- 400 George Street, Sydney NSW 2000
- info@cybercladglobal.com
PCI SSF
Security Controls for Application Developers in Online Payment Transactions
With the ongoing digital revolution, the landscape of payment methods has transformed. Today, transactions can be completed without the need for physical payment cards, as people increasingly use digital devices to shop, dine, and pay for utilities. As these modern payment methods evolve, the traditional approaches to securing the software that facilitates these payments must also adapt.
The PCI Security Standards Council (PCI SSC) introduced the Payment Application Data Security Standard (PA DSS) in 2008 to help secure payment applications. PA DSS guided payment application vendors in developing secure software for payment processing.
As payment methods rapidly diversified, the security requirements of the payment ecosystem evolved beyond what PA DSS was designed to cover. To meet these demands, PCI SSC launched the Software Security Framework (SSF).


Why PCI Software Security Framework Over PA-DSS?
The PA DSS played a key role in helping merchants maintain PCI DSS compliance and supported secure software development and lifecycle management. However, its strict eligibility criteria limited validation to applications that store, process, or transmit cardholder data as part of authorization or settlement, leaving gaps as payment technologies evolved. With modern payment applications now supporting a wider range of methods, a more comprehensive and security-focused approach was required to safeguard payment software, minimize vulnerabilities, and prevent cyberattacks. To address these challenges, PCI SSC introduced the PCI Software Security Framework (SSF) in 2019 and announced the retirement of PA DSS, whose program closed in October 2022. PCI SSF builds on the principles of PA DSS while expanding its focus to encompass modern payment software types, diverse technologies, and flexible development processes. It consists of two standards: the Secure Software Standard, against which a payment software product is validated, and the Secure Software Lifecycle (Secure SLC) Standard, against which a vendor's development practices are validated.
What is the Secure Software Standard?
The Secure Software Standard defines the security requirements that a payment software product must meet to be validated and listed by PCI SSC, and the accompanying program sets the eligibility criteria. Initially, only payment software that is involved in, or directly supports, payment transactions, that stores, processes, or transmits clear-text account data, and that is commercially available for sale to multiple organizations qualifies for validation and listing. Future versions of the standard may expand the eligibility criteria to include additional modules or application types, so software that is not currently eligible may become eligible later.
What is the Secure SLC Standard?
For payment software that does not meet the criteria for evaluation and listing, vendors can choose to have their software lifecycle (SLC) practices evaluated against the Secure SLC Standard. This demonstrates the vendor's commitment to secure software development practices and its ability to protect payment transactions, minimize vulnerabilities, and defend against cyberattacks. It highlights the maturity of the vendor's SLC practices, showing that security is integrated throughout the software lifecycle, from design and development to maintenance.


Transition from PA DSS to Software Security Framework
To ensure a smooth transition, PCI SSC continued to support PA DSS-validated applications until October 2022. These applications remain on the List of Validated Payment Applications until their expiry dates, with no impact on existing users. Since October 2022, the PCI Software Security Framework has replaced PA DSS and its listings, and new payment software is validated only under PCI SSF.
Timelines:
- January 2019: Announcement of the release of PCI Software Security Standards
- June 2019: PCI SSC published the Software Security Standards documents
- October 2019: Software Security Standards Assessor company applications available
- Q1 2020: SSF Assessor Training available
- Q1 2020: SSF programs open for vendors
- June 2020: First PCI SSF program listings expected
- June 2021: Deadline for the acceptance of new PA DSS application submissions
- October 2022: PA DSS program closes; from this point, new payment software validations take place only under the PCI Software Security Framework
Applicability
The SSF applies to vendors that develop payment software for card payments and online transaction processing. Listing under the Secure Software Standard is limited to software meeting the eligibility criteria above, but any organization developing payment software, including in-house teams at merchants and service providers, can use the SSF standards as a security baseline.
Consulting Methodology
Concept Building Training
Providing training to the client team to enhance their conceptual understanding of requirements and highlight the key drivers necessitating implementation.
Gap Analysis Report for IT Infrastructure & Configuration
Our team of domain experts will evaluate the current software development environment and supporting IT infrastructure, focusing on the software security controls, development lifecycle practices, and data protection controls that the SSF requirements cover. A comprehensive report detailing identified gaps and recommending potential solutions will be provided.
Design and Implementation of a Documented Management System
Creation of a tailored management system encompassing policies, system manuals, procedural guidelines, risk assessment frameworks, security control SOPs, and customizable templates.
Risk and Privacy Assessment Support
Providing expert guidance and assistance to clients in completing risk assessments, implementing necessary controls, and presenting the residual risk inventory to top management.
Implementation Training
Conducting one-on-one sessions with the key implementation team to provide comprehensive training on the documented management system and its implementation strategies.
Implementation Handholding
Providing ongoing consulting support to address routine queries and ensure the successful implementation of the requirements.
Internal Auditor Training
In-depth training on clause requirements and audit techniques, including case studies and assessments.
Conducting the Internal Audit
Our consulting team, along with the trained internal auditors from the client's team, conducts a comprehensive internal audit to assess all requirements and generates the audit report.
Closure of Audit Findings
We provide guidance and support to help the client address and resolve internal audit findings, ensuring readiness for the certification assessment.
Assessment Process
A PCI SSC-qualified SSF Assessor company conducts the final assessment and, on successful evaluation, produces the Report on Validation (ROV) and Attestation of Validation (AOV) for submission to PCI SSC.
Listing by PCI SSC
Once all assessment findings are closed and PCI SSC has accepted the ROV, the client's payment software (Secure Software Standard) or the vendor itself (Secure SLC Standard) is added to the relevant PCI SSC list.
Ongoing Consulting Support for Annual Revalidation and Change Assessments
As part of our commitment to long-term client partnerships, we provide continued consulting support for annual revalidation and for assessing software changes, helping clients keep their listing current as their products evolve.