PCI SSF Assessments; we are ready when you are! Call +1 (888) 896-7580 today.

The new PCI Software Security Framework (PCI SSF) is a collection of standards and programs for the secure design and development of payment software. While similar to the original PA DSS, this new standard was built to support both traditional software development practices and modern agile methodologies.

PCI SSF (Payment Card Industry Software Security Framework) is a security framework designed to help software vendors develop and distribute secure payment applications to their customers. PCI SSF provides a new approach to validating the security of traditional and future payment software and applications.

As a PCI SSF Qualified Security Assessor Company, Lazarus Alliance has been approved by the PCI Security Standards Council (SSC) to help you with any part of your PCI SSF compliance program.

Trustworthiness is vital to your customers. Demonstrate it with a Lazarus Alliance PCI SSF compliance assessment.

PCI SSF is focused on particular software security details. It was created with the understanding that software security should be addressed throughout the entire software development lifecycle -- not just at the end.

The framework consists of two standards:

  1. Secure Software Standard -- designed for traditional application testing. It is a revamped version of PA DSS, with modern requirements that support the latest technologies and a wide range of payment software types.
  2. Secure Software Lifecycle (Secure SLC) Standard -- an optional standard that focuses on implementing security concepts and activities throughout the entire software development lifecycle.

It’s important to note that these two components are mutually exclusive. While an organization may require an assessment of its payment applications, developed and distributed to its customers, through a Secure SLC assessment, it does not necessarily require a separate assessment of the entity’s software through an SSA assessment.

The Secure Software Life Cycle (SLC) Standard

The PCI Secure SLC Standard defines a baseline of security requirements with corresponding assessment procedures and guidance for building secure payment applications. The Secure SLC Standard will aid your organization in building the necessary processes to help meet the Secure Software Assessment (SSA). This component of the PCI SSF assessment includes Penetration Testing to ensure any vulnerabilities in your payment applications and infrastructure can be identified, giving you confidence that all critical data is protected.

Our auditors will perform both on-site and remote testing procedures outlined by the PCI Security Standards Council. Testing procedures include, but are not limited to, interviewing and observing company personnel, inspecting evidence, and testing the company’s controls to ensure compliance with the PCI SSF Secure SLC Standard. Completion results in:

  • Secure SLC Assessment Report on Compliance 
  • Secure SLC Attestation of Compliance
  • Secure SLC certifications are valid for three years

The Secure Software Assessment (SSA) 

The PCI Secure Software Assessment is related to the PCI Secure SLC standard but focuses on the payment software itself as opposed to only the security controls associated with the development of the software. The Secure Software Assessment is a modular system and includes variable certification elements for different types of products as it relates to the security of the payment software itself.

Our auditors will perform both on-site and remote testing procedures outlined by the PCI Security Standards Council. Testing procedures include, but are not limited to, interviewing company personnel; inspecting evidence, such as the company’s payment application development policies and procedures and related secure development records; observing company personnel; and testing the company’s payment applications to ensure compliance with the PCI SSF Secure Software Standard. Completion results in:

  • Secure Software Report on Validation (ROV)  
  • Secure Software Attestation of Validation (AOV) 

Just the facts ...

Provides your organization with inclusion in the Validated Payment Software registry and/or the Secure SLC-Qualified Vendor registry.

The SLC-certified vendor is authorized to self-attest to low-impact changes to its software without the need for re-validation by an assessor.

Helps reduce the risk associated with penalties and data breach complications.

Ensures better protection against security threats and adaptation to any changes in regulatory standards.



Our primary purpose is to help organizations attain, maintain, and demonstrate compliance and information security excellence – in any jurisdiction. Lazarus Alliance specializes in IT security, risk, privacy, governance, cyberspace law, compliance leadership, and solutions and is fully dedicated to global success in these disciplines.


We want to be your partner and PCI SSF assessor of choice. For additional information, call +1 (888) 896-7580.