Transition from PA DSS TO PCI SSF

The Payment Application Data Security Standard (PA-DSS) was launched in 2008 to guide software vendors in developing secure payment applications for merchants and service providers. It was established and designed for all software development vendors creating applications that store, process, or transmit cardholder data and/or sensitive authentication data.

Recently, the Payment Card Industry Security Standards Council introduced a new framework to improve the security standards of applications that accept payments. With the implementation of the new standard, PA-DSS will gradually be phased out by 2022. Below we share some tips for organizations looking to achieve a smooth transition from PA DSS to PCI SSF. But before that, let us first understand the PCI SSF standard.

What Is PCI SSF?

The PCI Software Security Framework is a new application security standard created to secure the design and development of payment application software. It is an initiative by the PCI Council to improve the security standards of payment applications and to give customers safe and reliable online payment transactions. Adapting to the evolving security and threat landscape, the standard was built to guide software development vendors in creating secure applications by adopting best practices.

The new framework supports application design and development practices with a modern approach while still supporting traditional payment software. It further helps vendors build and maintain payment software that protects payment transactions and sensitive data and reduces overall exposure to threats and vulnerabilities. Following the new standard validates the software's security and promotes robust development practices in the industry, which in turn helps set a strong security defense against modern threats.

Objective of Introducing the new PCI Software Security Framework

The PCI Software Security Framework combines traditional and modern software security requirements and supports new technologies, software types, and development methodologies. Further, by adapting to the evolving threat landscape, the new standard helps vendors build a strong defense against new threats. The framework was developed to focus on security practices that support both the traditional methods of good application security and the latest development practices.

What organizations need to know about the transition from PA-DSS to PCI SSF

PCI SSF replaces PA-DSS with new requirements that support a variety of payment software types, technologies, and development techniques. However, even though PA-DSS is set to phase out in October 2022, it is important to note that the new standard will not affect currently deployed payment applications within the PCI environment. In the interim period, to avoid disruption and ease the transition for organizations, PA-DSS will remain available and fully supported. The timeline below, set by the PCI Council, should give organizations a perspective on how PA-DSS will eventually phase out in October 2022.

Here are some other important points listed by the Council that organizations must know and keep in mind before taking any decisions:

  • Existing PA-DSS validated applications will remain on the list of Validated Payment Applications until their expiry dates.
  • As per the normal process, vendors can submit changes to these applications until the end of October 2022. At that time, PA-DSS validated payment applications will be moved to the “Acceptable Only for Pre-Existing Deployments” tab on the list of Validated Payment Applications, and the PA-DSS Program will expire.
  • Submissions of new payment applications for PA-DSS validation will be accepted until the end of this month, 30 June 2021, and their validation will expire at the end of October 2022.
  • Once SSF Assessors are qualified and listed on the PCI SSC website, vendors can begin the validation process for their Software Lifecycle Management practices and payment software.
  • PCI SSC will list both Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website.
  • Payment software that is validated as meeting the Secure Software Standard will be recognized on the PCI SSC List of Validated Payment Software. The list will replace the current list of Validated Payment Applications when PA-DSS expires at the end of October 2022. 
  • The SSF also includes a PCI SSC List of Secure SLC Qualified Vendors, which identifies payment software vendors whose software lifecycle development practices have been evaluated by a Secure SLC Assessor and validated as meeting the Secure SLC Standard.

Keeping all of this in mind, here are the steps organizations should take to ensure a smooth transition from PA DSS to PCI SSF.

How can PCI SSC stakeholders prepare for this transition?

  • Understand PCI SSF framework

Organizations need to understand the nuances of the new framework in order to take measures accordingly. Understanding how the new framework works and how it may impact your business will help your organization take the necessary steps and restructure your business operations and related activities. So, we strongly recommend that organizations read the PCI Council guide thoroughly before taking any decisions or actions pertaining to the PCI SSF transition.

  • Conduct a Gap Analysis 

The next obvious step we expect organizations to undertake is a gap analysis to understand where they stand against the new PCI SSF requirements. This will give the organization a clear direction for implementing measures or reworking their processes, policies, and procedures as required by the PCI SSF Standard.

  • Understand the Difference between PCI SLC and PCI SSF

The PCI Software Security Framework consists of two different and independent programs, each of which has its own standard requirements, validation criteria, and SSC listing. The two programs are the Secure Software Lifecycle Program (SSL) and the Secure Software Standard (SSS).

The two programs focus on different aspects of software security. Understanding the difference is crucial for vendors, so that they can validate how they manage the security of payment software during development and when implementing the security requirements and procedures that apply to their business. In this way an organization may be validated under SSL and, separately, under SSS for payment software developed according to the software eligibility criteria. To learn more about the difference between the Secure Software Lifecycle Program (SSL) and the Secure Software Standard (SSS) and their applicability, you can read our blog here.

  • Contact an Experienced Professional

Organizations should contact an experienced professional for technical guidance and for preparing for the transition phase slated for 2022. As experienced professionals in the industry, they will be in a better position to understand the new guidelines and help organizations translate the requirements into PCI SSF compliance.

We at VISTA InfoSec are well equipped to help and guide organizations in executing these measures and ensuring a smooth transition. Our team of experts can help organizations identify and fill gaps against the PCI SSF standard requirements.

  • Keep a tab on the latest updates on PCI SSF by the PCI Council 

It goes without saying that organizations must regularly keep a tab on any announcements or updates made by the PCI Council on PCI SSF. This ensures the organization is fully equipped and prepared to update its policies, procedures, and processes to comply with the PCI SSF Standard by October 2022.

Conclusion 

Organizations may feel unsure about the transition from PA DSS to PCI SSF and may find it challenging. But if they follow the guidelines appropriately, the transition phase should have little impact on their compliance efforts. In fact, PCI SSF was designed to support software vendors and give them the flexibility to design and develop payment application security according to industry best practices and standards.

Moreover, the PCI Council has taken all the necessary measures to ensure a smooth transition by keeping the PA-DSS and PCI SSF programs running in parallel until the expiry date. So, we strongly recommend that organizations not panic and simply embrace the move towards PCI SSF while consulting with professionals to ensure a successful transition.

For any queries or guidance on PCI SSF and the steps to initiate the transition from PA DSS to PCI SSF, you can contact our experts at VISTA InfoSec. Our team will be more than happy to be part of your compliance journey and make it an easy process for you. 

Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.