The era of PA-DSS is ending.

In 2019, PCI Security Standards Council (PCI SSC) released the PCI Software Security Framework (SSF) – a collection of standards and programs for the secure design and development of payment software.

The SSF replaces the Payment Application Data Security Standard (PA-DSS) with modern requirements that support a broader array of payment software types, technologies, and development methodologies.

SSF introduces a modular approach to the application compliance, where every application in scope should be assessed against core standard requirements and those SSF modules that apply to that software. Therefore, SSF provides extra flexibility for software developers to incorporate payment application security with current industry-accepted SDLC practices and frequent update cycles.

A transition period has been defined and existing PA-DSS listed applications will remain PA-DSS validated status until October 2022. After this date, all applications validated against PA-DSS will go to “Valid for pre-existing deployments only” or will completely disappear from the listing.

In October 2019, the SSF assessor company application process has started; training for SSF assessors will start very soon, so we may expect the first validations against SSF to happen in early 2020.

Secure Software Standard


The Secure Software Standard provides security requirements for building secure payment software to protect the integrity and the confidentiality of sensitive Account Data that is stored, processed, or transmitted in relation to payment transactions. It is intended for vendors that develop payment software that supports or facilitates payment transactions. Similarly to PCI DSS v4.0, Secure Software Standard is based on Control Objectives, which give a vendor extra flexibility while achieving compliance with the standard – Control Objective approach is a great step ahead in comparison to PA-DSS.

Secure Software Lifecycle (Secure SLC) Standard

The Secure SLC Standard provides security requirements for payment software vendors to integrate information security throughout the entire software lifecycle, which results in software that is secure by design and able to withstand attacks. It is intended for vendors that are developing payment software that supports or facilitates payment transactions.

Important note: vendors of Validated Payment Software are not required to be Secure SLC Qualified Vendors in order to submit their Payment Software for Secure Software Assessment.

What does SSF introduction mean for the software vendors?

1. Software vendors that are validated against the Secure Software Lifecycle (Secure SLC) Standard are allowed to validate low impact changes to their applications and perform delta assessment themselves, without dealing with the QSA companies. The results of the delta assessments may be submitted to PCI SSC directly by the vendors, eliminating extra expenses.

2. The eligibility criteria for Secure Software Standard is wider than it used to be in PA-DSS. In addition to the applications that facilitate authorization and/or settlement, SSF also covers the payment applications that are involved in or directly supporting or facilitating payment transactions that store, process, or transmit clear-text account data. This enables fraud monitoring and prevention software or card personalization applications, for example, to be eligible for SSF validation.

3. Mobile payment applications running on a multi-purpose mobile device are still out of SSF scope. However, this may change as soon as new modules are added to the PCI Secure Software Standard.

4. The Secure Software Lifecycle (Secure SLC) Standard is a first-ever PCI standard that is intended to validate not the payment application produced by a vendor, but the vendor itself, its processes and methodologies. It really brings a great opportunity for software vendors that offer outsourced development services to demonstrate the maturity of their secure software development processes and compete against established players, offering a bigger and better choice to the players in the payment ecosystem.

Our experts are always up to date when it comes to new information security standards. Contact us if you need help or consultation to improve your cybersecurity posture.

Oleg Aksyonenko

Written by Oleg Aksyonenko

I am a Managing Consultant at Advantio.

During my 18-year IT career, I have been lucky to work with the United Nations for over three years on a field mission as well as spend ten years focused on project management, information security, capacity planning, disaster recovery and businesses continuity.

In Advantio I apply my well-developed analytical, troubleshooting and problem-solving skills. I also can draw on my background in data processing, network and systems architecture as well as IT security.

My certifications include: CISA, PCI QSA, PA-QSA, QSA (P2PE), PA-QSA (P2PE), 3DS Assessor.