The PCI Security Standards Council (PCI SSC) released a new framework known as the PCI Software Security Framework (SSF) to secure modern payment software. The new framework is a collection of standards and programs built to secure the design and development of payment software. With the introduction of the SSF, the existing standard, PA-DSS (Payment Application Data Security Standard), will soon be phased out. This simply means that the SSF replaces PA-DSS with modern requirements that support a wide range of payment software types, technologies, and development methodologies. It is a new approach that supports both existing and future payment software and extends beyond the limits of PA-DSS to address overall software security resiliency.
The PCI Software Security Framework is based on two standards, namely the Secure Software Standard and Secure Software Lifecycle Standard.
Validation of payment software against the Secure Software Standard (S3) assures that the software is designed to protect the integrity of the software itself and the confidentiality of the sensitive data it captures, stores, processes, and transmits. Applicability of this standard typically includes:
Validation of payment software against the Secure Software Lifecycle Standard assures that the vendor’s software development lifecycle processes, procedures, and practices comply with the PCI Secure SLC Standard. Applicability of this standard includes:
The PCI Software Security Framework is a blend of traditional and modern software security requirements. The latest framework supports evolving technologies, software types, and development methodologies. The new PCI SSF was designed and implemented with the aim of promoting highly objective-oriented security practices that support both the traditional methods of good application security and the latest development practices. It is a framework introduced to ensure vendors can benefit from the best of both worlds and implement the measures that best secure their systems.
For a smooth transition from PA-DSS to PCI SSF, the PCI Council will continue to support PA-DSS validated applications through the end of October 2022. They have clearly stated that existing PA-DSS validated applications will remain on the “List of Validated Payment Applications” until their expiry dates, with the assurance that users will not be affected. Further, by the end of October 2022, the PCI Software Security Framework will replace PA-DSS and its listings. So, with this transition, payment applications will be validated against PCI SSF after the retirement of PA-DSS in 2022. The new framework provides flexibility to all software vendors and facilitates better alignment of secure application development with industry standards.
The Payment Card Industry Security Standards Council developed the new SSF to provide flexibility to software vendors and align payment software development with industry best security practices. Unlike PA-DSS, the SSF will support multiple security efforts and initiatives that focus on secure design and development. Here is how PCI SSF compliance benefits customers, vendors, and merchants in general:
While the transition from PA-DSS to PCI SSF may seem challenging, in reality it will not disrupt your compliance efforts. In fact, PCI SSF provides additional flexibility for software developers to incorporate payment application security in line with current industry-accepted practices. Moreover, as mentioned earlier, to make the transition hassle-free for stakeholders, the PA-DSS and SSF programs will run in parallel, with the PA-DSS program continuing to operate as it does until its expiry date. Having said that, we personally feel the decision to introduce a new framework is for the better of society and for the benefit of customers and vendors. Hence, the introduction of PCI SSF should not be taken otherwise and should be taken positively by all stakeholders.
Contributed by Narendra Sahoo, Director, VISTA InfoSec
A good blog that explains all about the PCI Software Security Framework (SSF). This new framework is a collection of programs and standards designed to secure payment software. This security framework is based on two ideals, the Secure Software Lifecycle Standard and the Secure Software Standard. Thanks for providing information on PCI SSF compliance standards and their significance.