EFTlab achieves PCI SSF Certification: Explaining its significance


We're excited to announce that EFTlab has achieved compliance with the PCI DSS - Secure Software Standard v1.1. We're now proudly listed on PCI Security Standards, having transitioned from the old PA DSS program.

The PCI Software Security Framework (SSF) is designed to boost software security within the payments sector. It combines the Secure Software Standard—which details necessary security features for payment software—and the Secure Software Lifecycle (Secure SLC) Standard—which defines security processes for secure software development. Importantly, the SSF replaces the PCI Payment Application Data Security Standard (PA-DSS).

Why Did PA-DSS Retire?:

PA-DSS, groundbreaking in its inception, set the foundation for software security in the payment industry, serving for over a decade. However, the evolving needs of the industry required an updated approach to address modern software architectures, methodologies, and to fortify defenses against growing software threats.

While PA-DSS aimed to facilitate PCI DSS compliance for payment applications within a cardholder data environment, the SSF offers broader coverage. It addresses a wider range of security subjects, applies to payment software and its vendors, and remains relevant regardless of the environment where the software is implemented.

Benefits of PCI SSF over PA-DSS:

The SSF enhances many concepts from PA-DSS, providing software vendors and assessors with a more adaptable and efficient security validation approach. Unlike the PA-DSS—which only validated software involved in payment authorization—the SSF validates software performing additional functions, such as fraud monitoring or cardholder authentication.

By segregating software requirements from vendor requirements, the SSF allows vendors to showcase strong software security practices even if their software doesn't qualify under the Secure Software Standard.

For optimal security assurance, the PCI SSC advises software vendors to validate both their software development lifecycle (SDLC) practices and payment software as per the SSF standards. This ensures the software's security at validation and throughout its lifecycle. Additionally, the SSF facilitates a streamlined listing management process, enabling qualified vendors to update their payment software listings faster than under PA-DSS.

For a deeper dive into the benefits and other related information, you can check the Program Guides in the Software Security section of the PCI SSC Document Library.