PSC provides validation services for organizations that wish to comply with the PCI Software Security Framework.
Two standards make up the PCI Software Security Framework (SSF). They combine the best features of the legacy Payment Application Data Security Standard (PA-DSS) with real-world development methodologies, resulting in an effective compliance standard. Companies that design, develop and deploy payment application software can validate against either or both of these standards:
Secure Software Life Cycle (Secure SLC) describes a baseline of requirements for the design, development and maintenance practices a vendor uses to build and deploy secure software.
Secure Software Standard (SSS) covers requirements for the actual design and development of payment applications sold or licensed to other companies. This new, more efficient set of requirements replaces the old PA-DSS.
The PA-DSS is one large standard with 14 major requirement areas aligned with version 3.2.1 of the PCI Data Security Standard. Over time, advances in software frameworks and computing technology made it difficult for modern development organizations to comply with the "legacy" PA-DSS.
The "objective-based" approach means one size does not fit all: software vendors can use a risk assessment strategy to fit their solution to each security control objective.
The objective-based requirements of the Software Security Framework comprise a set of modular standards, giving software vendors several options and advantages.
The new standard is designed to allow software developers more flexibility and to operate more in line with the way software applications are actually designed, specifically in the early application life cycle stages, where changes can be frequent. This chart illustrates the architecture of the SSF.
For companies that develop, license, and deploy software into the payments industry, there are several advantages to being listed as an SLC Vendor on the PCI Security Standards Council list of approved solutions.
If your company designs, builds, licenses, and deploys payment software for use by other companies, there are several reasons to begin work now to validate: