Registration is now open for Software Security Framework (SSF) New Assessor Training. PCI Security Standards Council (PCI SSC) recently announced the first training dates for its remote, instructor-led Secure Software Assessor and Secure Software Lifecycle Assessor classes, now available on the new eLearning platform.
Who can register?
SSF Assessor qualification provides an opportunity for new candidates to become qualified to perform assessments under the PCI SSC Software Security Framework (SSF), which includes a methodology for validating software security and a separate secure software lifecycle qualification for vendors with robust security development practices.
SSF Assessor qualification also offers existing assessors the chance to use and expand their skills and experience in an area with opportunities for future growth. Payment Application Qualified Security Assessors (PA-QSAs) and QSAs can add to their qualifications and expertise with the Secure Software Assessor qualification, Secure SLC Assessor qualification, or both.
In order to attend Secure Software Assessor or Secure SLC Assessor training for qualification, you must be a full-time employee of an active Software Security Framework Company. Please see the Software Security Framework Qualification Requirements for Assessors for more details. Informational training is also available for individuals who would like to increase their knowledge but do not necessarily need to achieve qualification.
What are the course descriptions?
Secure Software Assessor – This course provides instruction on how to perform assessments of payment software in accordance with the Secure Software Requirements and Assessment Procedures (PCI Secure Software Standard). This training will provide you with an understanding of the requirements with corresponding assessment procedures and guidance for the development of secure payment software.
Secure Software Lifecycle Assessor – This course provides instruction on how to perform assessments of entities in accordance with the Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures (PCI Secure SLC Standard). This training will provide you with an understanding of the requirements with corresponding assessment procedures and guidance for payment software vendors to design, develop, and maintain secure payment software throughout the software lifecycle.
Where will training take place?
PCI SSC has adopted a new eLearning platform to move all informational and qualification programs online. With the rise of the COVID-19 pandemic, the Council took important steps earlier this year to protect the health and safety of all involved by canceling face-to-face, instructor-led training (ILT) courses for the remainder of the calendar year. To date, PCI SSC has received considerable positive feedback regarding the course delivery platform and, as a result, has been able to accommodate broader, global participation.
How do I become an SSF Assessor?
To be qualified as Secure Software Assessors and/or Secure SLC Assessors, eligible SSF Assessor Company employees must successfully complete the requisite training and exam. Training will be offered on the new eLearning platform. eLearning incorporates a combination of computer-based training (CBT) and live remote instructor-led training sessions, with an online qualification exam. ILT is required for new assessors; however, QSAs and PA-QSAs that meet the SSF Assessor Qualification Requirements have the option to complete a transitional CBT course instead. Note that for eligible QSAs, the transitional CBT is only an option for Secure SLC Assessor training and does not apply to the Secure Software Assessor Program.
When are the first training dates?
The first opportunity to take the Secure Software Assessor class is 11 November 2020. The Secure Software Lifecycle Assessor class is 12 November 2020. These classes can reach capacity. Therefore, it is important to register as early as possible. Future dates will be added as demand dictates.
Why is this training important?
SSF Assessors evaluate vendors and their payment software products against the PCI Secure SLC and Secure Software Standards. PCI SSC lists both Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website. Validations are good for three years. The SSF expands beyond the scope of the Payment Application Data Security Standard (PA-DSS) and will replace PA-DSS, its program and List of Validated Payment Applications when PA-DSS is retired in 2022. During the interim period, PA-DSS and SSF Programs will run in parallel, with the PA-DSS Program continuing to operate as it does now.