Maybe you're familiar with the PA-DSS. Maybe you're learning about what the SSF is. Well, the Software Security Framework is replacing the Payment Application Data Security Standard. What does this mean? How are they different? In this video, we'll explore that and more.
Hello, I'm Sully Perella, a Senior Manager here at Schellman, and we're here to discuss the differences between the PA-DSS and the SSF.
Security evolves over time, so security standards do too. It's best to think of the Software Security Framework as an evolution of the Payment Application Data Security Standard. Where the PA-DSS took a prescriptive approach, the SSF takes an objective-based approach. This flexibility not only allows vendors to address the security concerns unique to their software, and to how their software is written, but also allows assessors more flexibility in how they test those controls to verify that they're met.
One of the most notable differences between the PA-DSS and the Software Security Framework is the way that threat analysis and risk assessments are done. While risk assessments are not new to security, identifying the critical assets and the way that data is handled is new in how vendors must document what they're doing and how they're doing it.
This includes:
- Dependencies
- The handling of data
- What can impact the security of those critical assets
There's a lot to discuss when thinking about what an assessment contains nowadays, so instead of trying to identify each of those here (and we know the devil's in the details when it comes to these standards), fill out the form on our page and we'll discuss the differences, how they pertain to your software, and how we can work with you in the future.