A Quantum Leap in Payment Application Validation
SSF Secure Software is more flexible and ensures increased software security.
The launch of PCI’s Software Security Framework (SSF) program as the replacement for the PA-DSS program (which is set to retire in 2022) streamlines the validation process to support efficient and agile code releases and to defend against constantly evolving security attacks. If you are a software vendor for point-of-sale, middleware, payment switch, kiosk, shopping cart, call center, fuel dispenser transaction, or other transaction-related applications, an SSF Secure Software application listing provides your merchant and acquiring customers complete assurance that your software will support their PCI DSS compliance.
The requirements for SSF Secure Software validation and listing include meeting all of the requirements for Secure SLC and submitting your application and supporting documentation for review and testing by ControlScan’s Secure Software Assessor team. While most of the software tests are performed by the software vendor itself (which provides this evidence to the SSF Secure Software Assessor), additional testing must be performed in ControlScan’s application lab or, under certain conditions, on-site at the vendor’s lab.
Applications that meet all the criteria for Secure Software qualify for listing on the PCI SSC SSF Secure Software listing. Among the documented requirements for listing are secure handling of sensitive data, authentication credentials, and key material; vulnerability testing of all interfaces and APIs; threat modeling for possible attack scenarios; and implementation of appropriate security controls to mitigate these risks.
Migrate your PA-DSS App to SSF
For new payment applications, or for vendors migrating their application from PA-DSS, ControlScan SSF Assessors can help ensure application readiness by providing a full gap analysis for all SSF requirements, including the new and evolving requirements. Our actionable recommendations and gap reporting can be used as a roadmap to plan your assessment for SSF Secure Software validation and listing.
Please note that while the current SSF Secure Software Standard v1.0 only includes the testing procedures applicable to Payment Software sold or distributed to support transaction authorization, future modules are expected that may allow SSF validation of other application types. Until these additional modules are available, vendors can be listed as Secure SLC Vendors or prepare against the core requirements, or ControlScan can prepare a custom testing approach utilizing the SSF assessment model for release as an informative security white paper.
To learn more about ControlScan’s SSF validation services, simply complete the form on this page or call us at 1-800-825-3301, ext. 2.