The Software Security Framework (SSF) is a security standard introduced by the Payment Card Industry Security Standards Council (PCI SSC) in 2019. It replaces the older Payment Application Data Security Standard (PA-DSS), which PCI SSC retired in October 2022, and is designed to provide a more flexible and comprehensive approach to securing payment software as payment technology and delivery models evolve.
The SSF consists of two key components:
- Secure Software Standard (SSS): This defines the security attributes that the payment software itself must possess, such as secure authentication and access control, correct use of cryptography to protect sensitive data, and logging and attack detection.
- Secure Software Lifecycle (Secure SLC) Standard: This covers the vendor's development process rather than the software product, requiring secure practices (threat modeling, secure design and testing, vulnerability management, change control) throughout the software development lifecycle, helping maintain the software's security as it changes over time.
The SSF applies to a broader range of software types than PA-DSS did, including software used for fraud detection and cardholder authentication. Where PA-DSS imposed rigid, prescriptive requirements, the SSF is objective-based: it states what secure payment software must achieve and lets vendors choose how to meet each objective, giving them more flexibility in achieving compliance. A practical consequence is that a vendor qualified under the Secure SLC Standard may self-attest low-impact changes to its validated software rather than returning to an assessor for every update.