The Payment Card Industry (PCI) is updating its standards, replacing the Payment Application Data Security Standard (PA-DSS) with the all-new Software Security Framework (SSF). Meant to bolster data security and better serve merchants and consumers alike, the PCI SSF will replace PA-DSS in its entirety. But what can we expect from the new PCI Software Security Framework?
Introducing the SSF
Most industries have an established set of standards to protect employees, the general public, and individual organizations. For software developers in the retail space, the PCI, composed of the five major credit card providers, oversees these regulations. While most of the focus has remained on PA-DSS for over a decade, PA-DSS will be retired in October 2022.
The new PCI Software Security Framework will become the primary compliance framework for payment application developers and software vendors in place of the PA-DSS.
To prepare for the upcoming transition, you’ll need to know:
- How does the SSF compare to the PA-DSS?
- What new standards are introduced?
- What is the timeline for SSF implementation?
Partnering with a PCI compliance expert will help streamline your navigation of the new framework’s implementation.
Comparing PA-DSS and the New PCI Software Security Framework
PA-DSS was officially launched in 2008, and most developers are already familiar with the regulations it contains. As the PCI’s newest standard, first introduced in 2019, the SSF promises even more significant data security and consumer protection.
The PCI’s PA-DSS is aimed specifically at payment application developers and software vendors. It provides an extensive list of 14 specific protections that must be met to achieve compliance.
All of these protections revolve around safeguarding cardholder data (CHD) and personally identifiable information (PII), defending network infrastructure from cyberattacks, testing software for vulnerabilities, and educating staff, customers, resellers, and end-users.
PA-DSS remains active until October 2022, when support for it officially ends and the PCI Software Security Framework replaces it.
Introduced and published in January 2019, the PCI Software Security Framework is a total replacement for PA-DSS. Although it includes many elements from PA-DSS and builds on many of the components of its predecessor, the PCI considers the SSF a wholly separate and independent set of regulations.
The SSF’s ultimate goal is to further standardize the payment software development process, strengthen security mechanisms, and provide a more user-friendly experience for everyone. It adds to the regulations first established in PA-DSS by:
- Increasing data and software security resiliency across the board
- Supporting a broader range of payment software
- Making it easier for developers to implement next-gen payment application security
- Providing greater customization of software without jeopardizing data security
- Adding enhanced transparency and visibility during software testing phases
- Promoting new development and programming methodologies
- Maintaining official listings of approved software and qualified vendors
Additionally, the SSF introduces two brand new components: the Secure Software Standard and the Secure Software Lifecycle Standard. The former is focused specifically on payment software.
The Secure Software Standard and the Secure SLC Standard
Designed to ensure robust data and consumer protection, the PCI Software Security Framework incorporates two different standards into its design. Although they’re primarily focused on payment application software, they also apply to supplementary applications that are included with the original payment software—even if they don’t store or process confidential data.
Secure Software Standard
This standard is designed to protect consumer confidentiality and data integrity during every payment transaction. In many ways, it closely mirrors the contents of PA-DSS. For a software vendor to pass this assessment, it must undergo a complete examination as well as several interim, or “delta,” assessments.
Secure Software Lifecycle Standard
While the Secure Software Standard pertains to individual transactions, the Secure Software Lifecycle (Secure SLC) Standard ensures that vendors manage data security from design and development to “end-of-life.”
Secure SLC assessments are optional for software developers and vendors who wish to comply with the PCI Software Security Framework. Assessments are valid for a period of three years before re-assessment is required.
Following the SSF Transition Timeline
To make the process easier on everyone involved and to minimize any potential service disruptions or loss of business, the new PCI Software Security Framework includes a transition timeline for developers, vendors, and retailers.
The timeline concludes with the PA-DSS’ retirement in October 2022:
- January 2019 – The PCI Software Security Framework was introduced to the general public.
- June 2019 – The first documents related to the SSF were published online.
- October 2019 – Applications to become a qualified SSF Assessor were made available to organizations.
- February 2020 – The first round of SSF Assessor training began.
- July 2020 – The first Secure SLC listing was published.
- January 2021 – The first Secure Software listing was published.
- June 2021 – New PA-DSS submissions are no longer being accepted.
- October 2022 – The traditional PA-DSS program officially closes.
Transitioning to PCI SSF
With a closing date of October 2022, PA-DSS will soon be outdated and obsolete. Payment application developers and software vendors currently subject to PA-DSS must transition to the PCI SSF.
If you want to get a head start on the new PCI Software Security Framework, or if you have any questions regarding your transition from PA-DSS to the SSF, contact RSI Security today.