What does the new PCI SSF mean for the Software Vendors?

Published on : 17 Aug 2021

PCI SSF Software Vendors

Payment Card Industry Software Security Framework (PCI SSF) is a new Payment Software standard designed for software vendors and merchants. Effective from October 2022, the new framework will be replacing the PA-DSS Standard that was initially launched to help merchants secure applications and cardholder data.

PA DSS was a standard meant for software vendors who developed software that stored, processed, or transmit cardholder data or any sensitive authentication data. However, PCI SSF which is now introduced by the PCI Council is a new framework set to improve the security standards of applications that accept payments and use payment data in the environment. Elaborating more on the new standard we have today also explained what does the introduction of the new PCI SSF means for the software vendors. But before that let us first understand how PCI SSF impacts software vendors. 

How does PCI SSF impact, Software Vendors?

PCI SSF is a combination of traditional and evolving software security framework requirements. It is a framework that supports the latest technology, software, and development techniques. The objective behind establishing the new software security framework was to ensure the standard supports both old and new application security and best development practices for payment applications in the industry.

With the establishment of the new security framework, it will provide the software vendors and merchants the flexibility to align their secure application development practices in line with the industry best practices and standard. 

Further, it will provide the software vendors an opportunity to offer PCI-validated payment software that shall give merchants confidence about the security of the software and being PCI DSS Compliant. PCI SSF validation impacts both the merchants and software vendors in a way that the framework is beneficial to identify security validated software that is secure to use in the PCI DSS Compliant payment industry.

Unlike PA-DSS, the SSF supports a wide range of security initiatives that essentially focuses on secure design and development payment application. So, with this, the framework facilitates vendors a broad range of payment platforms, and the flexibility in the change of controls to support the environments and the software development process and techniques.

The PCI SSF provides an objective assessment and approach that is highly flexible. With the new approach to the security requirements, they will be applicable throughout the design, development of software, and modules that are specific to certain functions or platforms can be assessed separately. Currently, vendors can be validated against either of the two PCI SSF programs namely Payment Software Security Standard (SSS) and Secure Software Lifecycle Standard (SLC). 

The SSS applies to software vendors who design and develop products that support or facilitate payment transactions that store, process, or transmit data or software developed by the vendor that are commercially sold to multiple organizations. The validation against the SSS Standard is to ensure that the payment software is designed in a way to protect the integrity of the software and the confidentiality of sensitive data it captures, stores, processes, and transmits.

On the other hand, the SLC Standard applies to any software vendors that develop payment software and wish to achieve a validation against SLC to ensure that the software development lifecycle processes, procedures, and practices are compliant as per standards.

What does PCI SSF Imply for Software Vendors?

  • Software vendors that are validated against the Secure Software Lifecycle Standard can enjoy the flexibility of low impact change in controls to applications and also perform delta assessment themselves, without the need of a QSA company’s intervention. This also gives the vendor the convenience to provide the delta assessment results directly to the PCI SSC thereby reducing additional professional assessment expenses of a QSA company. 
  • In comparison with the old PA DSS Standard, the eligibility criteria for validation against SSS is much wider. PCI SSF validation does not just support applications that facilitate authorization and/or settlement, but also broadly covers the payment applications that are involved in or directly facilitate payment transactions that store, process, or transmit payment data. 
  • On the other hand, the Secure SLC Standard is one of a kind PCI standard that validates the software vendor’s process, technique, and technology of developing payment application.  So, now vendors will not just be validated for their software applications but also the process, methodology, and technology adopted by them to develop payment applications. This provides an opportunity for vendors for demonstrating the maturity of their process and practices of designing and developing payment applications. Bringing in more transparency, PCI SSF Validation provides a sense of confidence to merchants about the security of the software vendors they deal with. This further brings in more efficiency and reliability in the industry and a secure choice of vendors to deal with for payment applications in the payment ecosystem.


Given the benefit that the new PCI SSF security framework offers both Merchants and Software Vendors, it can be seen as a good initiative from the PCI Council to establish such a dynamic, flexible, and robust security framework that aligns with the evolving payment security requirements of the industry.  Although the initial phase of transition from PA DSS to PCI SSF may be challenging this will benefit software vendors in the long run and give them a competitive edge in the industry.

For organizations looking to achieve compliance with PCI SSF Standard it is strongly recommended especially by the PCI Council to approach Qualified PCI SSF Assessors listed on their website for guidance and assessment. That said, VISTA InfoSec is a reputed Global Cybersecurity Consulting firm qualified by the PCI Council as a PCI SSF Assessor for valid evaluation and assessment against the PCI Standard. Having years of industry experience and expertise in various PCI Standards we are confident about helping clients in their journey of PCI SSF compliance. So, for more information on PCI SSF and its two programs, you can check our blogs and for any queries or assistance pertinent to the PCI SSF program, you can drop us a mail at [email protected] 

2.5/5 - (2 votes)
Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.