The PCI Software Security Framework (PCI SSF) is aimed at companies that develop software that processes card data of the international payment systems American Express, Discover, JCB, MasterCard and Visa. Web store software, payment solutions and customer management systems are examples of software products that can be certified according to the PCI SSF. The goal of the PCI SSF is to support software vendors in developing secure applications and in protecting sensitive data (e.g. credit card data).
With a PCI SSF certification, you as a software manufacturer support your customers in their implementation of PCI DSS. This benefits not only your customers but you as well, since the assessment by an independent third party and the resulting certificate strengthen confidence in your product.
The PCI SSF consists of two standards, the Secure Software Standard and the Secure Software Lifecycle (Secure SLC) Standard.
The Secure Software Standard sets requirements for the software product and enables listing as “Validated Payment Software” on the PCI SSC website. This replaces the listing under the PA-DSS standard, which is no longer available.
The Secure SLC Standard imposes requirements on the development process and enables the manufacturer to be listed as a "Secure SLC Qualified Vendor". Within a limited scope, this allows the vendor to make changes to its listed software itself, without involving an external assessor.
SRC services
SSF Workshop
SRC supports and advises software manufacturers in implementing the requirements of the PCI SSF in their software products, for example by means of an introductory workshop. The goal of the workshop is, on the one hand, to provide a clear understanding of the PCI SSF requirements and their interpretation and, on the other hand, to gain a comprehensive overview of the software, its architecture, the development process, and the security measures already implemented or planned. The procedure for conducting the assessment and the upcoming work steps are also agreed during this workshop.
Secure Software Assessment
SRC performs the assessment based on the requirements of the PCI Secure Software Standard. The examination follows the document "Payment Card Industry (PCI) Software Security Framework – Secure Software Requirements and Assessment Procedures", which describes the requirements placed on software by the PCI Secure Software Standard and the procedures for assessing them.
As part of the validation, SRC checks the extent to which the requirements listed in this document are fulfilled and implemented by the product.
SRC will carry out the validation step by step as follows:
- Pre-analysis and review of manufacturer documents
- Software validation
- On-site analysis/interviews
- Report creation
Once the PCI SSC has reviewed the results of the PCI Secure Software Assessment and accepted them, the software or product is included in the "List of Validated Payment Software" published on the Internet.
SRC does not currently offer checks in accordance with the Secure SLC standard.