Today, the PCI Security Standards Council (PCI SSC) published version 1.1 of the PCI Secure Software Lifecycle (SLC) Standard and its supporting program documentation. The PCI Secure SLC Standard is one of two standards that are part of the PCI Software Security Framework (SSF). It provides security requirements and assessment procedures for software vendors to integrate into their software development lifecycles and to validate that secure lifecycle management practices are in place.
The version 1.1 update to the PCI Secure SLC Program Guide expands program eligibility beyond payment software vendors. The revised eligibility includes software vendors who develop software products for the payment card industry. This expansion of the program enables more vendors to leverage Secure SLC qualification and facilitates broader vendor adoption and participation in the Secure SLC Program.
The PCI Secure SLC Standard v1.1 also addresses errata, adds minor clarifications, and aligns key terms and definitions across the standard and program documentation.
Vendors should download the current program documentation and reference v1.1 of the Program Guide when working with v1.1 of the standard. The following documents can be found in the PCI SSC document library:
- PCI Secure SLC Standard v1.1
- PCI Secure SLC v1.1 Program Guide
- PCI Secure SLC v1.1 Report on Compliance (ROC) Template
- PCI Secure SLC v1.1 Attestation of Compliance (AOC)
In addition to the updated Secure SLC Standard and Program, PCI SSC has recently announced 2021 dates for Software Security Framework Assessor training. SSF Assessors are independent security organizations that are qualified by PCI SSC to perform assessments against the Secure Software Standard, the Secure SLC Standard, or both.
SSF Assessor Company qualification is open to any company that meets the SSF Assessor Qualification Requirements. It provides an opportunity for new candidates to join the first PCI SSC program of this kind, which combines, in a single framework, a new methodology for validating software security and a separate secure software lifecycle qualification for vendors with robust security development practices. Eligible organizations can apply now to become SSF Assessor Companies by visiting the Secure Software Assessor or Secure SLC Assessor pages on the PCI SSC website and following the steps outlined in the registration process. Classes are available for qualification, informational, or corporate group training.