Ahead of the North America Community Meeting this week in Vancouver, PCI SSC has published new educational resources on the PCI Software Security Framework (SSF). The SSF At-a-Glance and the Transitioning from PA-DSS to SSF Resource Guide provide key information to increase awareness and understanding of the SSF, its benefits, and its impact on the Payment Application Data Security Standard (PA-DSS) and Program.
At-a-Glance: PCI SSF Provides A Modern Approach to Payment Software Security
The PCI Software Security Framework (SSF) is a collection of standards and programs for the secure design and development of payment software. Security of payment software is a crucial part of the payment transaction flow and is essential to facilitate reliable and accurate payment transactions.
Modern software development requires objective-focused security to support more nimble development and update cycles than traditional software development practices. The SSF recognizes this evolution with an approach that supports both traditional and modern payment software.
It provides vendors with security standards for developing and maintaining payment software so that the software protects payment transactions and data, minimizes vulnerabilities, and defends against attacks. The SSF also includes a new methodology for validating software security and a separate Secure Software Lifecycle qualification for vendors with robust security development practices.
Software Security Framework Assessors (SSF Assessors) evaluate vendors against the Secure Software Lifecycle (Secure SLC) Standard and evaluate their payment software products against the Secure Software Standard. The PCI SSC lists both Secure SLC Qualified Vendors and Validated Payment Software on the Council’s website as resources for merchants, service providers, and acquirers.
For an overview of the SSF, its benefits and how to use it, view our newly published resource: At-a-Glance: PCI Software Security Framework.
Note: The Secure SLC and Secure Software Standards and their supporting program documentation are available on the PCI SSC website now, and beginning in October organizations can apply to become SSF Assessor Companies. To be listed as an SSF Assessor Company on the PCI SSC website, an organization must have at least one employee successfully complete the Secure Software Assessor or Secure SLC Assessor training and exam. Training will be available in early 2020. Once SSF Assessors are qualified and listed, vendors can begin the validation process for their software lifecycle management practices and their payment software. For additional information, refer to the Software Security Framework - Qualification Requirements for Assessors.
Resource Guide: Transitioning from PA-DSS to SSF
When PA-DSS v3.2 expires at the end of October 2022, it will be formally retired and replaced by the SSF, which provides modern requirements that support a broader array of payment software types, technologies, and development methodologies. In the interim, to help minimize disruption and ease the transition for stakeholders, the PA-DSS standard and program will remain available and fully supported.
For specific information and resources to assist with migration to SSF from PA-DSS, view our newly published Resource Guide: Transitioning from PA-DSS to the PCI Software Security Framework.
Also on the blog: New Software Security Framework Programs: Timeline & Key Milestones