Who will be eligible to conduct assessments under the PCI Software Security Framework? How will the assessor qualification process work? When will training be available? Following last month’s update on the development of the Secure Software Lifecycle (Secure SLC) and Secure Software Programs, Senior Director of Certification Programs, Gill Woodcock, addresses these key questions about Software Security Framework (SSF) Assessor qualification.
Who will conduct assessments under the PCI Software Security Framework?
Gill Woodcock: PCI SSC will be qualifying companies and individuals within those companies to perform assessments under the PCI Software Security Framework (SSF). SSF Assessor Companies may choose to qualify to perform assessments under the Secure SLC Program, the Secure Software Program or both.
- Secure SLC Assessors will evaluate payment software vendors’ adherence to the Secure SLC Standard to be listed as qualified vendors on the PCI SSC website.
- Secure Software Assessors will evaluate payment software products against the Secure Software Standard to be listed as validated payment software on the PCI SSC website.
What are the eligibility requirements for Secure SLC Assessors and Secure Software Assessors?
Gill Woodcock: The SSF Qualification Requirements for Assessors are being finalized now, and we anticipate they will be available in the next few weeks. These include eligibility requirements for Assessor Companies and their employees. Similar to other PCI SSC assessor programs, the qualification process will include fulfillment of the qualification requirements, fees and documentation, and training. Assessor Company employees who are not Payment Application Qualified Security Assessors (PA-QSA) or Qualified Security Assessors (QSA) will need to complete instructor-led training and pass the corresponding exams.
What will be the path for PA-QSAs and QSAs to become Secure SLC and Secure Software Assessors?
Gill Woodcock: The qualification path for PA-QSAs and QSAs takes into account their applicable skills and experience as assessors:
- For Secure SLC, in addition to meeting the Software Security Framework Qualification Requirements for Assessors, both PA-QSAs and QSAs may complete computer-based training and the corresponding exam, rather than the instructor-led training required for new assessors.
- For Secure Software, in addition to meeting the Software Security Framework Qualification Requirements for Assessors, PA-QSAs may complete computer-based training and the corresponding exam. QSAs must complete the instructor-led training and corresponding exam required for new assessors.
When will training be available?
Gill Woodcock: Development of training is underway. Computer-based training for PA-QSAs and QSAs will be available first, followed by instructor-led training. We will share information on training dates and costs as soon as these details are finalized.