What is PCI SSF

Payment applications were previously assessed under the PA-DSS, well those days are over and now you have the software security framework or SSF. What does that mean? In this video, we're going to explore that and more.

Hello, I'm Sully Perella a manager here at Schellman, and we're here to talk about what the software security framework is. Previously, payment applications were assessed under the PA-DSS, which applied requirements that were pretty stringent, and as with all of these standards, is a one size fits all. The software security framework takes a different tack than PA-DSS. By looking at a control objective, vendors are able to apply the controls inherent to what they're doing and things that are built into their platforms to address those controls, address those concerns, and demonstrate how payment data is secured.

"...you could easily make the argument that the secure software lifecycle dovetails directly into the secure software standard."

The risk based approach of the SSF allows for a lot more flexibility for vendors, making it a more functional standard, in addition to providing two different means. On one side, we have the secure software standard. This most closely emulates PA-DSS and evaluates the payment software itself. On the other side, we have the secure software lifecycle, which reviews how software is actually written. Think of this as the development side of the house. There's a lot of overlap between these two. In fact, you could easily make the argument that the secure software lifecycle dovetails directly into the secure software standard.

We imagine you have questions. Is your software eligible to be assessed? What does this mean? What does an assessment look like? Well, we'd love to answer all of those questions, reach out to us.

About the Author

Sully Perella

Sully Perella is a manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Sully now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.

More Content by Sully Perella
Previous Video
The Risks of a Low-Cost Audit Partner
The Risks of a Low-Cost Audit Partner

Next Video
What to Expect from Your FedRAMP Penetration Test
What to Expect from Your FedRAMP Penetration Test