The paradigm shift of PCI SSF: what executive leaders need to know now

B Sondhi 70px jpg

Bhavna Sondhi

Sr Manager, Technical Solutions, Coalfire

Blog Images 2022 PCI SSF tile

PCI’s new secure software framework (SSF) shifts validation standards. Companies need to adapt their payments software development process to meet both requirements and consumer demand.

Key takeaways:

  • Moves the standard from point-in-time compliance to continuous integration throughout the SDLC
  • New strategies will require more "people/process/technology" changes than ever
  • "Shifting left" to an agile development process is no longer optional

As a security leader who lives and breathes security controls, protocols, and compliance standards, you’re probably aware of the upcoming Payment Card Industry (PCI) Software Security Framework (SSF) transition that’s been coming for some time. In fact, I posted a blog about the phase-out of the venerable Payment Application Data Security Standard (PA-DSS) three years ago: PA-DSS to Software Security Framework: What You Need to Know.

Fast forward to present day — are decision makers and C-level executives aware of the business implications of this transition? The reality is that few in the professional community understand the historic significance of this payment application security and compliance paradigm shift, and even fewer are prepared to develop secure software as per the new framework requirements. Effectively communicating this new security narrative is mission-critical for any organization’s CISO.

Moving from point-in-time to CI/CD

The original focus of PA-DSS was to confirm that the software deployed in payments ecosystems protected sensitive cardholder data. In the new SSF standard, the focus is less on a point-in-time, check-the-box approach and more on a progressive demonstration of secure software practices throughout the entire product lifecycle. The goal is to ensure that developers are using the most mature, state-of-the-art controls for continuous integration and deployment of digital assets. The implementation of new controls can affect operations, budgets, and resource allocations for virtually every department in the modern enterprise, from the CFO’s projections and compliance spend, to the COO’s logistics and planning disciplines, to the CMO’s marketing and sales pipeline.

The most important concept is that the new standards for validating payments software at both the transaction level and during the entire development lifecycle are far more objective than those standards under PA-DSS. Evolving architectures deployed in multi-cloud environments have forced new oversight models and necessitated streamlining assessment processes. With the consequences of breach, loss, and legal damages, officers and directors must have a better grasp on these processes, as well as the how’s and why’s of resources allocated to developing secure software.

An accelerating threat landscape

The pandemic hangover, pressures on supply chains, expansion of attack surfaces, and the proliferation of new technologies like 5G and AI are occurring much faster than originally anticipated when the PCI SSF was first announced in 2019. This new reality compels all departments in companies that develop payment software to form robust risk management strategies, and for managers to identify and prioritize distinct vulnerabilities within their areas of authority.

Companies cannot stop every attack, but by sorting and modeling threats, and then creating response protocols, companies can mitigate the attack surface of payment applications and better protect consumer cardholder data. These strategies will be different for every business and will require far more “people/process/technology” input and coordination than ever.

Key CISO-to-C-level communications takeaways

Consider these communication takeaways for every organization developing payment software as they transition to SSF:

  • Vulnerabilities are everywhere. PCI SSF acknowledges this fact about digital transformation in the cloud: code is present and vulnerable at every point along the global production, distribution, and commerce chain, and at every connectivity point between buyer and seller.
  • Code is dynamic. Workloads spinning up and down in the cloud are integral to “Industry 4.0” and the automation of all tasks in the cloud. Legacy systems remain, but there is no turning back or sitting still. SSF standard requirements exemplify this objectivity and maturing of enterprise security awareness and lead to a more efficient fine-tuning of cyber control and oversight.
  • The new framework requires more detail. Though streamlined and flexible, the new framework for validating all payment applications requires far more granular supervision. This will be accomplished through evidence collection, observation, and interviews with department heads to ensure the various control objectives for securing software as well as the product lifecycle identified within the two new standards under the SSF are achieved. As a result, more people across the enterprise will need to be involved to develop and manage software under the new SSF.
  • “Shift-left” is no longer optional. Developers are not going to make changes and programming updates without a solid “shift left” of the security team into their agile development processes. No enterprise wants to, or can afford to, have a glitch that leads to a breach, nor can an enterprise afford to break business continuity and erode customer trust with operational disruptions and shutdowns.
  • Frictionless payment is now the norm. Businesses morphed in reaction to the pandemic and new cyber risks over the last two years. From curbside pickup and delivery to cashier-less checkout and in-store applications, merchants, payment service providers, banks, processors, and acquirers are acting quickly on new opportunities to enhance the customer experience and to ensure software security. Sellers are looking for creative promotions and loyalty programs, and frictionless, error-free commerce that finds and exploits competitive points of differentiation.
  • Assurance is mandatory for businesses to prosper. Vendors, partners, supply chain players, and consumers have a heightened awareness of the need for threat mitigation and privacy protection. Demand for assurance is rising fast, and those needs must be met between the enterprise and other PCI SSF-compliant partners.


With the upcoming PCI SSF, global business stands at a strategic crossroads between hyperscale network complexity, the coming speeds with 5G, and a multitude of wild cards including IoT, cryptocurrency, Web 3.0, and more AI/ML. Retailers with physical and online presences must keep up with consumer demand by re-inventing the customer experience and investing in new payments capabilities. The new PCI framework reflects this maturity and the “moving target” reality of today’s payments ecosystem.

As one of the original contributors to the PCI Security Standards Council and one of the most experienced PCI-QSA and PA-QSA companies, Coalfire has provided feedback to PCI SSC since the early stages of the SSF and was the first firm accredited to conduct assessments against the new framework. Coalfire offers targeted workshops and advisory assistance to help bring companies up to speed and to continually improve their security posture.