PCI SSF validation

The PCI Software Security Framework (SSF) is a collection of two different and independent programs. The requirements, validation criteria, and PCI SSC listings are divided into two standards, both developed to secure the design and development of payment software.
The SSF currently comprises two separate standards:

  • The Secure Software Lifecycle Program (Secure SLC)

  • The Secure Software Standard (SSS or 3S)

PCI SSC will list the company, the products developed under these processes, and the product categories the vendor develops.
The PCI Secure Software assessment will result in a listing of the specific products that were validated.

SC2labs provides PCI SSF and PCI SSS validation services as a qualified PCI SSA and PCI SLCA Assessor certified by the PCI Security Standards Council.

The Secure Software Standard applies to software products that are involved in, or directly support or facilitate, payment transactions; that store, process, or transmit clear-text account data; and that are sold, distributed, or licensed to third parties.

Secure software core requirements:
Applicable to all software being certified to Secure Software Standard

Module A:
Applicable to software that processes clear-text cardholder data

Module B:
Designed and applicable to software that runs on PCI-PTS certified payment terminals

Module C:
Applicable to software with web-based interfaces

The Secure Software Standard (SSS) and the Secure Software Lifecycle (Secure SLC) Standard are both three-year programs that focus on different aspects of software security validation.
While Secure SLC validates the security controls and practices of software design and development, the SSS reviews the overall effectiveness of the security of the software itself. Vendors may be validated under Secure SLC and, separately, have the payment software they develop validated under the Secure Software Standard.
Secure SLC validation can simplify maintaining the validation of your payment software when making changes. If you are Secure SLC validated, you can make low-impact changes and submit the relevant documentation to the PCI SSC to update the software version listing, without paying fees. If you are not Secure SLC validated, low-impact changes must be reviewed by an assessor and the relevant documents must then be submitted to the PCI SSC.

Kickoff and Planning
The kickoff is considered the start of the engagement, after the agreement is executed. We will discuss the certification process, identify the point of contact in both organizations, agree timelines for the assessment, define a project roadmap, and plan the next steps.
Preparation Phase
In the preparation phase we offer a tailored support approach. It can consist of:
- SSF training / workshop - the SSF auditors dedicated to the project conduct the training at an early stage and explain all requirements of the SSF standards, which leads to a better understanding of the process and proper preparation for formal validation.
- SSF scoping - a crucial element: identifying the scope of the assessment, the complexity of the environment, and the inclusion of and dependency on any third party.
- Pre-Assessment or full Gap Assessment. The pre-assessment consists of interviews, documentation reviews, and a broad walk-through to identify gaps and provide recommendations. The Gap Analysis is a more detailed process: we conduct an "as-is" assessment of your organization to identify gaps in security controls, systems, documentation, and the environment against all PCI SSF compliance requirements. The Gap Analysis executive summary lists every identified discrepancy together with the recommended corrective actions.
- Remediation / Advisory Support. Advisory support for mitigating gaps and collecting software development evidence.
Formal validation
Once all controls are confirmed to be in place, the on-site assessment begins. It is the formal process in which accredited auditors check the company's in-scope processes and applications for compliance with the requirements of the SSF standards. Testing and evidence gathering are the core of the compliance engagement. The results of the on-site assessment are documented.

The report is provided within 3 weeks of the last day of successful completion (all required documents delivered and collected by the SSF auditor). The report is then sent to the PCI Council for review. After approval by the PCI Council, you receive a certificate issued by your Assessor, and PCI SSC lists the company on the PCI website.

Deliverables include:

  • Report on Compliance (RoC)

  • Report on Validation (RoV)

  • Attestation of Compliance (AoC)

  • Attestation of Validation (AoV)

  • Certificate of Compliance

Continual Support
After your successful certification, we provide continual support in the ongoing maintenance of your organization's compliance: we communicate and discuss changes to the security standards themselves, and explain and support you with emerging issues and questions.