PCI Software Security Framework (SSF)

The PCI SSF is aimed at companies devel­oping software that processes card data from the inter­na­tional payment systems American Express, Discover, JCB, MasterCard and Visa. Web shop software, payment solutions or customer management systems are examples of software products that can be certified according to PCI SSF. The aim of the PCI SSF is to support software manufac­turers in the devel­opment of secure appli­ca­tions and the protection of sensitive data (e.g. credit card data).

With a PCI SSF certi­fi­cation, you as a software manufac­turer support your customers in imple­menting PCI DSS. This will benefit not only your customers but also you, as you will strengthen the trust in your product with the inspection by an independent third party and the certificate.

The PCI SSF consists of two standards, the Secure Software Standard and the Secure Software Lifecycle (Secure SLC) Standard.

The Secure Software Standard contains require­ments for the software product and enables listing as “Validated Payment Software” on the PCI SSC website. This super­sedes the listing according to the retired PA-DSS Standard.

The Secure SLC Standard contains require­ments for the devel­opment process and enables listing the vendor as a “Secure SLC Qualified Vendor”. This allows self-attesting delta changes to software listed as Validated Payment Software.

Services of SRC

SSF Workshop

SRC supports and advises software manufac­turers in imple­menting the require­ments of the PCI SSF for software products, e.g. by means of an intro­ductory workshop. The aim of the workshop is to provide a clear under­standing of the require­ments of PCI SSF and its inter­pre­ta­tions on the one hand and to gain a compre­hensive overview of the software, the software archi­tecture, the devel­opment process and the imple­mented or planned security measures on the other hand. The procedure for carrying out the software assessment as well as the upcoming work steps will also be coordi­nated within the framework of this workshop.

Secure Software Assessment

SRC performs a software assessment based on the require­ments of the PCI Secure Software Standard. The basis of the analysis is the document “Payment Card Industry (PCI) Software Security Framework — Secure Software Require­ments and Assessment Proce­dures”, which describes the require­ments for software with regard to the PCI Secure Software Standard.
As part of validation, SRC checks to what extent the require­ments listed in the document are fulfilled and imple­mented by the product.
SRC will perform the validation step by step as follows:

• Pre-analysis and review of manufac­turer documents
• Software validation
• On-site analysis/interviews
• Creating the report

After a positive validation of the PCI Secure Software assessment results by the PCI SSC, the software or product is included in the “List of validated payment software”.
Assess­ments according to the Secure SLC Standard are currently not offered by SRC.