Transitioning from PA-DSS to PCI SSF

Maybe you're familiar with the PA-DSS. Maybe you're learning about what the SSF is. Well, the software security framework is replacing the payment application data security standard. What does this mean? How are they different? In this video, we'll explore that and more.

Hello, I'm Sully Perella, a manager here at Schellman, and we're here to discuss the differences between the PA-DSS and the SSF.

Security evolves over time, so security standards do too. It's best to think of the Software Security Framework as an evolution of the Payment Application Data Security Standard. Where the PA-DSS took a prescriptive approach, the SSF takes an objective-based approach. This flexibility not only allows vendors to address the security concerns unique to their software in a way that fits how that software is written, but also gives assessors more flexibility in how they test those controls to verify that the objectives are met.

One of the most notable differences between the PA-DSS and the Software Security Framework is the way that threat analysis and risk assessments are done. While risk assessments are not new to security, identifying the critical assets and the way that data is handled is new in terms of how vendors must document what they're doing and how they're doing it.

This includes:

  • Dependencies
  • The handling of data
  • What can impact the security of those critical assets

There's a lot to discuss when thinking about what an assessment contains nowadays, and we know the devil's in the details when it comes to these standards. Rather than trying to cover each of those here, fill out the form on our page and we'll discuss the differences, how they pertain to your software, and how we can work with you in the future.

About the Author

Sully Perella

Sully Perella is a manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Sully now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.
