PCI SSF - Software Security Standard
The Secure Software Standard applies to payment software products that are sold, distributed, or licensed to multiple organizations. Our security professionals at CBL are qualified Secure Software Assessors who perform Secure Software validation testing and consulting.
- Assessor Type
- Governing Body
- Data Type
- SSS QSA
- SOFTWARE DEVELOPERS
- 3 Years
- PCI SSC
- CARDHOLDER DATA
The Secure Software Standard defines a set of security objectives and control objectives to ensure the security of payment software. It is one of the standards under the PCI Software Security Framework and covers application security features and functionality. The Secure Software Standard is also known as S3 or SSS.
The Secure Software Standard is applicable to payment software products that are sold, distributed, or licensed to multiple organizations.
The Secure Software Standard supports a wide range of payment applications that are involved in, or directly support or facilitate, payment transactions that store, process, or transmit clear-text account data.
Payment Software types
Secure Software Standard requirements are categorized into Core Requirements, Module A, and Module B.
The Core Requirements and Module A are applicable to all eligible payment software. Module B includes additional requirements for Terminal Software.
How can CBL Help?
Our Secure Software Assessors have vast experience in consulting on and validating a wide range of payment software.
The validation is based on the current threat landscape and ensures that the application development policy, process, and software security controls that you have are validated against the SSF Secure Software Standard control objectives.
We also offer continual support to perform annual validation and to maintain the changes to the validated payment software, ensuring that the latest version of your payment software stays SSF Secure Software Standard validated.
Crossbow Labs teams can conduct bespoke training on the implementation of and adherence to the PCI SSF standard. Trainers have years of experience in cybersecurity advisory for securing applications and will be able to impart the experiential knowledge required to quickly achieve the objectives of the PCI SSF standard.
PCI SOFTWARE SECURITY FAQs
The PCI Software Security Framework (SSF) consists of two standards: the Secure Software Standard (SSS) and the Secure SLC Standard (Secure SLC). These are two different and independent standards.
- The Secure Software Standard is applicable to payment software validation. The SSS defines the software security objectives for application security features, secure functionality, and sensitive data protection.
- The Secure SLC Standard is applicable to the secure software development processes of payment applications.
Currently, mobile payment applications that are designed and developed for use on consumer mobile devices are not eligible for Secure Software Standard validation. Examples of eligible and ineligible applications are given in the PCI Secure Software Standard program guide.
For both the SSF Secure Software validation listing and the Secure SLC Qualified vendor listing, the validity is 3 years.
An annual re-validation process to check for changes in the application or listing applies to both the Secure Software validation listing and the Secure SLC Qualified vendor listing.
Secure Software changes are categorized into High impact, Low impact, and Administrative changes.
High impact changes – Changes to the software architecture, source code, or components that handle or interact with Sensitive Data, Sensitive Functions, or Sensitive Resources fall under the High impact change category.
High Impact changes require the Payment Software to undergo a Full Software Assessment.
Low Impact changes – Changes to the software architecture, source code, or components that do not trigger the High impact change criteria fall under the Low impact change category.
Low Impact changes may be eligible for partial or Delta Assessment.
Administrative changes – Changes to the Payment Software name or the Vendor’s corporate entity name in the listing.