The Payment Card Industry (PCI) Software Security Framework (SSF) provides software vendors with standards for designing, developing, and maintaining secure payment software. First published in January 2019, PCI SSF will fully replace the PCI Payment Application Data Security Standard (PA-DSS) in October 2022.
The new PCI SSF standards extend and improve upon PA-DSS by addressing recent advancements in payment technologies, platforms, and software development practices.
PCI SSF Components
PCI SSF has two fundamental components. The Secure Software Lifecycle (Secure SLC) Standard applies to the software development lifecycle. The Secure Software Standard covers the security of payment software.
What’s Changing With PCI SSF?
Here are some of the key things that are changing with PCI SSF relative to PA-DSS:
- Supports a broader range of payment software types, technologies, and development methodologies.
- Uses outcome-focused requirements.
- Provides more agility for developers to incorporate payment application security with nimble development practices and frequent update cycles.
- Enables accelerated provision of customization and features for payment applications for merchants without compromising security.
- Improves consistency and transparency in testing payments applications.
- Promotes developer education on the importance of integrating security into the software development lifecycle.
- Provides authoritative lists of Validated Payment Software and Secure SLC Qualified Vendors on the PCI Security Standards Council (PCI SSC) website.
What is the Implementation Timeframe for PCI SSF?
When PA-DSS v3.2 expires at the end of October 2022, it will be formally retired and replaced by PCI SSF. In the interim, to help minimize disruption and ease the transition process for stakeholders, the PA-DSS standard and program will remain available and fully supported.
Here’s a timeline of key milestones for the transition from PA-DSS to PCI SSF:
PA-DSS to PCI SSF Transition Timeline
How Do We Certify for PCI SSF?
Once you’ve made the changes necessary to bring your software development lifecycle into compliance with the Secure SLC Standard, a PCI-approved SSF Assessor will perform a formal assessment to validate your compliance with the new lifecycle standard. When your compliance has been successfully validated, your company will be listed on the PCI SSC website as a Secure SLC Qualified Vendor.
When you bring each of your payment software products into compliance with the Secure Software Standard, an SSF Assessor can perform an assessment for compliance. Once compliance has been validated for a software product, it will be listed on the PCI SSC website as a Validated Payment Software product.
Getting listed on the PCI SSC website lets your customers know that your development process and payment software products meet the industry gold standard for security.
Here are resources that provide more detail on PCI SSF:
- Transitioning from PA-DSS to the PCI Software Security Framework
- Software Security Framework At-a-Glance
- Secure SLC Program Guide
- Secure Software Program Guide
We Can Help
Tevora’s experienced team of payment security experts can partner with you to help you make the changes needed to comply with PCI SSF. And as a PCI-approved SSF Assessor, we can also do a formal assessment to validate your compliance with the new standards.
If you have questions about PCI SSF or would like help bringing your organization into compliance, just give us a call at (833) 292-1609 or email us at firstname.lastname@example.org.
 This information sourced from the “Transitioning from PA-DSS to the PCI Software Security Framework” document published by the PCI Security Standards Council.
About the Author
Jason Pieters is the Managing Director of Payments at Tevora.