
PCI Software Security Framework
The PCI Software Security Framework (SSF) is a collection of standards and programs for the secure design and development of payment application software. Securing payment software is a crucial part of the payment transaction flow, as it underpins reliable and accurate transactions.
Modern software development requires objective-focused security that can support faster development and update cycles than traditional software development practices. The PCI SSF addresses this with a modern approach that can support security requirements in both contemporary and traditional payment software.
SSF provides vendors with security standards for building and maintaining payment software that protects payment transactions and data, reduces vulnerabilities, and defends against attacks. The SSF introduces a new methodology for validating software security and a separate secure software lifecycle qualification for vendors with robust security development practices.
Why PCI Software Security Framework (SSF)?
PCI Software Security Framework (SSF) is a combination of modern software security requirements that support evolving technologies, software types, and development methodologies.
SSF brings in objective-focused security practices that can support both existing ways to demonstrate good application security and a variety of newer payment platforms and development practices.
The PCI Council scheduled a formal retirement of the benchmark standard PA-DSS v3.2 and planned to replace the Payment Application Data Security Standard (PA-DSS) with the Software Security Framework (SSF). To ease the transition process and minimize disruptions, the PCI Council made the standard and program fully available to stakeholders.
The Structure of PCI SSF:
PCI Software Security Framework is a collection of application security standards and respective validation and listing programs. Currently, SSF has two standards.
1. Secure Software Standard
Validation to the Secure Software Standard (S3) helps assure that payment software is developed to protect the integrity of the software and the confidentiality of the sensitive data it captures, stores, processes, and transmits.
Applicability
- Software products involved in or directly supporting or facilitating payment transactions that store, process, or transmit clear-text account data.
- Software products developed by the vendor that are commercially available for sale to multiple organizations.
2. Secure Software Lifecycle Standard
Validation to the Secure Software Life Cycle (Secure SLC) Standard helps assure that a vendor's software development lifecycle processes, procedures, and practices are compliant with the PCI Secure SLC Standard.
Applicability
- This standard is applicable to all vendors that develop payment software.
PCI Software Security Framework (SSF) Compliance Journey
Phase 1 – Pre-Assessment
SISA and the client initiate the project with a kick-off call, introducing the respective project teams and laying down the validation process.
The journey starts with a one-hour awareness session on the Software Security Framework (SSF) for the application stakeholders identified by the client.
SISA then requests the documents and business flowcharts necessary to understand the cardholder data flow in the application.
Phase 2 – Gap Assessment
SISA conducts a Gap Assessment with the objective of identifying all risks pertaining to the application and shares a detailed action tracker listing all the action points that the client needs to mitigate.
Phase 3 – Remediation
After the completion of the Gap Assessment phase, the client receives an action tracker list from the QSA. The client must remediate or mitigate the gaps found in the application during the gap assessment, as set out in the action tracker.
SISA assists the client with offsite consulting support for the closure of gaps in order to achieve Software Security Framework (SSF) validation.
Phase 4 – Certification and Listing
The fourth phase includes the final audit and, after successful review and validation, the sharing of the Software Security Framework (SSF) compliance review report (Report on Validation) with the PCI SSC for the application listing.
SISA handholds you through the entire process, identifying and supporting you to mitigate all the vulnerabilities in the payment application so that it becomes fully PCI SSF compliant and you get certified quickly and easily, in keeping with SISA's philosophy of True Security.
With over a decade of experience in the payment security space, SISA brings a rare depth of understanding and acts as a trusted partner to over 2000 customers in 40+ countries, securing their network and technology infrastructure in order to secure cardholder data.
SISA has provided cutting-edge compliance services to a diverse range of industries and domains, including banks, ITES, insurance, e-commerce, payment service providers, telecommunications, airlines, and retail companies.
Contact us today to learn more about the PCI Software Security Framework and implement effective security for your applications.