When the Payment Application Data Security Standard (PA-DSS) v3.2 closes on 28 October 2022, it will be superseded by the Secure Software Standard and Program, which is part of the PCI Software Security Framework (SSF).
As a reminder, the first milestone date related to the closure is 30 June 2021. This date is relevant for the following two PA-DSS and SSF program-related activities:
- New PA-DSS submissions will not be accepted after 30 June 2021. This date marks the cutoff to submit new payment software products for PA-DSS validation and listing. To obtain an equivalent validation and listing, the Secure Software Program should be used. (Note: Existing PA-DSS validated applications are not impacted by this date and will continue to be supported per normal processes until the PA-DSS Program closes at the end of October 2022.)
- Reduced Certification Requirements for PA-QSA Secure Software Assessor Candidates:
  - PA-QSAs who have not yet transitioned to Secure Software Assessor have until 30 June 2021 to take advantage of reduced industry-recognized professional certification requirements for this qualification.
  - Until 30 June 2021, “List C – Software Development” certifications are not required from PA-QSA and PA-QSA (P2PE) Secure Software Assessor candidates (who meet all other eligibility and qualification requirements) until their next annual requalification.
  - Beginning July 1, 2021, all Secure Software Assessor candidates – and all Secure Software Assessors who requalify on or after July 1, 2021 – must possess at least one industry-recognized professional certification from List A – Information Security OR List B – Audit, AND at least one certification from List C – Software Development.
Refer to the Software Security Framework Qualification Requirements document, section 3.2.3, “Secure Software Assessor Requirements,” for complete details.
For Assessors who need additional training for either the Secure Software or Secure Software Lifecycle Standard and Program, remote instructor-led training classes for both have been scheduled for dates in May, and registration is now open.