Monday, November 28, 2022

What does the new PCI SSF mean for the Software Vendors?


The Payment Card Industry Software Security Framework (PCI SSF) is a new payment software standard designed for software vendors and merchants. Effective from October 2022, the new framework replaces the PA-DSS standard, which was originally launched to help merchants secure payment applications and cardholder data.


PA-DSS was a standard for software vendors that developed software which stored, processed, or transmitted cardholder data or sensitive authentication data. PCI SSF, now introduced by the PCI Council, is a new framework intended to raise the security standard of applications that accept payments and handle payment data in the cardholder data environment. In this article we explain what the introduction of PCI SSF means for software vendors, but first let us look at how PCI SSF impacts them.


How does PCI SSF impact Software Vendors?


PCI SSF combines traditional and evolving software security requirements into one framework. It is designed to support current technology, software types, and development techniques. The objective behind the new framework is to ensure that the standard accommodates both established and emerging application security and secure development practices for payment applications across the industry.


The new security framework gives software vendors and merchants the flexibility to align their secure application development practices with industry best practices and standards.


Further, it gives software vendors the opportunity to offer PCI-validated payment software, which gives merchants confidence in the security of the software and supports their own PCI DSS compliance. PCI SSF validation benefits both merchants and software vendors: it identifies validated software that is secure to use in a PCI DSS compliant payment environment.


What does PCI SSF Imply for Software Vendors?


Software vendors validated against the Secure Software Lifecycle (Secure SLC) Standard gain flexibility for low-impact changes to application controls and may perform the delta assessment themselves, without involving a QSA company. The vendor can then submit the delta assessment results directly to the PCI SSC, which avoids the additional professional assessment fees of a QSA company.


Compared with the old PA-DSS standard, the eligibility criteria for validation against the Secure Software Standard (SSS) are much wider. PCI SSF validation is not limited to applications that facilitate authorization and/or settlement; it also broadly covers payment applications that are involved in or directly facilitate payment transactions and that store, process, or transmit payment data.


The Secure SLC Standard, on the other hand, is a first-of-its-kind PCI standard that validates the software vendor's process, techniques, and technology for developing payment applications. Vendors are therefore validated not only for their software applications but also for the process, methodology, and technology they adopt to develop them. This gives vendors an opportunity to demonstrate the maturity of their practices for designing and developing payment applications. By bringing in more transparency, PCI SSF validation gives merchants confidence in the security posture of the software vendors they deal with. This in turn brings more efficiency and reliability to the industry and gives merchants a secure choice of vendors for payment applications in the payment ecosystem.

