
PCI SSF

There are two standards that currently make up the Software Security Framework, the Secure SLC Standard and the Secure Software Standard.

Secure SLC Standard – Security of software lifecycle

  • Designed for Payment Software Vendors
  • Focused on software development processes and controls
  • Ideal for software vendors that develop multiple payment applications
  • Provides a way to independently maintain and update listings of new application versions

Secure Software Standard – Security of payment software

  • Certification for software that supports or facilitates payment transactions and that stores, processes, or transmits clear-text account data
  • Designed for commercially available products
  • Divided into core requirements and additional modules
  • Provides a way to show that your application is certified for and supports PCI DSS environments



What applications can be certified to PCI SSF (Module A):

What applications can be certified to PCI SSF (Module B):

  • Payment applications that operate on payment terminals (PCI PTS-certified Point-of-Interaction (POI) devices), and:
  • Applications on POI devices that have no access to cardholder data (Core requirements + Module B only)
  • Applications on POI devices that have access to cardholder data (Core requirements + Module A + Module B)


Managing Changes – Differences by change type:

Administrative Changes

If the vendor is a Secure SLC Qualified Vendor:

  • Vendor completes self-assessment and submits to PCI SSC
  • Vendor amends Listing accordingly

Note: Secure SLC Qualified Vendors are only allowed to update the List of Validated Payment Software for software developed using their PCI SSC-qualified software lifecycle management practices.

If the vendor is NOT a Secure SLC Qualified Vendor:

  • Vendor completes self-assessment and submits to PCI SSC
  • PCI SSC issues an invoice for the change fee
  • Vendor pays invoice
  • PCI SSC amends listing accordingly

Low Impact Changes

Low Impact changes are eligible for partial reassessment (Delta Assessment).

Low Impact changes do not affect the handling of sensitive data, sensitive functions, or sensitive resources.

If the vendor is a Secure SLC Qualified Vendor, then they perform a self-assessment and submit a Self-Attestation to PCI SSC for review. Then they may amend the List of Validated Payment Software.

If the Vendor of the software is not a Secure SLC Qualified Vendor, all updates to the software must be reviewed by a Secure Software Assessor to confirm the scope of the change.

High Impact Changes

All reviews and assessments must be performed by a Secure Software Assessor (full re-assessment of the software).