PCI SSLC Services
Prepare for PCI Secure SLC Validation Efficiently
What is PCI SSLC?
The Payment Card Industry (PCI) Security Standards Council (SSC) governs regulations that ensure payment applications and related software are secure. That includes security throughout the development process, which is the focus of the PCI Secure Software Lifecycle (PCI Secure SLC/SSLC) framework.
The SSLC applies to organizations involved in the initial development and/or the ongoing deployment of payment infrastructure. It requires installing, maintaining, and then assessing a rigorous set of controls to keep all SLC processes secure. These are distinct from other PCI-required controls, such as the Data Security Standard (DSS), which might apply simultaneously. And they require a high degree of commitment to security monitoring and governance across your organization.
To help meet these requirements, and minimize the amount of overlap with other compliance needs, many organizations work with third-party PCI SSLC consultants.
Schedule A FREE Consultation
Why Do You Need PCI SSLC Compliance?
The SSLC, released in 2019 and updated to v1.1 in 2021, is one part of the PCI’s Software Security Framework (SSF). The SSLC framework allows eligible developers and vendors to take back their change and release management processes. Once eligible parties complete SSLC assessment and listing, they no longer required assessments for their delta changes. The release process and timing are within their control, rather than dependent on the assessment schedule or potentially delayed listing by the PCI Council.
What Are the Benefits of PCI SSLC Services?
PCI SSLC firms help organizations prepare for, achieve, and maintain PCI SSLC compliance efficiently. There are three primary service areas they offer to organizations seeking validation:
PCI Secure SLC Assessments
To achieve validation, eligible organizations must contact a PCI-approved Secure Software Lifecycle Assessor (SSLCA) to conduct a validation audit. The assessor will inspect all in-scope hardware, software, and systems within the software development lifecycle and environment to determine if and to what extent the required controls are in place and functioning as expected.
Once the assessor has determined that all systems, practices, and processes meet the SSLC Control Objectives, they will generate a Report on Validation (ROV) and Attestation of Validation (AOV). The ROV contains comprehensive details about the specific environment assessed, the methods and findings of the assessment, and additional observations. The AOV, signed by both the assessor and the organization, certifies that the details within the ROV are accurate. Both documents are submitted to the SSC, which then verifies the results and lists the Vendor as a Secure SLC-Qualified Software vendor under the list of qualified solutions.
PCI SLC Control Objectives
As with most compliance frameworks, the PCI SSLC prescribes a suite of security controls that need to be implemented and assessed per the SSC’s specifications, detailed across SSLC v1.1.
The 10 Control Objectives are distributed across four categories, as follows:
- Software Security Governance Requirements
- Control Objective 1: Security Responsibility and Resources
- Control Objective 2: Software Security Policy and Strategy
- Secure Software Engineering Requirements
- Control Objective 3: Threat Identification and Mitigation
- Control Objective 4: Vulnerability Detection and Mitigation
- Secure Software and Data Management Requirements
- Control Objective 5: Change Management
- Control Objective 6: Software Integrity Protection
- Control Objective 7: Sensitive Data Protection
- Security Communications Requirements
- Control Objective 8: Software Vendor Implementation Guidance
- Control Objective 9: Stakeholder Communications
- Control Objective 10: Software Update Information
These Control Objectives all break down further into specific controls (i.e., Control Objective 1.1, 1.2, etc.) along with Test Requirements (i.e., 1.2.a, 1.2.b) and Guidance for implementation.
PCI Secure SLC vs PCI Secure Software
The SSLC is one part of the PCI’s new SSF program, which replaced the PA-DSS. The other framework is the Secure Software Standard, which applies more specifically to the payment software itself and the methods by which it is deployed in relationships between third-party vendors and adopter organizations (including in the “as a service” model). It does not apply to apps and software developed in-house. In addition, the Secure Software Standard and the SSLC may both apply to a given organization, depending on its service provider relationships.
The Secure Software Standard also requires deploying a set of controls, including 12 baseline Control Objectives and three modules of additional requirements for specific software service arrangements. These are also assessed by a qualified assessor, leading to a ROV and AOV.
NOTE: SSLC Controls are similar to the Secure Software Standard’s and DSS’s. Organizations subject to all three frameworks must validate for each separately.
WORK WITH US
Why Choose RSI Security?
RSI Security has helped countless organizations across every industry achieve and maintain PCI compliance. Our expert advisors and assessors leverage their experience of the PA-DSS to facilitate transitions from that framework to either or both parts of the SSF. We also help newer organizations prepare for and navigate their initial SSLC and other compliance processes. We believe that the right way is the only way to approach compliance, for PCI and all regulatory contexts. We’ll help you rethink your cybersecurity to get and stay certified efficiently.