Cloud

Attention Payment Application Developers: Begin Your Transition from the PA-DSS to the PCI SSF Today

Coalfire Assessment Team

February 20, 2020
Blog Images 2022 02 20 Tile

This content is provided "as is" and is more than a year old. No representations are made that the content is up-to date or error-free. 

The Payment Card Industry (PCI) Council plans to formally retire the Payment Application Data Security Standard (PA-DSS) in October 2022 and replace it with the PCI Software Security Framework (SSF). For vendors, the new framework expands program eligibility with improved support for evolving architectures \/ deployment models, streamlines the assessment process, and simplifies listing management. It also provides greater flexibility for meeting security requirements and modernizes the notion of application security for payment applications and the companies that develop them.

Today's software development requires objective-focused security to support flexible development and update cycles, which is a huge benefit of the new framework that will support both traditional and modern payment software. It's based on a new methodology for validating software security and a separate Secure Software Lifecycle (SLC) qualification for vendors with rigorous security development practices.

Coalfire is the first accredited firm to conduct assessments against the new framework, and we’re geared up to help vendors prepare for both Secure SLC and Secure Software assessments. Adopting the SSF early on helps demonstrate your commitment to the highest level of payment data security for your merchant and acquirer customers.

Let’s look at the timeline, which can help you develop a transition plan.

Source: PCI SSC website | Click to enlarge 

The first step is to check your payment applications’ expiration dates and develop a plan to evolve to the SSF. The PCI Security Standards Council (SSC) will continue to accept PA-DSS Full Validations until June 30, 2021. In addition, existing PA-DSS validated applications will remain on the Validated Payment Applications list until their expiration dates, providing that vendors continue to submit their annual revalidation forms and can submit Delta Assessments until the end of October 2022. At that time, PA-DSS-validated payment applications will be moved to the “Acceptable Only for Pre-Existing Deployments” tab on the Validated Payment Applications list, and the PA-DSS Program will close.

As Software Security Assessors, we can assist with advisory services as you begin the journey from PA-DSS to the SSF. We can help evaluate your development processes as part of a Secure SLC assessment or ensure your payment applications are aligned to the SSF.

The second step for existing PA-DSS vendors, we will be to perform a specialized transition assessment to move your PA-DSS listing to the Secure Software Standard (SSS). Depending on the standard you choose to pursue, and after successful submission of a Secure SLC ROC or SSS ROV, the PCI SSC will list both Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website as resources for merchants.

Transitioning from the PA-DSS to the SSF may take time to adjust to the differences between the two programs, so we encourage you to reach out for help with developing a customized plan for the evolution.

For more information from the PCI SSC, please visit these links below:

PCI Security Standards Council Launches New Assessor Qualification Program to Support The PCI Software Security Framework

New Assessor Opportunity: PCI Software Security Framework

Understanding the PCI Software Security Framework: New Educational Resources