The Payment Card Industry Software Security Framework (SSF) is a collection of Software Security Standards and validation programs that were developed by PCI SSC to ensure secure design, development, and maintenance of software in the payment industry and environment.
The framework applies to any type of payment software submitted by a software vendor for validation under the PCI Software Security Framework, regardless of the software's functionality or its underlying technology. The framework focuses on security practices that support both traditional and modern methods of application security and development. It is built on fundamental security principles and objectives that support the design and development of secure software, regardless of the type of software or the industry in which it is used.
The PCI SSF standard has 4 security objectives, each of which comprises a set of security control requirements. Below we explain each objective and the security controls of the PCI SSF Framework in detail.
Security Objective: Minimizing the Attack Surface
The objective of the PCI SSF framework is to minimize risk by implementing security controls that protect the integrity and confidentiality of sensitive data stored, processed, or transmitted in association with payment transactions. The security control objectives include:
- Identifying Critical Assets
- Secure Defaults
- Sensitive Data Retention
Security Objective: Software Protection Mechanisms
The PCI SSF Secure Software Standard aims to ensure that the software application, as designed and developed, is secure for payment transactions. To achieve this, the standard requires the implementation of security controls. The security control objectives for software protection mechanisms include:
- Protecting the Critical Asset
- Implementing Authentication and Access Control
- Sensitive Data Protection
- Use of Cryptography
Security Objective: Secure Software Operations
The framework is designed to ensure that the software applications developed protect the sensitive data stored, processed, or transmitted through the payment application. This requires the implementation of the necessary security controls. The security control objectives of Secure Software Operations include:
- Tracking of Activities
- Quick Detection of Attacks
Security Objective: Secure Software Lifecycle Management
The Secure SLC Standard requires payment software vendors to integrate security throughout the entire software lifecycle, ensuring that the software is secure by design, withstands attacks, and facilitates secure payment transactions. The security control objectives of Secure Software Lifecycle Management are:
- Threat and Vulnerability Management
- Regular Secure Software Updates
- Vendor Security
In addition to these objectives, the standard defines specific security modules, of which the one currently established is:
Module A – Account Data Protection 2
This module is designed to ensure the security of sensitive account and payment data, which includes protecting Sensitive Authentication Data and Cardholder Data.
Conclusion
Vendors looking to validate against either of the two PCI SSF programs, the Secure Software Standard (SSS) or the Secure SLC Standard, will have to provide documentation and process evidence showing the measures taken to mitigate risk. The PCI SSC recognized the need for an objective, risk-focused security standard for modern software development, which is why the PCI SSF framework was designed accordingly. Vendors looking to validate their applications will need to understand each of the programs and know against which program they need to validate their software.
Consulting a professional assessor at this point will help you attain your goals and set you in the right direction. Qualified PCI SSF security assessors like us at VISTA InfoSec can guide you through the compliance journey. Being a PCI SSC qualified PCI SSF Assessor, we have the knowledge and experience to help clients achieve compliance.
Our assessors have been through a rigorous assessment and training process, after which they are qualified to offer services that validate and certify the effectiveness of software and application development vendor solutions against PCI SSF compliance. So, for any guidance or assistance on software and application validation against PCI SSF, you can reach out to us by dropping us a mail at info[@]vistainfosec.com