unfortunately no officially circulating figure that deals with this subject. However, on the website of the PCI Security Standards Council we find a downloadable list of compliant suppliers. There is also a register of compliant organizations published by the card schemes Visa and MasterCard.

After reading the list of PCI-DSS compliant organizations published by Visa, we can see that there is only 1 Moroccan bank registered on the Visa list [22].

However, 6 payment and interoperability operators are displayed on the same list. The PCI Security Standards site displays PA-DSS compliant suppliers without specifying their location; however, the main electronic payment suppliers in Morocco appear on this list [23].

Hence the present synergy between the PCI Security Standards and ISO 9001 is highlighted by the results of our research.

4.1.3. Comparative Analysis of ISO 9001 Standard and PCI Secure SLC

The results of the comparative analysis, based on an in-depth reading and study of PCI Secure SLC [24] and ISO 9001 [25], are introduced in the next two tables. Through these tables we indicate the differences and points of convergence between the ISO 9001 standard and PCI Secure SLC. Then we state the existing synergies between the ISO 9001 standard and PCI Secure SLC.

Table 1 presents extracts from the ISO 9001 and PCI Secure SLC standards allowing their purposes to be compared:

Application

- PCI Secure SLC: The PCI Requirements for Secure SLCs apply to the software vendor's processes, technology, and personnel involved in the design, development, deployment, and maintenance of the software vendor's software products and services.

- ISO 9001: All the requirements of this International Standard are generic and intended to apply to any organization, regardless of its type or size, or the products and services it provides.

Goal

- PCI Secure SLC: Provide a basis of security requirements with corresponding assessment procedures and guidelines to help software vendors design, develop and maintain secure software throughout the software lifecycle. The PCI Standard for Secure SLC is intended to be used as an integral part of the PCI Software Security Framework. As part of this, software vendors who wish to validate their software lifecycle management practices against this PCI Standard for Secure SLCs may choose to do so.

- ISO 9001: This International Standard specifies the requirements for the quality management system when an organization: a) must demonstrate its ability to consistently provide products and services in accordance with customer requirements and applicable legal and regulatory requirements, and b) aims to increase customer satisfaction through the efficient application of the system, including processes for improving the system and ensuring compliance with customer requirements and applicable legal and regulatory requirements.

Table 2 summarizes the result of our research, whose goal is to find an existing synergy between the ISO 9001 and PCI Secure SLC standards:

Criterion | SLC Standard | ISO 9001 | Synergy
Roles, responsibilities and authorities | 1.1; 1.2 | 5.3 | Management should ensure that software security responsibilities and authorities are assigned, communicated and understood within the organization.
Skills management | 1.3 | 7.2 | The organization should determine the necessary skills of software development personnel based on their role, responsibilities and specific function.
Product and service requirements | 2.1 | 8.2 | The regulatory and industry security and compliance requirements applicable to the software vendor's operations, products and services, and to data stored, processed or transmitted by the software vendor, are: identified according to 8.2.2 (Determination of requirements relating to products and services); checked according to 8.2.3 (Review of requirements for products and services).
Policy | 2.2 | 5.2 | The quality policy established by the software supplier includes a commitment to meet security and compliance obligations.
Design and development of products and services | 2.3 | 8.3.2 | When determining software security policy steps, the organization ensures that this determination complies with the requirements of 8.3.2.
 | 2.4 | 8.3.4 | Updating of the software security assurance process throughout the software lifecycle is carried out as part of the requirements of 8.3.4.
 | 6.1 | 8.3.4 | Maintaining the integrity of all software code and third-party components throughout the software lifecycle is carried out in accordance with 8.3.4.
Records and documentation management | 2.5 | 7.5 | The generation and updating of supporting documents to indicate the efficiency of the software security assurance processes is carried out in accordance with the requirements of 7.5 (Documented information).
 | 3.1 | 7.5.2 | The identification and classification of critical assets are carried out under 7.5.2 (Creating and updating documented information).
 | 5.2 | 7.5.2 | Software version management is performed according to the requirements of 7.5.2 (Creating and updating documented information).
 | 8.1; 8.2; 8.3 | 7.5 | The organization shall produce, maintain and make available to stakeholders guidelines (in accordance with 7.5) on the secure implementation, configuration and operation of its software.
Risk management | 3.2 | 6.1 | The organization must put in place actions to address the risks arising from threats to the software and weaknesses in its design, in accordance with 6.1 (Actions to address risks and opportunities).
Control and audit | 2.6 | 9.2 | Defects or weaknesses in software security assurance processes are found out in accordance with 9.2 (Internal audit).
 | 3.3 | 9.2 | These controls are integrated as part of the definition of the audit criteria and the scope of each audit.
Improvement | 2.6 | 10.2 | Weak or ineffective security assurance processes are updated, strengthened or replaced in accordance with 10.2 (Nonconformity and corrective action).
 | 3.4 | 10.2 | Weak or ineffective security controls are updated, strengthened or replaced as part of 10.2 (Nonconformity and corrective action).
 | 4.1 | 9.1 | Emerging or existing software vulnerabilities can be detected in accordance with the requirements of 9.1.
Evaluation of performances | 4.2 | 9.1.3 | Newly discovered vulnerabilities are corrected after being analysed and assessed according to 9.1.3, in order to prevent reintroducing similar or already resolved vulnerabilities.
Control of modifications | 5.1 | 8.5.6 | All software modifications are identified, evaluated and approved in accordance with the requirements of 8.5.6.
Release of products and services | 6.2 | 8.6 | The delivery of software versions and updates is carried out in accordance with 8.6 (Release of products and services).
Property of clients | 7.1; 7.2 | 8.5.3 | Sensitive production data is collected, stored, used and deleted in accordance with 8.5.3 (Property belonging to customers or external providers).
Communication | 9.1; 9.2; 9.3; 10.1 | 7.4 | In accordance with 7.4 (Communication): communication channels are defined and available for the interested parties; common communication subjects are information on timely security updates, security notifications sent to the relevant stakeholders to provide instructions for mitigating the risks linked to known exploits and vulnerabilities, and a summary of specific software changes provided to stakeholders.

By comparing the data in Table 1, we find that these two standards were created for different purposes and by different organizations, thus:

■ The PCI Secure SLC Standard has the role of providing security requirements and assessment procedures for software vendors to integrate into their software development lifecycles, and also of ensuring that secure lifecycle management practices are in place.

■ The ISO 9001 standard is international. It constitutes a guide for the management and organization of an organization, without providing rigid solutions. It is therefore up to the organization to adapt it to its culture and to its own best practices and business requirements.

However, we can say that the hypothesis is verified, as Table 2 demonstrates the desired synergy, which we note in the following points:

• Records and documentation management

• The risk-based approach

• The logic of control and audit

• The logic of continuous improvement

• Roles, responsibilities and authorities

• Communication

• Policy

• Design and development of products and services

• Evaluation of performances

• Control of modifications

• Release of products and services

• Client property

• Skills management

In this context, and to ensure that the 13 selected criteria will allow preparing an integrated QMS, we suggest a comparison between these criteria and a total quality assessment model. We can justify this reflection by the fact that it is commonly accepted that the implementation of total quality management (TQM) is the main factor for the long-term success of an organization, and that TQM forms the quality management system whose implementation is the most appropriate for allowing companies to build a competitive advantage. We opted for the EFQM model as it is based on the principles of TQM and implies a desire for constant progress. Thus, the name "TQM models" evolved after the creation and distribution of the Malcolm Baldrige model and then the EEM: the term "TQM models" was changed into "models of excellence". For many researchers, the goal of this gradual name change is to use the terms as if they were interchangeable, which has given rise to a discussion in academia about whether models of excellence share the same philosophy as TQM models and, ultimately, whether they are the same (J. G. Gómez, M. Martínez Costa & A. R. Martínez Lorente; 2016) [26].

In this context, we have prepared a correspondence of the selected criteria with the sub-criteria of the EFQM excellence model (2013) [27] based on chapters of the ISO 9001.

Hence, we think the selected criteria converge towards the Principles of Total Quality. So, these criteria will help the manager to design an integrated QMS that meets the requirements of PCI Secure SLC and ISO 9001.

As a conclusion we can say that there are existing synergies, even though the goals of PCI Secure SLC and ISO 9001 are distinct. Thus, we consider that possessing a QMS based on PCI Secure SLC and ISO 9001 is crucial, as the ISO 9001 standard offers a valuable guide for the organization and governance of any company or institution, especially those that want to focus on the protection of banking data. It allows the emergence of a governance model including all the data protection measures that an organization believes to be necessary for its compliance with PCI Secure SLC.

6. CONCLUSION

In a competitive world where economic players are increasingly interdependent and their relationships increasingly complex and evolving, companies need to rely on an optimized organization, a strong commitment of their staff and relationships of trust with their partners to be efficient and offer quality services to their customers. Indeed, companies that have implemented quality approaches testify to the benefits obtained in terms of competitiveness, control of the management of their activities, as well as the improvement of their relations, both external (customers, suppliers) and internal with their collaborators. In addition, the implementation of a quality approach is now based on simplified benchmarks focused on the added value provided to all stakeholders.

Numerous signs of benefits attest to the quality guarantees provided by the ISO 9001 and PCI standards. The degree to which these benchmarks are implemented depends on the company's strategy, its needs and the maturity of its quality system. For the process to bear fruit, it is imperative that it is not experienced as a constraint or an obligation. On the contrary, it should serve as a guide and support for a global approach to improving the functioning of the company.

With this update, software vendors now have more to think about, even more so when we consider that the PA-DSS program will end in October 2022. In preparation, organizations should already be working to replace their current PA-DSS requirements and assess as soon as possible how to meet the needs of a 'customized approach' to the standards. To help get started, the PCI SSF eligibility can be seen below, as well as within the respective Program Guides on the PCI SSC website. Thus, the ISO 9001 standard is the benchmark for quality management, providing guarantees on the organizational side that allow the new framework provided by PCI Secure SLC to emerge, which represents a different approach to the design and development of secure payment software. It includes elements of PA-DSS and extends beyond the existing standard to address the overall resiliency of software security. This point calls for a QMS integrating all the applicable provisions, including the requirements of both PCI Secure SLC and ISO 9001.

References

1. B. Froman, J.-M. Grey & F. Bonnifet. "Qualité, sécurité, environnement: construire un système de management intégré". Afnor; 1st edition (2010). P. 17. ISBN-10: 2124651978.

2. C. Yoo, J. Yoon, B. Lee, C. Lee, J. Lee, S. Hyun & C. Wu. "A unified model for the implementation of both ISO 9001:2000 and CMMI by ISO-certified organizations". The Journal of Systems and Software 79 (2006), pp. 954-961. doi:10.1016/j.jss.2005.06.042

3. C. Pardo, F. J. Pino, F. García, M. Piattini, M. T. Baldassarre. "An ontology for the harmonization of multiple standards and models". Computer Standards & Interfaces 34 (2012), pp. 48-59. doi:10.1016/j.csi.2011.05.005

4. B. McMichael & M. Lombardi. "ISO 9001 and Agile Development". Proceedings of the Agile Conference, Washington, United States. IEEE Computer Society, 2007, Volume 1, pp. 262-265. DOI: 10.1109/AGILE.2007.36

5. T. Stålhane and G. K. Hanssen. "The Application of ISO 9001 to Agile Software Development". Product-Focused Software Process Improvement: 9th International Conference, PROFES 2008, Monte Porzio Catone, Italy, June 23-25, 2008, Proceedings, 2008, pp. 371-385. ISBN: 3540695648.

6. T. Mataracioglu. "Comparison of PCI DSS and ISO/IEC 27001 Standards". ISACA Journal, Volume 1, 2016, pp. 51-55.

7. "Mapping PCI DSS v3.2.1 to the NIST Cybersecurity Framework v1.1". Payment Card Industry Security Standards Council, July 2019.

8. V. Diamantopoulou, A. Tsohou and M. Karyda. "From ISO/IEC 27001:2013 and ISO/IEC 27002:2013 to GDPR compliance controls". Information and Computer Security, pp. 11-12, June 2020, Emerald Publishing Limited. DOI: 10.1108/ICS-01-2020-0004

9. T. Tzolov. "ISO 27552 as a Model for Establishment Personal Information Management Systems". Proceedings of the 2019 IEEE International Conference on Information Technologies (InfoTech-2019), 19-20 September 2019, St. St. Constantine and Elena, Bulgaria.

10. D. Boéri. « Maîtriser la qualité : Tout sur la certification et la qualité totale ». Maxima, Paris, 2003, 2nd edition. P. 27. ISBN: 2-84001313-4.

11. E. Giesen. « Démarche qualité et norme ISO 9001. Une culture managériale appliquée à la recherche ». IRD Éditions, Paris, 2008. P. 25. ISBN: 978-2-7099-1631-8.

12. S. Faucher. « Système intégré de management - Qualité Sécurité Environnement ». AFNOR, 1st edition (2006). P. 39. ISBN: 2-12-475530-7.

13. R. Tricker. "ISO 9001:2015 for Small Businesses". Published October 4, 2016 by Routledge; 6th edition. P. 19. ISBN 9781315774855.

14. Norme PCI-DSS : Conditions et procédures d'évaluation de sécurité. Version 3.0, Novembre 2013, page 3.

15. "Transitioning from PA-DSS to the PCI Software Security Framework". A Resource Guide from the PCI Security Standards Council.

16. Secure Software Lifecycle Requirements and Assessment Procedures, Version 1.1, February 2021, page 4.

17. Alan Calder, Geraint Williams. "PCI-DSS: A Pocket Guide". IT Governance Publishing, Third edition, 2013, page 14. ISBN 978-1-84928-555-1.

18. Anton Chuvakin, Branden R. Williams and Ward Spangenberg. "PCI Compliance: Understanding and Implementing Effective PCI Data Security Standard Compliance". Amsterdam; Boston: Elsevier / Syngress, Second edition, 2010, page 19. ISBN: 978-1-59749-4991.

19. Timothy M. Virtue. "Payment Card Industry Data Security Standard Handbook". John Wiley & Sons, 2008. ISBN 0470456914, 9780470456910.

20. D. Collier. "The Comparative Method". University of California, Berkeley, 1993.

21. ISO Survey of certifications to management systems standards - Full results - 2017, 2018 and 2019. Internet: https://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objAction=browse&viewType=1 [September 17, 2021]

22. "Visa's Global Registry of Service Providers". Accessed on January 7, 2019.

23. Validated Payment Applications - PCI SSC. https://www.pcisecuritystandards.org/assessors_and_solutions/payment_applications?agree=true [September 17, 2021]

24. Secure Software Lifecycle Requirements and Assessment Procedures, Version 1.1, February 2021.

25. International Standard: Quality Management Systems - Requirements. Fifth edition, 2015-09.

26. J. G. Gómez, M. Martínez Costa & A. R. Martínez Lorente. "EFQM Excellence Model and TQM: an empirical comparison". Total Quality Management & Business Excellence, Vol. 28, No. 1, p. 89, December 2016. ISSN: 1478-3363. DOI: https://doi.org/10.1080/14783363.2015.1050167

27. EFQM Excellence Model 2013.
