Navigating the PCI Software Security Framework (SSF)

As of June 30, 2021, applications can no longer be submitted under the Payment Card Industry (PCI) Payment-Application Data Security Standard (PA-DSS). PCI has created a new standard to replace the PA-DSS: the PCI Software Security Framework (SSF). The PCI SSF is an evolution for PCI that takes secure software development for payment related software to a new level. It is designed to be more flexible and take a more risk-based approach. This new approach brings some challenges and many changes.

While the PCI SSF replaces PA-DSS, we will briefly review how it is structured differently between the optional Secure Software Lifecycle (Secure SLC) standard and the Secure Software Standard (S3).

This paper will review what this means for those required to meet this new standard. If you have been required to meet PA-DSS in the past, the S3 applies to you, but you will need to understand the new approach and how to be prepared for it. If you develop software that has not been required to meet PA-DSS in the past, you also want to understand this approach as the PCI SSF continues to develop and expand the scope of what applications are included.

SSF provides an opportunity to better own the security aspect of your application development process. If done in the right way, this can result in a more efficient development process saving time and money in development and in the assessment process, all while producing a more secure application.

Understanding and following the PCI SSF can help any software developer to produce more secure software if the core principles are followed. This paper will also review how Secure Compass’s SD Elements can be leveraged to meet and exceed the different aspects of the PCI SSF while streamlining your development process.

Download the PDF