Sep 14, 2020

The Migration From PA-DSS to SSF: Everything You Need to Know

By Hope Goslin

Technology is constantly changing and advancing. Payment platforms are no exception. As these new platforms emerge, the software supporting the platform must be reliable and secure. Without secure payment platforms, payment transactions and data could be compromised.

The PCI Software Security Framework (SSF) sets standards and requirements for both traditional and modern payment software. The security standards, aimed at vendors, are in place to protect payment transactions and data, minimize vulnerabilities, and defend against cyberattacks.

To ensure that vendors are following the standards, Software Security Framework Assessors (SSF Assessors) perform evaluations of the payment software products against the Secure Software Lifecycle (Secure SLC) and Secure Software Standards. The Secure SLC provides security requirements for payment software vendors to integrate security throughout the software development lifecycle. The Secure Software Standard provides security requirements for building secure payment software that protects the confidential data stored, processed, or transmitted using payment transactions. Following the evaluations, the PCI Software Security Council (SSC) lists both Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website for merchants to reference.

The SSF encompasses the same requirements as the Payment Application Data Security Standard (PA-DSS) – such as software development and lifecycle management principles for security in traditional payment software – but at a broader scale. SSF not only validates traditional payment software but also provides a methodology and approach for evaluating modern and future payment software. The methodology for new and future payment software encourages nimble development, developer training and secure coding practices, and the integration and automation of security into the software development lifecycle.

Since separate standards for PA-DSS are no longer necessary, the PCI SSC will retire PA-DSS at the end of October 2022. To help you prepare for the transition from PA-DSS to SSF, here are some need-to-know facts listed on the PCI webpage:

  • Existing PA-DSS validated applications will remain on the List of Validated Payment Applications until their expiry dates. At the end of October 2022, PCI SSC will move PA-DSS validated payment applications to the “Acceptable Only for Pre-Existing Deployments” tab. 
  • You can submit new payment applications for PA-DSS validation until June 30, 2021.
  • PCI SSC now lists both Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website.
  • PCI will recognize payment software that meets the Secure Software Standard on the PCI SSC List of Validated Payment Software, which will supersede the current List of Validated Payment Applications at the end of October 2022.

If you are a PA-DSS validated vendor – or not yet validated by PCI – and need help meeting the new SSF requirements, Veracode can help. A good place to start is our three-tiered Veracode Verified™ program, which offers a proven roadmap to a mature and comprehensive AppSec program and includes many elements required for compliance with security regulations, including PCI SSF.

Check out our Veracode Verified webpage to learn more about the program.


Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.