The PCI SSF (Software Security Framework) is a blend of traditional and modern software security requirements. Validation of payment software to Secure Software Standards (S3) assures that the Payment Software that is designed protects the integrity of the software and the confidentiality of the sensitive data it captures, stores, processes, and transmits. The latest framework supports evolving technologies, software types, and development methodologies.
The PCI SSF (Software Security Framework) is a collection of standards and programs for the secure design and development of payment software.
The new SSF is comprised of:
1. A Secure SLC Standard, and
2. A Secure Software Standard.
The Secure SLC Standard defines a set of security requirements and associated test procedures for software vendors to validate how to properly manage the security of payment software throughout the software life-cycle. Secure SLC is applied to software vendors that develop software for the payments industry.
The Secure Software Standard defines a set of security requirements and associated test procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data. The Secure Software Standard is applied to payment software that is sold, distributed, or licensed to third parties.
Why choose PCI SSF over PA DSS?
- The PCI SSF is separate and distinct from PA-DSS.
- The PA-DSS program will eventually be integrated into the PCI SSF.
- PCI SSF includes some components of PA-DSS.
- All PA-DSS validated payment applications will continue to be governed by the PA-DSS standard until the applications reach their expiration date.
- It is recommended to assess new payment applications using PCI SSF instead of continue using PA-DSS.
- The PCI Council will accept new PA-DSS validations through mid-2020, and these applications will be valid through late 2022.
How Does It Work?
ControlCase has a streamlined methodology for SSF (Software Security Framework) Certification featuring an easy to understand questionnaire and sample templates, which explain the types of evidence required. We assist you in driving towards achieving certification in an efficient and cost-effective manner.
The PCI SSF will assist auditors in evaluating the security of software and the development lifecycle. It will replace the current PA-DSS with updated requirements aligned with industry standards that support a broader array of payment software types, technologies, and development methodologies.
The methodology consists of the following steps:
Six Phases of Certification Process: Compliance validation is demonstrated and assessed in following five progressive steps.
| 1. Strategy Call: | Strategy call to identify the point of contact from both organizations, timelines for assessment, high level requirement and roadmap for the project. |
| 2. SkyCAM Setup: | Configuring tools to collect evidence automatically, to do remote application vulnerability assessment. |
| 3. Scoping: | Identify the boundaries of the scope of assessment and inclusion and dependency of any third party. |
| 4. Pre-Assessment/Gap Assessment: | Interviews, reviews of documentation and walk-through to identify gaps and provide recommendations. |
| 5. Remediation/ Advisory Support : | Assistance as partners to provide advisory support for mitigating gaps and collecting evidence. |
| 6. Compliance Certification: | Conduct the certification phase, and on successful completion, provide the reports and attestation documentation/certification. Also support client to list the payment application details with the PCI SSC. |
The deliverables include:
- Report on Compliance (ROC) for SLC
- Attestation of Compliance (AOC) for SLC
- Report on Validation (ROV) for SSA
- Attestation of Validation (AOV) for SSA
- Certificate of Compliance (COC) SSF / SLC
- Web Seal
- Card brand registration support
