The Payment Card Industry Security Standards Council (PCI SSC) has announced the launch of two new validation programs for payment software vendors.
The new programs, the Secure Software Lifecycle (Secure SLC) and Secure Software Programs, will allow assessors to evaluate vendors and their payment software products to ensure that they comply with PCI Secure SLC and Secure Software Standards. The programs are part of the PCI Software Security Framework (SSF), which is a collection of standards and programs to ensure the secure design, development and maintenance of payment software.
“These programs work together with the PCI Secure SLC and Secure Software Standards to help vendors address the security of both their development practices and their payment software products. We’re pleased to have the Secure SLC and Secure Software Programs documentation available now as the initial step toward providing the industry with validated listings of trusted payment software vendors and products under the PCI Software Security Framework,” PCI SSC Chief Operating Officer Mauro Lance said in a press release Wednesday (June 26).
He continued, “In the meantime, PCI SSC recognizes that transitioning from PA-DSS to the Software Security Framework will take time, and we want to reassure PA-DSS vendors, PA-QSAs and users of PA-DSS validated payment applications that the PA-DSS Program remains open and fully supported until October 2022, with no changes to how existing PA-DSS validated applications are handled.”
The SSF will ultimately replace PA-DSS when PA-DSS is retired in 2022. During the interim period, the PA-DSS and SSF Programs will run in tandem, with training for the new program available in early 2020. SSF will initially be specific to payment software products that store, process or transmit clear-text account data, and are commercially available and developed by the vendor for sale to multiple organizations. However, as new modules are added, the program will be expanded to include them.