What is PCI SSF

Payment applications were previously assessed under the PA-DSS. Well, those days are over, and now you have the Software Security Framework, or SSF. What does that mean? In this video, we're going to explore that and more.

Hello, I'm Sully Perella, a Senior Manager here at Schellman, and we're here to talk about what the Software Security Framework is. Previously, payment applications were assessed under the PA-DSS, which applied requirements that were pretty stringent and, as with all of these standards, was one-size-fits-all. The Software Security Framework takes a different tack than PA-DSS. By looking at a control objective, vendors are able to apply the controls inherent to what they're doing and things that are built into their platforms to address those controls, address those concerns, and demonstrate how payment data is secured.

The risk-based approach of the SSF allows for a lot more flexibility for vendors, making it a more functional standard, in addition to providing two different means. On one side, we have the Secure Software Standard. This most closely emulates PA-DSS and evaluates the payment software itself. On the other side, we have the Secure Software Lifecycle, which reviews how software is actually written. Think of this as the development side of the house. There's a lot of overlap between these two. In fact, you could easily make the argument that the Secure Software Lifecycle dovetails directly into the Secure Software Standard.

We imagine you have questions. Is your software eligible to be assessed? What does this mean? What does an assessment look like? Well, we'd love to answer all of those questions; reach out to us.

About the Author

Sully Perella

Sully Perella is a manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Sully now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.
