There are four pillars to successful and efficient preparation for PCI SSF compliance:
- Understanding the scope of the SSF, including both component frameworks
- Meeting the requirements of the Secure Software Standard
- Implementing the Secure Software Lifecycle framework
- Conducting an assessment for validation with a PCI-listed assessor
Understand the Scope of the SSF
The Payment Card Industry (PCI) Software Security Framework (SSF) is a new regulation that replaced the now-defunct Payment Application Data Security Standard (PA-DSS). Governed by the PCI’s Security Standards Council (SSC), the SSF aims to guarantee security and privacy across payment apps by protecting the software itself and the processes by which it’s made.
The SSF comprises two parts: the Secure Software and Secure Software Lifecycle Standards.
The Secure Software Standard is primarily concerned with the payment software itself. It governs things like default settings and configurations that keep sensitive payment data safe. The Secure Software Lifecycle (Secure SLC or SSLC) Standard focuses on the conditions under which payment software is developed. It prescribes protections for that IT environment.
Depending on your organization’s relationship to payment software, one or both parts of the SSF may apply. That means you may need to implement two distinct suites of controls and undergo a separate assessment to verify compliance with each part. Other frameworks from the PCI, such as the Data Security Standard (DSS), may also apply.
Meet PCI Secure Software Standard Requirements
If the Secure Software Standard applies to your organization, you’ll need to implement its control schema. If it does not apply, it’s still worth understanding its scope for future reference.
The 12 Control Objectives are distributed across four categories of requirements:
- Requirements for minimizing the attack surface:
  - Control Objective 1: Identifying critical assets
  - Control Objective 2: Implementing secure defaults
  - Control Objective 3: Retaining sensitive data securely
- Required software protection mechanisms:
  - Control Objective 4: Protecting defined critical assets
  - Control Objective 5: Controlling authentication and access
  - Control Objective 6: Protecting retained sensitive data
  - Control Objective 7: Utilizing strong cryptography
- Requirements for secure software operations:
  - Control Objective 8: Tracking activity
  - Control Objective 9: Detecting attacks
- Requirements for secure software lifecycle management:
  - Control Objective 10: Managing threats and vulnerabilities
  - Control Objective 11: Ensuring security updates are installed
  - Control Objective 12: Providing vendor implementation guidance
Beyond these baseline controls shared by all eligible organizations, the Standard also includes three Modules with additional controls that apply to specific kinds of software (and to the organizations that develop, vend, or manage them). One or more of these Modules may apply alongside the base 12 Control Objectives, so the exact implementation and assessment process varies from one organization to another.
Implement PCI Secure SLC Controls
If the SSLC applies, you’ll implement its Controls. As with the Secure Software Standard, it may be worth perusing these to understand their scope even if this part of the SSF doesn’t apply.
The SSLC comprises 10 Control Objectives, also distributed across four categories:
- Requirements for software security governance:
  - Control Objective 1: Designate security responsibilities and resources
  - Control Objective 2: Disseminate software security policies and strategies
- Requirements for secure software engineering:
  - Control Objective 3: Implement threat identification and mitigation
  - Control Objective 4: Implement vulnerability detection and mitigation
- Requirements for secure software and data management:
  - Control Objective 5: Monitor and manage changes across systems
  - Control Objective 6: Implement protections for software integrity
  - Control Objective 7: Implement protections for sensitive data
- Requirements for security communications:
  - Control Objective 8: Provide implementation guidance for vendors
  - Control Objective 9: Ensure stakeholder communication infrastructure
  - Control Objective 10: Ensure timely communication regarding updates
Unlike the Secure Software Standard, the SSLC has no additional modules that apply only to select organizational settings. Instead, all eligible organizations implement and are assessed against the same set of Control Objectives.
Conduct PCI SSF Assessments
Assessments for Secure Software Standard and/or Secure SLC Standard compliance are conducted by PCI-listed third-party assessors. Organizations can search the listings on the SSC’s website or consult with their existing compliance advisor to determine the best fit. The assessor organization will monitor all systems related to the maintenance and production of payment software and generate a Report on Validation (ROV) to confirm that all applicable Control Objectives are met. The organization must also sign an Attestation of Validation (AOV).
In the lead-up to the official validation assessment, organizations may also choose to work with an assessor or advisor on gap and readiness assessments to gain greater confidence that they will pass.
Another consideration is streamlining SSF processes with other PCI compliance implementation and verification. Although both parts of the SSF are distinct from the DSS, they draw on similar principles. If your organization is preparing for DSS 4.0 compliance, you should look for ways to leverage the same resources—i.e., controls and assessors—for compliance across both rulesets.
Streamline Your SSF Compliance Today
If your organization was subject to the PA-DSS before it was abandoned in favor of the SSF, there’s a good chance that one or both of the Secure Software Standard and SSLC apply to you. If that’s the case, preparing for implementation means understanding the scope of both, deploying required controls, and identifying an assessment partner for your validation report.
RSI Security has helped countless organizations comply with PCI regulations, including the DSS and PA-DSS. We’re now committed to helping organizations like yours prepare for the future of SSF compliance. We believe the right way is the only way to keep your data safe.
To learn more about PCI Secure Software compliance requirements and processes, along with how working with a qualified advisor or assessor can streamline them, get in touch today!