Moving Your Business from PCI PA-DSS to PCI SSF

PCI PA-DSS is being replaced in 2022. Learn more about PCI SSF, who it's for, and how to make the switch.

30 June 2022

What you need to know about PCI SSF

  • In October 2022, the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS) v3.2 expires, to be replaced by the PCI Software Security Framework (SSF).
  • June 2021 marked the deadline for acceptance of any new PCI PA-DSS submissions. As of publication, these submissions are closed.
  • Learn why it makes sense to transition before your PCI PA-DSS certification expires, and how to take the next steps towards moving to PCI SSF.

A PCI SSF Refresher

The PCI Software Security Council (SSC) created the Software Security Framework (SSF) as an evolution, rather than an update, of the Payment Application Data Security Standard (PA-DSS).

The new framework takes a modernized, objective-based approach to Payment Card Industry (PCI) cyber security, using modules that allow for the assessment of software development practices and products. The new modular structure is a departure from PA-DSS, which necessitated that businesses provide extensive evidence and documentation for an inflexible list of PCI DSS requirements.

Moving from requirements to objectives as the basis for cyber security allows a more descriptive, rather than prescriptive, assessment of payment applications, and gives a clearer picture of how and why security controls and configurations are used to meet the intent of those controls.

However, moving from prescriptive to descriptive comes with a unique set of challenges.


What are the PCI SSF modules, and how do they translate from PA-DSS?

PA-DSS vendors have operated under two PCI DSS standards: one for payment software, and one for a vendor's software development lifecycle.

While PCI SSF will eventually comprise more than two standards, each with its own distinct and evolving process, two modules exist today that translate most directly from PA-DSS.

First, there's the Secure Software Lifecycle (SLC) standard, which sets a common set of requirements for software development businesses. Second, the Secure Software Standard (SSS) is a set of core requirements plus a module specific to applications that store, process, or transmit cardholder data.

When should my business transition from PCI PA-DSS to PCI SSF?

The short answer is: if your business will transition from PCI PA-DSS to PCI SSF, there are more reasons to do so sooner rather than later.

1. The impact of PCI SSF is profound, and so is the amount of time and effort behind the transition.

Assuming that you already operate under PA-DSS and have all of your ducks in a row for PCI SSF, there are several variables to consider at the pre-assessment phase. First, moving from a requirement-based approach to an objective-based one means a lot of time will be spent expanding and altering existing work. There's also the decision of whether to test against one or both of the SSF standards, and against the upcoming modules.

If, on the other hand, you haven't done PCI PA-DSS and intend to become SSF-certified, there's an intensive internal education element to consider.

2. Without a PCI SSF pre-assessment with a certified Qualified Security Assessor (QSA), the answers to most of your questions will be, "It depends."

The changes that the SSC made through PCI SSF are massive, but their full impact is difficult to explain on a quick prospecting call. This is because the new objective-based requirements are qualitative and are measured against each control's intent. Even the process of choosing which modules are relevant to your business requires extensive questionnaires and work to be completed by a QSA.

That also means the PCI SSF journey will differ for every vendor and every application (especially if a vendor has multiple applications), and each engagement may have a vastly different budget.

3. The costs of not transitioning will increase as the October 2022 deadline nears.

There are several reasons for this. Primarily, demand for QSAs will rise and their availability will shrink as October 2022 approaches, when all PA-DSS listings expire.

On the other hand, an SSF certification, despite the effort needed up front, lasts three years before requiring renewal. Weighing that three-year validity against the shrinking window before the deadline makes clear how urgent it is to start the transition.

Still have questions?

To get a more tailored perspective on how to transition to PCI SSF, reach out to a certified PCI expert.