PCI Software Security Framework (PCI SSF) 

Securing Payment Software Today

A new approach for securely designing, developing and maintaining existing and future payment software.


The PCI SSF standards extend PA-DSS limits to address overall software security resiliency. PCI SSF supports a broader array of payment software types, technologies, and development methodologies in use today and those to come.

Software Security Framework

Enough marketing chit-chat, find out what our long standing customers have to say about how we help them achieve cybersecurity success.

Foregenix Consulting and Compliance team

True Cybersecurity Experts, working with a vast array of clients ranging from small retail merchants to complex industrial environments and large international banks. 


Remarkable individuals with lifetime of experience as cybersecurity consultants, penetration testers, analysts, developers and engineers for all kinds of industries.

A unique working environment

Our people's technical experience coupled with a unique work environment is the foundation of our services: a complex machinery designed to assist our customers avoid disruption while managing risk. 


Foregenix has been closely involved with the leading cybersecurity frameworks since its inception, including the Payment Card Industry (PCI), ISO, NIST and several country-specific regulatory bodies, earning a reputation of excellence in every program it participates.


While we insist that experience is what makes the difference on this business, our consultants still hold a myriad of certifications, including PCI, SWIFT and ISO, cloud-vendor specific ones, and more general technology credentials like CSSLP, CISM, CISA, CISSP, and many more.


Be part of the elite in the industry by attesting your strong cybersecurity posture and bring the right type of attention for your business. 

  • Reliance: Most effective security
    Your payment software will be conceived with attack scenarios in mind and is able to detect and response to unexpected conditions and sustain attacks.
  • Recognition: You are in the list!

    After validation, either your payment software or your company's lifecycle, or both will be listed in the PCI SSF Standards Council's website for 3 years.

  • Resiliency: Ease of mind
    Both your processes for developing software and the resulting payment software will become more effective at protecting sensitive data.
Get support from native-speaking consultants in English, French, Spanish, Italian, Afrikaans, Greek, Gujarati, Hebrew, Hindi, Hungarian, Portuguese, Punjabi, Romanian, Russian, Ukrainian and Urdu

A mature, structured methodology


PCI SSF Transitioning Workshop

Designed to educate and prepare our clients for the evaluation of payment software under this new Compliance Program.


GAP Analysis

Our PCI SSF Assessors will provide an expert analysis of your company's current compliance status and security posture by defining the scope for the Compliance Assessment Service (CAS) to validate compliance with the PCI SSF Secure Software standard. 


Payment Software Testing

Foregenix will evaluate the software code or the operation of the software using a variety of security-testing tools and techniques. This test will validate each control objective. 

The results of this phase will provide a detailed report on the environment and any remediation steps that should be taken. 


Compliance Assessment Service (CAS)

A complete set of services to assist you with achieving and maintaining PCI SSF Compliant status. 


Report On Compliance (ROV)

It ensures that both your entity and Foregenix keep compliance with the PCI Secure Software Standard to the highest level.

We have supported many companies to achieve PCI SSF Compliance. Become one of them.


If you require further information, we offer the PCI Software Security Framework (PCI SSF) Workshop, which is designed to cover all particularities of the SSF framework and its two programs.


We receive a significant number of questions about PCI Software Security Frameworks Standards Compliance. Below, you will find the answers to the most frequently asked ones.

While both provide a three (3) year validation period they focus on different aspects of Software Security.

The Secure SLC Standard validates the security controls and practices with your software design and execution methodology. As such, we are validating processes, policies and procedures - this is not a technical review.

The Secure Software Standard, on the other hand, is a review of the overall security of a specific piece of software.

This means that, as an organization, you could be validated for having a Secure Software Lifecycle and you could have separate Secure Software Standard validations for each payment software you develop.

Your organisation/company does not need to be validated under the Secure SLC Standard to have your software validated. Having the Secure SLC validation, however, can simplify the process of maintaining the validation of your payment software when making changes. I’ll explain this a little.

The Secure Software Framework does not allow the use of wildcards. Any changes made to payment software will be high impact (if affecting sensitive assets – i.e. data, functions or resources) or low impact.

If you are Secure SLC validated, you can make low impact changes and submit the relevant documentation to the SSC to update the software version listing, without paying fees.

If you are not Secure SLC validated, these low impact changes must be reviewed by an assessor who must complete associated documentation and submit to the SSC on your behalf and each change requires you to pay a fee.

Payment software that stores, processes, or transmits clear-text Account Data, intended to be installed on customer systems as well as payment software deployed to customers ‘as a service’ over the Internet.

In order for an assessor to validate the standard objectives, the business must demonstrate documentation, processes and evidence showing the scope of each subject area in relation to their software and show the processes involved in measuring exposure and mitigating risk.


Need help? Or have any questions?

We're here to assist you. We aim to understand your data security challenges - no matter the size of your project.

Start your PCI Project Today!