How Long Does a PCI SSLC Assessment Take?

In racing, the general idea for drivers is to improve their lap times as best they can—shaving off tenths of seconds can mean all the difference at the checkered flag. But there’s only so much they can control—the track layout is what it is, and the setup of their car is determined by their engineers.

Racecar drivers do their best to be as efficient as possible, but there’s still a basic expectation of how long it’ll take them to make their way around the track. The same is true for compliance projects—you want to be done with them as soon as possible, but there will always need to be time spent to get assurances for your customers.

It’s no different when it comes to the new PCI SSF. There are two different standards within the framework, and you’ve decided to go with PCI SSLC—an assessment of the overall SDLC process to ensure that your payment software was developed under a validated secure software lifecycle.

Now, you need to set expectations for your involved personnel and other resources—you’re asking, “how much time should I budget for my teams?”

As assessors of this standard, we can give you a starting point. In this article, we’re going to break down how long a PCI SSLC assessment takes—both the readiness assessment and the full assessment. Every assessment is different due to timing, scope, and size of environments, but we can at least set a baseline for you, as well as two lists of factors that will affect the overall review period.

With this information on the different phases and the rough timeline, you’ll be able to communicate with your team on how long they’ll need to endure this assessment.

How Long Does a PCI SSLC Readiness Assessment Take?

If this will be your first time undergoing a PCI SSF assessment, we recommend performing a readiness assessment. Why? The two standards under the PCI SSF—including SSLC—are replacing PA-DSS, which featured prescriptive requirements. These new standards do not, and such a shift might pose a major challenge.

Rather than a singular set of security controls applied to a payment application, the PCI SSF standards evaluate software security as a whole. They’re very different from anything the industry has seen before, and in our experience with similar shifts in standards, we have found that the full assessment goes a lot more smoothly if you perform a readiness assessment ahead of it.

So how long will this readiness assessment take? Around 2 to 3 weeks, and here’s how that breaks down:

  • One week dedicated to interviews and collecting evidence.
  • One week for closing out evidence requests and providing clarification to your assessor.
  • Additional time (as needed) for preparation of the readiness assessment report.

But that’s a starting point, and as we said—every assessment is different and tailored to the organization undergoing it. Some factors that can affect this baseline timing:

  • Number of SDLC processes being assessed
  • The complexity of your processes
  • Size of your scope
  • Number of evidence items successfully submitted during the assessment

The 3 Phases of a PCI SSLC Assessment

That’s the readiness assessment out of the way, but it’s not going to provide the assurances your customers need. So, you’ll finish that one, correct any findings, and implement each of the assessor’s recommendations. Then, you’ll move on to the full assessment.

For your planning purposes, a PCI SSLC assessment will take at least 3 weeks. Here’s the breakdown for that period:

  • One week dedicated to interviews and collecting evidence.
  • One to two weeks dedicated to closing out evidence requests.
  • One to two weeks (aggregately) for reporting, QA, and submission to PCI SSC.

Of course, some factors can affect the amount of time necessary to complete your SSLC assessment:

  • Completion of readiness assessment
  • Whether or not you have previously completed a PA-DSS assessment
  • Your implementation of control objectives
  • Remediation and criticality of findings (if applicable).
    • If there are major issues found during the assessment, they will take more time to fix.
  • Number of operating systems
  • The complexity of user interfaces
  • Embedded modules
  • Deployment options

No matter which of these—if any—play a part in your assessment, in truth, your timeline does not stop there. As noted above, upon completion of the report, your assessor will submit the signed ROC to the PCI SSC for review, and that review by the Council will take additional time. Though this is not technically part of your process timeline, you should also expect around a 30-day turnaround for quality assurance on your submitted ROC—that’s in addition to the 3+ weeks.

Moreover, if PCI SSC requires major changes, that will add even more time depending on their findings. If you’re working with Schellman, our team will interface with PCI SSC during the submission process and support you until approval.

Next Steps for Your PCI SSLC Assessment

Time spent is an important factor when booking an assessment, especially when you need to allocate resources to the effort. What we’ve provided here are general ranges and factors—there is never a “One Size Fits All” for assessments and situations. But just as a racecar driver can learn what to expect in terms of the track layout, now you too can set basic expectations when it comes to your upcoming PCI SSLC assessment.

Once you’ve spoken with and chosen an assessor, you’ll then likely have a conversation regarding the scope of your evaluation, which is meant to help them better understand your company and processes—at that point, you should also get a clearer, more accurate schedule for the assessment.

To learn more about the SSLC—as well as the greater PCI SSF—make sure you check out our other content:

And of course, if you’d like to speak with Schellman regarding any more specific questions you may have, please reach out to us. Our experts would be happy to address your concerns about assessment scheduling or any other particulars involving the PCI SSF.

About the Author

Joe O'Donnell

Joe O'Donnell is a Manager with Schellman mainly dedicated to the PCI and PCI specialty service lines. Prior to joining Schellman & Company in 2015, Joe worked at an industry within the Enterprise Risk Management consulting practice. He managed IT Reviews in support of the financial audit but helped with various engagements including but not limited to: SOC reports, penetration testing and vulnerability scanning, SOX, HIPAA, and bank audits. Before focusing his career on IT auditing services, Joe worked as an Enterprise Operations Computing Analyst where he gained experience in IT systems analysis and data center operations.
