Advantio joins the Elite List of PCI SSF Assessors

We are delighted to announce that Advantio has been listed as a Payment Card Industry – Software Security Framework (PCI SSF) Assessor company by the PCI Security Standards Council. Advantio joins an elite list of PCI SSF service providers with only 24 other companies in the world who hold this certification. 

What is PCI SSF?

Instances of data breaches and cybersecurity threats are increasing with every passing year. It is more critical than ever to safeguard payment transactions, by ensuring the software that is processing and transmitting your data is secure. Modern software development practices require ‘objective-focused security’ to support nimble development and frequent update cycles.

PCI Software Security Framework (SSF) provides vendors with security standards for developing and maintaining payment software to protect data as well as payment transactions. The new framework will also help improve transparency and consistency in testing payment applications to defend against data breaches and minimise vulnerabilities.

By June 2021 PCI SSF will replace all PA-DSS (Payment Application – Data Security Standard) certifications. This means companies will no longer be able to submit a new application for PA-DSS.

What is the future of PA-DSS?

Payment Application – Data Security Standard (PA-DSS) was designed specifically for payment applications used in a Payment Card Industry- Data Security Standard (PCI-DSS) environment. The PCI Software Security Framework extends beyond this function to address the overall resiliency of your software security.

The PCI Software Security Framework has been designed to support a broader array of payment software types, technologies, and development methodologies and support future technologies and use cases.

It is also worth noting that all PA-DSS validated applications will continue being supported till the end of October 2022. All existing PA-DSS validated applications will remain on the ‘List of Validated Payment Applications’ until their expiry dates.

How do you become PCI SSF certified?

The initial step requires validation as per the ‘Secure SLC Standard’. This is a crucial step as it validates that the software vendor has a mature secure software lifecycle management practice in place. This ensures software is capable enough to protect payment transactions and data. It also minimises vulnerabilities and protects against brutal cyber-attacks.

After being successfully evaluated by a ‘Secure SLC Assessor’ software vendors are recognised on the PCI SSC list of ‘Secure SLC Qualified Vendors’. This allows vendors to self-attest to delta changes for their products that are listed as ‘Validated Payment Software’ under the ‘Secure Software Program.’

A ‘Secure Software Standard’ validation demonstrates that the payment software product is designed, engineered, developed, and maintained in a manner that protects payment transactions and data. Validations against the ‘Secure Software Standard’ have a 3-year expiration.

Finally, after being successfully evaluated by a Secure Software Assessor, the validated payment software is recognised by PCI SSC on their list of Validated Payment Software.

Summary

Transitioning from PA-DSS to the PCI Software Security Framework (SSF) may take some software vendors time to adjust to the differences between the two programs. However, software vendors are encouraged to continue to submit changes to currently validated applications via the PA-DSS program. Additionally, software vendors who have initiated PA- DSS assessments for new payment applications are encouraged to complete those assessments under the PA-DSS program.

As the new year approaches and further information is published by PCI Security Standards Council, Advantio looks forward to solving all your PCI SSF requirements ‘on-time’ and ‘on-budget’.