PCI-SSF Standard

About PCI-SSF STANDARD

PCI SSF is a Payment Card Industry Software Security Framework

The PCI Software Security Framework (SSF) is a collection of security standards and associated validation and listing programs for promoting software security in the payments industry. The SSF is comprised of the Secure Software Standard and the Secure Software Lifecycle (Secure SLC) Standard.

The Secure Software Standard defines the security features and attributes that payment software must possess, and the Secure SLC Standard defines the security processes and capabilities that a software vendor must have in place to ensure its software is developed securely.

The PCI Secure Software Standard is intended for software vendors and others that develop Payment Software that is sold, distributed, or licensed to third parties. This includes Payment Software intended to be installed on customer systems as well as Payment Software sold, distributed, or licensed to third parties, regardless of how the software is delivered.

Eligible for Validation Under the Secure Software Program:

– Software products involved in or directly supporting or facilitating payment transactions that store, process, or transmit clear-text account data;
– Software products developed by the vendor that are commercially available for sale to multiple organizations;
– Payment Software intended for use on PCI- approved PTS POI devices.

The PCI Secure Software Standard is not intended for Payment Software developed in-house for the sole use of the company that developed the software, nor is it intended for Payment Software
developed and sold to a single customer for the sole use of that customer, nor is it intended for Payment Software that operates on any consumer electronic mobile device that is not solely dedicated to payment acceptance for transaction processing.

In other words, if you are developing Payment Software for the sole use of the company, then the requirements of the PCI DSS standard will apply to it. However, if you sold, distributed, or licensed to third parties off-the-shelf Payment Software for multiple customers, then such Payment Software must meet the requirements of the Secure Software Standard.

There are two types of Secure Software Assessments within the PCI Secure Software Program:
– Full Software Assessments;
– Delta Assessments.

Full Software Assessments are performed by a PCI-qualified Secure Software Assessor of a Secure Software Assessor Company. “Delta Assessments,” as the name suggests, are required upon changes to Validated Payment.
Software that occurs between Full Secure Software Assessments. Delta Assessments confirm that software updates do not introduce new vulnerabilities and the software continues to meet applicable
PCI Secure Software Requirements. Delta Assessments can be performed independently by a vendor (self-assessment to confirm Low Impact changes) with the status of Secure SLC Qualified Vendor. To obtain this status, a separate standard is provided — Secure SLC Standard.

  • Compliance Control will help you to implement best practices and processes, show you the way to ensure your app is developed in accordance with PCI-SSF requirements, give adviсes on the way to prepare the Implementation Guidance and support you in the full compliance process.
  • Compliance Control is authorized to audit both SSF standards.




Contact us to get consulted on PCI-SSF audit and we will contact you within 30 minutes.

Fill the form

Project stages

Stage 1

The current state assessment and revealing the shortcomings, according to PCI-SSF requirements.

We will start the payment app validation process with consulting on PCI-SSF requirements and looking through the app. Then we’ll review the app code and view the log file and database records. Finally, we’ll provide several recommendations for eliminating the shortcomings on the first stage result basis.

Stage 2

Certification audit and PCI-SSF compliance report preparation.

The current report (Report of Validation for Secure Software Standard or\and Report of Compliance for Secure SLC Standard) will be submitted to PCI SSC for app\vendor inclusion to the certified apps\vendors list after successful review and validation.

Project results

Our auditors will provide an Attestation of Validation for Secure Software Standard\Attestation of Compliance for Secure SLC Standard and prepare reporting documentation for the payment app\vendor inclusion to the certified payment apps\vendors list on the certification audit results basis.

Interested in a service? Contact us right now!