Understanding PCI SSF compliance standards and its benefits




The PCI Security Standards Council (PCI SSC) released a new framework, the PCI Software Security Framework (SSF), to secure modern payment software. The framework is a collection of standards and programs built to secure the design and development of payment software. With the introduction of SSF, the existing standard, PA-DSS (Payment Application Data Security Standard), will soon fade out. In other words, the SSF replaces PA-DSS with modern requirements that support a wide range of payment software types, technologies, and development methodologies. It is a new approach that supports both existing and future payment software and extends beyond the limits of PA-DSS to address overall software security resiliency.


The PCI SSF Standards 


The PCI Software Security Framework is based on two standards: the Secure Software Standard and the Secure Software Lifecycle Standard.


Secure Software Standard


Validation of payment software to the Secure Software Standard (S3) assures that the payment software is designed to protect the integrity of the software and the confidentiality of the sensitive data it captures, stores, processes, and transmits. This standard typically applies to:


Software products that are involved in, or directly support or facilitate, payment transactions that store, process, or transmit data.
Software products developed by the vendor that are commercially sold to multiple organizations.

Secure Software Lifecycle Standard


Validation of payment software to the Secure Software Lifecycle Standard assures that the vendor's software development lifecycle processes, procedures, and practices are compliant with the PCI Secure SLC Standard. This standard applies to:


All vendors who develop payment software.

Purpose of Introducing PCI Software Security Framework in Replacement of PA DSS ..
