Finding the right Secure SLC Assessor comes down to looking for four critical factors:
- Assessors must be qualified by the PCI SSC to validate your compliance
- Assessors should provide comprehensive knowledge & preparatory assistance
- Assessors should help you address the other frameworks and regulations you must comply with
- Assessors must be flexible and accommodate your current IT deployment
Factor #1: Capacity for Official Certification
First and most importantly, you need to find a Secure Software Lifecycle (Secure SLC or SSLC) assessor who can perform an official assessment for validation. The PCI Security Standards Council (PCI SSC), which governs the Secure SLC Standard and the other PCI standards, qualifies the assessor companies that can provide third-party validation and publishes a list of Secure SLC Assessors you can choose from to assist in your compliance process.
In practice, you engage a qualified assessor, who examines your software development lifecycle processes, policies, and supporting evidence against the requirements of the Secure SLC Standard (summarized below). If the assessment is satisfactory, the assessor completes a Report on Compliance (ROC), accompanied by an Attestation of Compliance (AOC) signed by both the assessor and your organization. PCI SSC then reviews the submission before listing your organization as a Secure SLC Qualified Vendor.
Note that being listed as an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) does not by itself qualify a company to perform Secure SLC assessments; Secure SLC Assessor is a separate qualification with its own PCI SSC listing. Some ASVs and QSAs also hold it, but confirm that any candidate appears on that list before engaging them.
Factor #2: Comprehensive Preparatory Assistance
Critically, achieving PCI Secure SLC compliance requires more than a single assessment. You also need to have all of the framework’s controls in place and functioning as expected so that you pass your assessment, ideally on the first try. To that end, you should consider seeking out an advisor who can assist with planning, implementing, and maintaining the required controls.
Specifically, your implementation needs to cover the Secure SLC Standard’s 10 Control Objectives:
- Control Objective 1 – Assign Security Resources and Responsibilities
- Control Objective 2 – Define Software Security Strategies and Policies
- Control Objective 3 – Implement Threat Identification and Mitigation
- Control Objective 4 – Implement Vulnerability Detection and Mitigation
- Control Objective 5 – Manage Changes Systematically
- Control Objective 6 – Protect Software Integrity
- Control Objective 7 – Safeguard Sensitive Data
- Control Objective 8 – Provide Vendor Implementation Guidance
- Control Objective 9 – Maintain Stakeholder Communications
- Control Objective 10 – Provide Information on Software Updates
Quality assessors and advisors offer services such as gap assessments—which illustrate what changes need to be made before an assessment—and deployment assistance to fulfill them.
Factor #3: Coverage for Other Regulatory Needs
PCI Secure SLC is not the only regulatory framework facing most eligible organizations. In fact, the Secure SLC Standard is only one half of PCI SSC’s Software Security Framework (SSF). The other half, the Secure Software Standard, applies to the payment software product itself rather than to the vendor’s development processes, and focuses on how the software is designed and built to protect payment data. In many cases, organizations will be subject to both parts of the SSF, along with other frameworks. Among the PCI standards alone, there is also the Data Security Standard (DSS), which applies to most organizations that process payments or otherwise come into contact with cardholder data (CHD).
And, outside of the PCI, there are many other regulations that could apply to your organization.
For example, if you operate within healthcare or adjacent to it, or provide services to clients who do, you may be a covered entity (or a business associate of one) subject to the Health Insurance Portability and Accountability Act (HIPAA). At the same time, if you process the personal data of residents of jurisdictions with privacy laws, you may be subject to rulesets like the California Consumer Privacy Act (CCPA) or the European Union’s General Data Protection Regulation (GDPR).
You should seek out an advisor who can help you assess for and achieve compliance across a wide variety of regulations with minimal duplicated effort, mapping overlapping requirements to shared controls and consolidating audits where the frameworks allow it.
Factor #4: Accommodations for Your IT Environment
Beyond flexibility for your specific regulatory context, you should also seek out an assessor who can meet the specific needs of your broader IT and security environment. For example, newer and smaller organizations with less developed cybersecurity infrastructure may benefit from a more comprehensive suite of advisory and implementation services, not limited to a final official assessment. But larger organizations with more mature infrastructure, such as those that previously validated under the now-retired PA-DSS program, may prefer more focused assessment and reporting assistance.
The specific kinds of data your organization processes and the risk factors present in your environment both complicate PCI Secure SLC and other assessment processes. A quality advisor strategizes through and around these potential issues with you. They can help you build broader threat and vulnerability management programs that address Control Objectives 3 and 4 above while also strengthening your overall security posture. A holistic approach is often best.
Rethink Your PCI SSLC Assessment Process
Ultimately, selecting an SSLC advisor is about finding a service provider who understands your needs and means. You want a qualified partner who’ll help you assess and report but also govern and manage controls—all while accounting for your broader security context.
At RSI Security, we believe that discipline now unlocks freedom and flexibility to grow later. We’ll help you to strategize, implement, and assess controls to achieve and maintain PCI compliance.
To learn more about our Secure Software Lifecycle Assessor services, contact us today!