PCI SSC has announced the rollout of the Secure Software Lifecycle (Secure SLC) and Secure Software Programs. These new validation programs are intended for use by payment software vendors to demonstrate that both their development practices and their payment software products address overall software security resiliency to protect payment data. Under the programs, Software Security Framework Assessors will evaluate vendors and their payment software products against the PCI Secure SLC and Secure Software Standards. PCI SSC will list both Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website.
PCI SSC is introducing these programs as part of the PCI Software Security Framework (SSF), a collection of standards and programs for the secure design, development and maintenance of existing and future payment software. The SSF expands beyond the scope of the Payment Application Data Security Standard (PA-DSS) and will replace PA-DSS, its program and List of Validated Payment Applications when PA-DSS is retired in 2022. During the interim period, PA-DSS and SSF Programs will run in parallel, with the PA-DSS Program continuing to operate as it does now.
Secure SLC and Secure Software Program documentation is now available on the PCI SSC website. PCI SSC plans to start accepting applications for SSF Assessors in October 2019, with training to follow in early 2020. Once these pieces are in place, vendors can begin the assessment process for their software development lifecycle practices and their payment software products.
Here we look at the timeline for the SSF Programs rollout and cover key milestones to help stakeholders know what to expect and when.
SSF Programs Timeline
- Program Documentation Available: Program Guides, Qualification Requirements for SSF Assessors and FAQs are now available on the PCI SSC website. Reporting Templates will be published shortly.
- Programs Open for SSF Assessors: PCI SSC will begin accepting SSF Company applications in October 2019.
- Training Available: Training will be available in early 2020, first for PA-QSAs and QSAs, and then for new assessors.
- Programs Open for Vendors: Once SSF Assessors are in place, vendors can begin the validation process for their software lifecycle practices and payment software. PCI SSC anticipates assessments will begin in Q1 2020.
- Deadline for Acceptance of New PA-DSS Submissions: PCI SSC will continue to accept new PA-DSS submissions until 30 June 2021.
- PA-DSS Program Closes: Upon expiry of PA-DSS v3.2 on 28 October 2022, all validations will move to the “Acceptable Only for Pre-Existing Deployments” tab on the PA-DSS listing and the PA-DSS Program will close.
SSF Programs Documentation
The Secure SLC Program Guide, Secure Software Program Guide, Software Security Framework - Qualification Requirements for Assessors, and supporting FAQs are now available on the PCI SSC website. Reporting Templates will be published shortly.
Secure SLC Program Guide
- The Program Guide details the processes that payment software vendors must use in order to be validated to the Secure SLC Standard.
- Validation to the Secure SLC Standard illustrates that the software vendor has mature secure software lifecycle management practices in place to ensure its payment software is designed and developed to protect payment transactions and data, minimize vulnerabilities, and defend against attacks.
- Upon successful evaluation by a Secure SLC Assessor, validated software vendors will be recognized on the PCI SSC List of Secure SLC Qualified Vendors.
- Secure SLC Qualified Vendors will be able to self-attest to delta changes for their products that are listed as Validated Payment Software under the Secure Software Program.
Secure Software Program Guide
- The Program Guide details the processes that software vendors must use in order to have their payment software products validated to the Secure Software Standard.
- Validation to the Secure Software Standard illustrates that the payment software product is designed, engineered, developed, and maintained in a manner that protects payment transactions and data, minimizes vulnerabilities, and defends against attacks.
- Upon successful evaluation by a Secure Software Assessor, validated payment software will be recognized on the PCI SSC List of Validated Payment Software.
Software Security Framework - Qualification Requirements for Assessors
- The Qualification Requirements for Assessors describe the minimum capability and related documentation requirements that candidate Software Security Framework Assessor Companies and their Assessor-Employees must satisfy.
- Qualified Assessor Companies will be recognized on the PCI SSC List of Software Security Framework Assessors.
Frequently Asked Questions (FAQs)
- This document addresses frequently asked questions (FAQs) related to the SSF, including questions about the relationship between the SSF and other PCI Standards and the transition from PA-DSS to the SSF.
PA-DSS vendors and other payment software vendors are encouraged to review these documents to understand the vendor and payment software validation process, and how it is different from PA-DSS. Once assessors are in place, vendors will be able to begin the validation process for their software development lifecycle practices and their payment software products. Validations will be good for three years.
PA-QSAs, QSAs, and other companies interested in becoming SSF Assessors should also review the program documents to understand what’s required for being qualified to conduct assessments under the SSF, as well as how the vendor and software validation process works.
SSF Assessors – Applications and Training
To support these programs, PCI SSC is creating a new assessor type – Software Security Framework (SSF) Assessor. SSF Assessor Companies can be qualified to perform Secure SLC assessments, Secure Software assessments, or both:
- Secure SLC Assessors are individuals at SSF Assessor Companies qualified to evaluate payment software vendors’ adherence to the Secure SLC Standard.
- Secure Software Assessors are individuals at SSF Assessor Companies qualified to evaluate payment software products against the Secure Software Standard.
PCI SSC will begin accepting SSF Company applications in October 2019. In order to be listed as an SSF Assessor Company, the company must have at least one employee successfully complete the Secure Software Assessor or Secure SLC Assessor training and exam. Training will be available in early 2020, and more information, including course details and fees, will be published on the PCI SSC website.
The Software Security Framework - Qualification Requirements for Assessors provide all the details on what it takes for companies and their employees to be qualified to conduct assessments under the SSF. Here are a few key things to note:
- SSF Assessor Companies do not have to be existing QSA Companies: Any company that meets the qualification requirements, pays the applicable fees and submits the required documentation can be qualified as an SSF Assessor Company.
- PA-QSAs and QSAs are eligible for a modified training requirement: In addition to meeting the SSF Qualification Requirements for Assessors, PA-QSAs may complete computer-based training (CBT) and the corresponding exam for both the Secure SLC and Secure Software Programs, instead of the instructor-led training required for new assessors. QSAs are eligible for CBT for the Secure SLC Program only.
- Training will be rolled out in two phases: Computer-based training will be available first for PA-QSAs (and QSAs for Secure SLC only), followed by instructor-led training for QSAs and new assessors.
PA-DSS Program Transition
When PA-DSS v3.2 expires in 2022, the standard and program will be formally retired and replaced by the SSF. At that time, all PA-DSS validations will move to the “Acceptable Only for Pre-Existing Deployments" tab on the PA-DSS listing and the PA-DSS Program will close.
In the interim, to help minimize disruption and ease the transition process for stakeholders, the PA-DSS and SSF Programs will run in parallel, with the PA-DSS Program continuing to operate as it does now:
- Existing PA-DSS validated payment applications: The PA-DSS Program remains open and fully supported until October 2022, with no changes to how existing PA-DSS validated applications are handled. They will remain on the List of PA-DSS Validated Payment Applications until their expiry dates, and per the normal process vendors can submit changes to them until PA-DSS v3.2 expiry (28 October 2022).
- New PA-DSS submissions: Vendors will be able to submit new payment software products for PA-DSS validation and listing until 30 June 2021.
Assessments against the PCI Software Security Framework are anticipated to begin in Q1 2020 and will have a three-year validity period.
More information on the PA-DSS Program transition is available in the Secure SLC and Secure Software Program Guides and the FAQs.
New SSF Listings
As part of the Secure SLC and Secure Software Programs, there will be three new lists on the PCI SSC website for use by payment software vendors, merchants, acquirers and other payment software users:
- SSF Assessor Company List: Software vendors can use this list to identify independent security organizations that are qualified by PCI SSC to perform assessments to the Secure Software Standard, the Secure SLC Standard or both. The SSF Assessor Company List will indicate whether a company is qualified as a Secure Software Assessor Company and/or as a Secure SLC Assessor Company.
- Validated Payment Software List: Merchants, acquirers and other payment software users can use this list to identify payment software products that have been evaluated by a Secure Software Assessor and validated as meeting the Secure Software Standard.
Initially, this program and its list are specific to payment software products that store, process, or transmit clear-text account data, and are commercially available and developed by the vendor for sale to multiple organizations. As new modules are added to the Secure Software Standard to address other software types, use cases and technologies, the program scope will expand to support them.
- Secure SLC Qualified Vendor List: Merchants, acquirers and other payment software users can use this list to identify payment software vendors whose software development lifecycle practices have been evaluated by a Secure SLC Assessor and validated as meeting the Secure SLC Standard.