PCI Software Security Framework (SSF)
The PCI SSF is aimed at companies developing software that processes card data from the international payment systems American Express, Discover, JCB, MasterCard and Visa. Web shop software, payment solutions or customer management systems are examples of software products that can be certified according to PCI SSF. The aim of the PCI SSF is to support software manufacturers in the development of secure applications and the protection of sensitive data (e.g. credit card data).
With a PCI SSF certification, you as a software manufacturer support your customers in implementing PCI DSS. This benefits not only your customers but also you, because the inspection by an independent third party and the resulting certificate strengthen the trust in your product.
The PCI SSF consists of two standards, the Secure Software Standard and the Secure Software Lifecycle (Secure SLC) Standard.
The Secure Software Standard contains requirements for the software product and enables listing as “Validated Payment Software” on the PCI SSC website. This supersedes the listing according to the retired PA-DSS Standard.
The Secure SLC Standard contains requirements for the development process and enables listing the vendor as a “Secure SLC Qualified Vendor”. This allows self-attesting delta changes to software listed as Validated Payment Software.
Services of SRC
SRC supports and advises software manufacturers in implementing the requirements of the PCI SSF for software products, e.g. by means of an introductory workshop. The workshop has two aims: to provide a clear understanding of the PCI SSF requirements and their interpretation, and to gain a comprehensive overview of the software, its architecture, the development process and the implemented or planned security measures. The procedure for carrying out the software assessment and the upcoming work steps are also coordinated within this workshop.
Secure Software Assessment
SRC performs a software assessment based on the requirements of the PCI Secure Software Standard. The basis of the analysis is the document “Payment Card Industry (PCI) Software Security Framework — Secure Software Requirements and Assessment Procedures”, which describes the requirements for software with regard to the PCI Secure Software Standard.
As part of the validation, SRC checks to what extent the requirements listed in that document are fulfilled and implemented by the product.
SRC will perform the validation step by step as follows:
- Pre-analysis and review of manufacturer documents
- Software validation
- On-site analysis/interviews
- Creating the report
After the PCI SSC has positively validated the results of the PCI Secure Software assessment, the software or product is included in the “List of Validated Payment Software”.
Assessments according to the Secure SLC Standard are currently not offered by SRC.