In response to questions we’ve received regarding the PCI Software Security Framework (PCI SSF), we’ve compiled the following answers to clarify the PCI Council’s newest standards.
Does the PCI SSF apply to me?
The PCI SSF is currently composed of two standards:
1. Secure Software Standard (SSS)
2. Secure Software Lifecycle Standard (SSLC)
The SSS applies to payment software that is sold, distributed, or licensed to third parties. This includes software installed on customer systems and software deployed to customers over the internet. This does not include software applications that a company develops for its own use. Nor does this include software applications that are sold to an individual customer for this specific customer’s use.
The SSLC Standard applies to vendors that develop payment software. A vendor that validates its software lifecycle management practices under the SSLC will be listed on the PCI Council’s website as a SSLC-Qualified Payment Software Vendor.
What’s the difference between PCI SSF and PA-DSS?
Although the PCI SSF includes some components of PA-DSS, the PCI SSF is separate and distinct from PA-DSS. In developing the PCI SSF, the PCI Council and industry experts aimed for a new approach in which existing and future payment applications are developed. The goal was to examine payment applications beyond the PCI DSS environment and to focus on overall software security.
Will PA-DSS be replaced by PCI SSF?
Yes. The PA-DSS program will eventually be integrated into the PCI SSF. There is a three-year transition window beginning in mid-2019 which is when the PCI SSF is expected to launch. All PA-DSS validated payment applications will continue to be governed by the PA-DSS standard until the applications reach their expiration date (2022 for applications validated to PA-DSS v 3.2). When expired, PA-DSS validated applications will be moved to the list of “Acceptable Only for Pre-Existing Deployments.” Any updates to the applications must then be assessed under the PCI SSF.
If I validate under the PCI SSF, will I then be automatically validated under other PCI standards?
No. Validation under the PCI SSF does not mean that an application is automatically validated to other PCI standards. Although some elements of PA-DSS exist within the PCI SSF, the two standards are different. Validation to one standard does not imply validation to the other standard.
Should I continue using PA-DSS or wait for the PCI SSF?
If your application is currently validated under PA-DSS, please continue to submit any changes via the PA-DSS program. If you have initiated a PA-DSS assessment for a new payment application, please complete that PA-DSS assessment. The PCI Council will accept new PA-DSS validations through mid-2020, and these applications will be valid through late 2022. PCI SSF assessments are expected to begin in late 2019, and validations will have about the same 2022 expiration date as PA-DSS validations.
