In 2019, the PCI Security Standards Council released the PCI Software Security Framework (SSF) to ensure the secure design and development of payment software. The PCI SSF is a new standard rolled out with the purpose of securing payment application software. This is a crucial move towards improving the security of payment applications and ensuring reliable online payment transactions. The new framework supports the security requirements of both modern and traditional payment software. The SSF provides vendors with a comprehensive security standard for building and maintaining payment software that protects payment transactions. It also helps secure against data vulnerabilities and sets a strong defense against attacks. PCI SSF is a methodology that facilitates robust security development practices in the industry. The PCI Software Security Framework consists of two different and independent programs, each of which has its own standard requirements, validation criteria, and SSC listing. The two programs are the Secure Software Lifecycle Program (Secure SLC) and the Secure Software Standard (SSS). Vendors will have to evaluate and determine which standards are applicable to them and accordingly comply with either of the two PCI SSF programs.
Taking into account all the relevant business, regulatory, and compliance requirements, we spend significant time with your senior management in defining scope, which includes setting timelines, responsibilities, and budget for the implementation.
We conduct an “as-is” Gap Analysis of your organization to identify gaps in security controls, systems, and the environment against PCI SSF Compliance requirements.
We provide your business and software development team a brief Awareness Training on PCI SSF and further discuss their roles, responsibilities, and timelines.
Our automated code review software checks source code for compliance with a predefined set of rules and best practices. Our analytical methods inspect and review source code to detect commonly known programming bugs.
We augment tool-assisted scans with a manual review of the underlying software architecture, which tools cannot evaluate without special engineering. We follow a proprietary methodology to discover and critique security points of interest relevant to the application’s architecture.
We focus on the underlying frameworks and toolkits the application depends on for critical functions. Our team then reviews the functional and non-functional behavior of these frameworks, models information flow, component interaction, and communication paths to detect weaknesses in the framework.
We conduct both automated and manual vulnerability assessments as part of an Advanced Code Review and further explore attack surfaces and frameworks. This level of analysis is ideal for high-risk, business-critical software that cannot afford even low-severity security vulnerabilities.
Our team assesses and scans your web application to accurately identify vulnerabilities the way an attacker would. Using a top-end commercial tool and an in-house developed semi-automatic assessment portal, we keep the likelihood of false positives and false negatives to a bare minimum.
As we believe it is just as important to fix bugs as it is to find them, our consultants provide you with a document outlining remediation guidance. We further support your team for queries during the actual remediation of weaknesses.
With all data in hand, our team then creates the document set as per PCI SSF requirements. Your inputs are required only to validate the same.
Our expert conducts a User Training program for the business personnel and software development personnel responsible for the in-scope applications, covering their specific responsibilities. As this is an ongoing exercise, the training video is recorded and provided to you for future reference and training.
After a reasonable gestation period, a separate team of experts conducts a Pre-assessment of your setup.
Once all controls are confirmed to be in place, we help you get certified with our dedicated and duly separated team of auditors for PCI SSF.
We can provide you continual support (Managed Compliance Services) and help you stay compliant.
PCI Software Security Framework (SSF) is a collection of standards and programs developed to secure the design and development of payment software. It is a standard that ensures a robust and secure development practice of payment software in the industry.
PCI SSF replaces PA-DSS with additional requirements that support a variety of payment software types, technologies, and development techniques. It is a payment security standard that includes elements of PA-DSS, supporting the existing ways of demonstrating good application development while also supporting a variety of new payment software and development processes. So, basically, PCI SSF is an improved version of the PA-DSS standard.
PA-DSS is expected to be phased out at the end of October 2022 and will formally be replaced by PCI SSF.
The PCI Software Security Framework consists of two different and independent programs, each of which has its own standard requirements, validation criteria, and SSC listing. The two programs include:
The Secure Software Standard (SSS) and the Secure Software Lifecycle (Secure SLC) are both three-year programs that focus on different aspects of software security validation. While Secure SLC validates the security controls and practices of the software design and development process, the SSS reviews the overall effectiveness of the security of the software itself. So, organizations may be validated for Secure Software Lifecycle and may separately be validated under the Secure Software Standard for the payment software they develop.
An organization does not necessarily require validation under the Secure Software Lifecycle Standard (Secure SLC) if it is validated for the Secure Software Standard (SSS). However, Secure SLC validation can simplify the process of maintaining the validation of your payment software when making changes. If you are Secure SLC validated, you can make low-impact changes and submit the relevant documentation to the PCI SSC to update the software version listing, without paying fees. If you are not Secure SLC validated, low-impact changes must be reviewed by an assessor, the relevant documents will need to be submitted to the PCI SSC, and each change will incur a fee.
Payment software that stores, processes, or transmits sensitive account data and is intended to be installed on customer systems, as well as payment software deployed to customers as a service over the Internet, should be assessed and validated under the Secure Software Standard.
PCI SSF / SSLC will cost $20,000.
PCI SSF Fundamentals
Inside the Assessment Process of PCI SSS
Practical Tips & Strategies
Overcoming Challenges & Avoiding Pitfalls
The Value Proposition of PCI SSF
FAQs