Flavio Bonfiglio Sorans

Foregenix's cybersecurity experts have been deeply involved in supporting the PCI Council during the development of the new PCI Software Security Framework (SSF), and today we are proud to announce we are fully enabled to help your organisation align and achieve compliance with this new program.

The PCI Software Security Framework (SSF)

The Software Security Framework (SSF) represents a new approach for securely designing, developing and maintaining existing and future payment software. Whilst PA-DSS was designed specifically for payment applications used in a PCI DSS environment, the PCI SSF extends beyond the limits of PA-DSS to address overall software security resiliency. The PCI SSF is designed to support a broader array of payment software types, technologies, and development methodologies in use today, and also to support future technologies and use cases.

There are currently two standards in the Software Security Framework: the Secure Software Lifecycle Standard (Secure SLC) and the Secure Software Standard. These are two separate, independent standards. Each standard has its own Program Guide, requirements and validation processes, as well as its own public listing in the SSC Portal.

The Secure SLC Standard is intended for validating the lifecycle practices for software vendors that develop software for the payments industry. Validation to the standard by a Secure SLC Assessor can result in the vendor being listed on the PCI SSC website as a Secure SLC Qualified Vendor.

Another difference is that Secure SLC Qualified Vendors will be allowed to perform and self-attest to their own software “delta” assessments (as part of validating their payment software products' compliance with the Secure Software Standard) with reduced assessor involvement or oversight.

The Secure Software Standard defines a set of security requirements and associated test procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data. The initial release of the Secure Software Standard also includes an account data protection “module” that applies to software that stores, processes, or transmits account data. Additional modules will be added to the Secure Software Standard to address other software types, use cases, or technologies.

What happens to PA-DSS?

The PCI Software Security Framework has no immediate impact on PA-DSS validated payment applications, although PA-DSS will eventually be replaced by the validation programs within the PCI Software Security Framework.

Transitioning from PA-DSS to the PCI Software Security Framework may take some time whilst software vendors adjust to the differences between the two programs. Therefore, software vendors are encouraged to continue to submit changes to currently validated applications via the PA-DSS program. New PA-DSS validations will be accepted through mid-2021 and be valid through late 2022. Assessments against the PCI Software Security Framework are anticipated to begin in the first quarter of 2020 and will have a three-year validity period.

After October 2022, PA-DSS validated applications will be moved to the "Acceptable Only for Pre-Existing Deployments" list when the validation expires. For applications validated to PA-DSS version 3.2, this will occur at the end of October 2022, and the PA-DSS program will close.

See further information about applications listed as "Acceptable Only for Pre-Existing Deployments" on the PCI Security Standards Council FAQ page.

Get in touch

Foregenix has developed an agile methodology to accelerate your transition from PA-DSS to SSF Standards validation. Discover the portfolio of solutions that we have prepared to help you certify your processes or your payment software.

