Introduction to PCI Software Security Framework (SSF)
When was the last time you went to an ATM to withdraw cash? Gone are the days when people visited ATM terminals for money.
Today, with the digital revolution, everything has moved online, and payment methods have changed in such a way that you no longer require the payment card to conduct a transaction. We see people shop, dine out, use utilities and then pay with their digital devices. As modern payment methods evolve, the traditional methods of securing the software that facilitates payments must also evolve.
PCI SSC introduced the Payment Application Data Security Standards (PA DSS) in 2008 with the vision of securing payment applications. PA DSS helps payment application vendors develop secure payment applications.
Over time, the number of payment methods multiplied. To support the current security needs of the payment world, PCI SSC has published the Software Security Framework.
Why PCI Software Security Framework over PA-DSS?
PA DSS helps merchants maintain PCI DSS compliance by supporting software development and lifecycle management principles. In addition, PA DSS has a strict eligibility criterion: only applications that take part in authorization and/or settlement can be validated against its requirements.
Payment application software that constantly evolves to facilitate a variety of payment methods requires an objective-focused security approach. The approach must provide security for modern payment software, reduce vulnerabilities, and mitigate cyberattacks.
To support a broader array of payment software types, technologies, and development methods, PCI SSC announced the release of the new PCI Software Security Framework (SSF) in 2022. PCI SSC planned the official retirement of PA DSS, the benchmark standard, after October 2022.
PCI SSF is an independent collection of payment security standards that includes elements of PA DSS. SSF supports existing ways to demonstrate good application security and a variety of new payment software and development processes.
Currently, there are two standards under PCI Software Security Framework:
1. Secure Software Standard
2. Secure Software Life Cycle Standard (Secure SLC)
What is the Secure Software Standard?
The Secure Software Standard defines the eligibility criteria under which various types of payment software can be evaluated and listed. For the initial launch, only payment software products that are developed by the vendor, that are involved in or directly support or facilitate payment transactions, that store, process, or transmit clear-text account data, and that are commercially available for sale to multiple organizations qualify for validation and listing. The standard also states that additional modules and eligibility may be allowed under future versions. So an application that is not eligible today may become eligible at a later point in time.
What is the Secure SLC Standard?
For payment software that is not eligible for evaluation and listing, a software vendor can choose to have its software lifecycle management practices evaluated against the Secure SLC Standard to demonstrate the organization’s ability and commitment to secure software development practices.
This qualification shows that the software vendor has mature SLC practices in place to ensure its payment software can protect payment transactions, minimize vulnerabilities and defend against attacks. It also demonstrates that the vendor’s SLC processes, technology, and personnel involved in the design, development, and maintenance of the payment software have security built in throughout the entire software lifecycle.
Transition from PA DSS to Software Security Framework
To ensure a smooth transition without any disruptions, the PCI Council will continue to support PA DSS validated applications through the end of October 2022. Existing PA-DSS validated applications will remain on the List of Validated Payment Applications until their expiry dates with no impact on the users.
By the end of October 2022, the PCI Software Security Framework will replace PA DSS and its listings. Payment applications will be validated under PCI SSF after the retirement of PA DSS in 2022.
Timelines
- Announcement about the release of PCI Software Security Standards – January 2019
- PCI SSC published the Software Security Standards documents – June 2019
- Software Security Standards Assessor company applications are available – October 2019
- SSF Assessor Training available – Q1 of 2020
- SSF programs open for vendors – Q1 of 2020
- First PCI SSF program listings expected – June 2020
- Deadline for the acceptance of new PA DSS application submission – June 2021
- PA DSS program closes and the start of payment application validation under PCI Software Security Standards Framework – October 2022
Be among the first few vendors listed under the SSF program. Contact SISA to learn more about the PCI SSF standard and how we can support you on the SSF program.
SISA has created a document to help application developers with the transition. You can download the resource – Practical Transition Strategy from PA DSS to PCI SSF – from here.