Everything you need to know about PCI SSF Secure Software Lifecycle (SSLC)

Published on : 17 Aug 2021


The PCI Secure Software Lifecycle Standard is one of the two programs which is also a part of the PCI Software Security Framework (“SSF”) introduced by the PCI Council. The standard provides security requirements and assessment procedures for software vendors to meet for integrating their software development lifecycles.

This ensures and further validates that the secure lifecycle management practices are well established by the vendors. It is a Standard that plays a key role in promoting secure software development processes and methodologies when developing the payment application. The Secure SLC is the first of the kind PCI standard that focuses on the vendor’s software development process and not the payment application itself. The aim of developing this standard was to ensure the implementation of payment application security principles at an early stage of the application development process.

The standard offers security guidelines for implementation with the current industry best Software Development Lifecycle practices covering more about the standard, we have in today’s article shared in detail about the Secure Software Lifecycle Standard, its Assessment and Compliance process. 

Version 1.1- PCI Secure Software Lifecycle Standard

PCI SLC is designed to support a wide range of technologies, payment software types, and development methodologies in comparison to the previous PA-DSS standard. This fairly new standard which is set to be enforced in 2022 addresses the key security principles such as Governance, Threat Identification, Vulnerability Detection and Mitigation, Security Testing, Change Management, Secure Software updates, to name a few. Further, in the recent release of version 1.1 of PCI SSLC, the program expanded the eligibility criteria beyond the payment software vendors.

So, currently as per the revised eligibility criteria it includes software vendors who develop software applications and other related components for the payment card industry. With this, it facilitates a wider vendor adoption and participation in the PCI Secure SLC where vendors can leverage the Secure SLC qualification to their credibility. Understanding more about the program let us now move on to learning about the assessment of secure SLC Assessment. 

Secure SLC Assessments

Secure SLC Assessments are performed by Secure SLC Assessor Companies Qualified by the PCI Council. The Secure SLC Assessment process involves a complete analysis of the Vendor’s Secure SLC processes. The assessment is carried out to validate whether the vendor can meet all the requirements outlined by the PCI Council for complying with PCI Secure SLC Standard. Here is an overview of the process for initiating and completing a Secure SLC Assessment. 

  • Firstly the software vendor has to initiate the process of shortlisting a Secure SLC Assessor Company from the PCI Council website to conduct the assessment. 
  • Once shortlisted and agreed upon, the Secure SLC Assessor Company together with the Vendor determines the scope of the Assessment. 
  • The Secure SLC Assessor validates the Vendor’s Secure SLC processes, including planning, development, testing, implementation, maintenance, patching, etc. This is to determine whether or not the Vendor meets the requirements of the PCI Secure SLC Standard. 
  •  The Assessor then prepares a corresponding Report on Compliance (ROC) including all test results, opinions, and conclusions along with an Attestation of Compliance (AOC) if the results were found to meet all the requirements. Thereafter the documents will be submitted to PCI SSC for review. 
  • PCI SSC issues an invoice for the review of the submission to the vendor and the invoice must be paid in full before PCI SSC will commence the submission review process
  • PCI SSC reviews the ROC, all test results, Vendor evidence, Assessor opinions, and conclusions to confirm testing was performed satisfactorily and that the requirements meet the PCI Secure SLC Standard. 
  •  Subject to successful completion of the submission review process and final acceptance and approval of the Secure SLC Assessment ROC by PCI SSC, the Council will add a listing identifying the Vendor to the List of Secure SLC Qualified Vendors on their Website. 
  • Each Listing is valid for a period of three years as long as the Vendor continues to meet all Secure SLC Program requirements and remains compliant. 


PCI SSF coming into effect in 2022, software vendors will now have to prepare for not just the grueling transition from PA DSS Standards to PCI SSF but also ensure they meet the requirements of the PCI SSF program Secure Software Lifecycle as applicable. The PCI Council strongly recommends vendors to approach qualified PCI SSF Assessors listed on their website for guidance and assessment in the transition and compliance process.  Selecting the right assessor for your PCI SSF assessment is crucial.

That said, VISTA InfoSec is a global cybersecurity consulting firm having the industry experience of nearly 16+. Being a qualified PCI QSA, PCI QPA & PCI SSFA, we hold a good line of expertise and experience in this field. Vendors looking for assistance in the PA DSS to PCI SSF transition or to achieve PCI Secure SLC Compliance or remain compliant with Secure SLC Standards, our experts can guide you and handhold you through the entire process. With us by your side, we can make it a hassle-free Compliance process for your business. For more details on the program, you can check our blog post on https://www.vistainfosec.com/blog/ or drop us a mail at info[a]vistainfosec.com

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.