PCI SSF Advisory Services


center for internet security

If you’re a payment software vendor, you’ll need to ensure payment software you sell complies with the PCI SSF standard. Payment software includes programs or apps that store, process, or transmit payment data. Payment data is the data created, captured, or exchanged for the explicit purpose of conducting an electronic payment transaction. If it meets those criteria, it must comply.

The PCI Security Standards Council (SSC) has developed several frameworks to ensure security across all payment infrastructure. The PCI Secure Software Framework (SSF) is applicable specifically to payment software and payment software vendors.

PCI SSF Advisory services help payment software vendors prepare for PCI SSF validation.

What is PCI SSF?

The PCI Software Security Framework is a comprehensive and widely-applicable set of regulations that enables security across programs and payment software that process payment data. It comprises two unique standards, the Secure Software Standard and Secure Software Lifecycle Standard (SLC), which govern the deployment and development of software, respectively.

These standards, and the PCI SSF as a whole, have replaced the Payment Application Data Security Standards (PA-DSS). They apply to all environments that the PA-DSS had applied to, as well as other environments that produce or incorporate payment software.

Why is PCI SSF Important?

The PCI Software Security Framework is critical because it protects payment software that is used to process payment data in daily operations while also ensuring safe conditions for its development.

PCI SSF compliance ensures end users that their payments and related payment data are being handled by payment software that has been tested and meets a consistent set of security standards, both in handling payment data securely, and by secure software design.

In practice, the PCI SSF is important because it provides greater security across a wider variety of environments in which payment data is processed—regardless of the infrastructure that is used.

Schedule A FREE Consultation

How PCI SSF Works

The PCI SSF enables security by vetting payment software vendors and their payment software development processes to verify they meet certain baseline requirements. To be assessed and listed, payment software developers and vendors work with a certified PCI SSF Assessor to assess their software and development methodologies per the requirements of either or both standards.

Prior to the assessment, organizations may opt to work with a PCI SSF Advisor on a readiness or gap assessment, as well as targeted remediation for any gaps identified.

The PCI SSF Standards

The PCI SSF comprises two programs: the Secure Software Standard and the Secure Software Lifecycle (Secure SLC) Standard. The former pertains to software deployment, whereas the latter pertains to software development. Each Program is made up of three parts:

  • Standards: Defined objectives within the standard
  • Validation Process: This includes a program guide and reporting templates
  • Listings: Verified payment software can be listed on the PCI SSC website

Note: Not all vendors with a Report on Validation (ROV) are listed on the PCI SSC website. Listing may be reserved for payment software that meets PCI SSC’s definition of a payment application.


The Secure Software Standard v1.2 was published in December 2022. It comprises 12 Core Control Objectives, distributed across four core functions. These break down as follows:

Minimizing the Attack Surface

  • Control Objective 1: Identifying critical assets
  • Control Objective 2: Securing default options
  • Control Objective 3: Retaining sensitive data

Software Protection Mechanisms

  • Control Objective 4: Protecting critical assets
  • Control Objective 5: Controlling authentication and access
  • Control Objective 6: Protecting all sensitive data
  • Control Objective 7: Using cryptographic controls

Secure Software Operations

  • Control Objective 8: Tracking activity
  • Control Objective 9: Detecting attacks

Secure Software Lifecycle Management

  • Control Objective 10: Managing threats and vulnerabilities
  • Control Objective 11: Maintaining secure software updates
  • Control Objective 12: Providing guidance for implementation

Additional requirements for account data, terminal, and web application management are listed across Modules A, B, and C, respectively. Module C is completely new, introduced with v1.2.

The Secure SLC Standard v1.1 was published in February 2021. It comprises 10 Control Objectives, likewise distributed across four primary functions. They break down as follows:

Software Security Governance

  • Control Objective 1: Defining responsibilities and resources
  • Control Objective 2: Implementing policies and strategies

Secure Software Engineering

  • Control Objective 3: Identifying and mitigating threats
  • Control Objective 4: Detecting and mitigating vulnerabilities

Secure Software and Data Management

  • Control Objective 5: Managing changes
  • Control Objective 6: Protecting integrity
  • Control Objective 7: Protecting sensitive data

Security Communications

  • Control Objective 8: Providing guidance for vendors
  • Control Objective 9: Communicating with stakeholders
  • Control Objective 10: Providing information about updates

Depending on your organization’s relationship to the payment software, it may need to comply with both the Secure Software and Secure SLC Standards.


Value and Benefits of Using PCI SSF Advisory Services

By partnering with a qualified PCI SSF Advisor, your organization will reap benefits like:

  • Gap assessment to scope out gaps in your payment software or development processes
  • Streamlined approach to payment application development
  • Risk reduction and mitigation
  • Training and education for impacted stakeholders
  • Preparation for SSF assessment to minimize actual assessment costs

These amount to greater security assurance and faster certification, often at lower overall security spend, allowing you to keep users of your apps safe and focus on your direct business objectives.

Our PCI SSF Advisory Services

Partnering with a PCI SSF Advisor is the best way to determine and minimize the scope of your PCI SSF compliance, identify gaps, and be prepared for the assessment process.

RSI Security’s PCI SSF Advisory Services include but are not limited to:

  • General PCI SSF scope review and scope reduction
  • Secure Software Standard gap analysis
  • Secure SLC gap analysis

Working with a PCI SSF Advisor will ensure your organization will be prepared to meet all PCI SSF requirements while minimizing overlap between its standards—and other applicable regulatory frameworks.


Why Businesses Need PCI SSF Compliance

Developers and vendors of payment software need to ensure that end users’ data is secure. Individual consumers and clients who rely on the payment software your organization has developed or deployed need to trust that their payment cards and personal information are safe. Likewise, organizations overseeing these transactions have legal and moral obligations to protect their consumers’ information. Your compliance may be required for their business.


Why Choose RSI Security for PCI SSF Advisory Services?

RSI Security has helped countless organizations comply with PCI SSF and other regulations for over a decade. We’re recognized by the PCI SSC as an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA), with extensive experience with the PCI DSS and PA-DSS, the precursor to the PCI SSF’s standards. Our specialists will work with your team to ensure all requirements are met, providing around-the-clock communication and serving your organization until the job is done. In short, we’ll help you rethink your PCI compliance.

Request a FREE Consultation

PCI Software Security Framework (SSF) Advisory FAQs:

The PCI SSF comprises two standards, the Secure Software Standard and the Secure Software Lifecycle (Secure SLC) Standard. The Secure Software Standard applies primarily to payment software vendors and comprises 12 Core Control Objectives, along with other Modules. The Secure SLC Standard applies primarily to payment software developers and comprises 10 Control Objectives.

The PCI SSF is intended to be more comprehensive and widely applicable than the PA-DSS, which it replaces. The biggest difference between them is that the PA-DSS was built from the PCI DSS, whereas the PCI SSF was developed from the ground up with a focus on application security and application development.

If your payment software is intended to be deployed in a cardholder data (CHD) environment, it may be assessed with the PCI SSF standard. The same eligibility requirements for PA-DSS software will apply with respect to listing. But, in terms of assessments, the new modules of PCI SSF will only increase the scope of which applications are eligible.

If your organization develops payment software, the Secure SLC Standard likely applies to you.

If you engage in both development and deployment of payment software, you may need to comply with both standards of the PCI SSF, the Secure Software and Secure SLC Standards


Organizations that trust RSI Security

Screenshot 2023-10-13 142906