Through the SSF Assessor Program, PCI SSC qualifies companies and their employees to assess vendors’ software lifecycle management practices and payment software products to the PCI Secure Lifecycle (Secure SLC) and Secure Software Standards. Secure SLC Qualified Vendors and Validated Payment Software are then listed on the Council’s website as resources for merchants, service providers, and acquirers.
Opportunities for both New and Existing Assessors
SSF Assessor qualification provides an opportunity for new candidates to join the first PCI SSC program of this kind, which includes a new methodology for validating software security and a separate secure software lifecycle qualification for vendors with robust security development practices. The SSF will evolve to support more types of software in the future, which will introduce additional opportunities for assessors down the line.
SSF Assessor qualification also offers existing assessors the chance to use and expand their skills and experience in an area with opportunities for future growth. Payment Application Qualified Security Assessors (PA-QSAs) and QSAs can add to their certifications and expertise with the new Secure Software Assessor qualification, Secure SLC Assessor qualification, or both.
For an overview of the SSF, its benefits and how to use it, view our newly published resource: At-a-Glance: PCI Software Security Framework.
SSF Assessor Company qualification is open to any company that meets the SSF Assessor Qualification Requirements, including, but not limited to, QSA Companies. To be listed as an SSF Assessor Company on the PCI SSC website, the company must have at least one employee meet the SSF Assessor Qualification Requirements and successfully complete Secure Software Assessor and/or Secure SLC Assessor training and the corresponding exam.
To be qualified as Secure Software Assessors and/or Secure SLC Assessors, eligible SSF Assessor Company employees must successfully complete the requisite training and exam. Training will be offered both as instructor-led training (ILT) and computer-based training (CBT).
ILT is required for new assessors, but QSAs and PA-QSAs that meet the SSF Assessor Qualification Requirements have the option to complete CBT instead. Note that for eligible QSAs, CBT is only an option for Secure SLC Assessor training.
Training will be available in early 2020, and more information, including course details, will be published on the PCI SSC website.
Eligible organizations can apply now to become SSF Assessor Companies by visiting the Secure SLC Assessor or Secure Software Assessor pages on the PCI SSC website and following the steps outlined in the registration process:
PCI SSC will begin accepting applications from SSF Assessor Company employees in November.