Attention Payment Application Developers: Begin Your Transition from the PA-DSS to the PCI SSF Today

Nick Trenc, Director, Payments – Solution Validation, Coalfire

The Payment Card Industry (PCI) Council plans to formally retire the Payment Application Data Security Standard (PA-DSS) in October 2022 and replace it with the PCI Software Security Framework (SSF). For vendors, the new framework expands program eligibility with improved support for evolving architectures / deployment models, streamlines the assessment process, and simplifies listing management. It also provides greater flexibility for meeting security requirements and modernizes the notion of application security for payment applications and the companies that develop them.

Today's software development requires objective-focused security to support flexible development and update cycles, which is a huge benefit of the new framework that will support both traditional and modern payment software. It's based on a new methodology for validating software security and a separate Secure Software Lifecycle (SLC) qualification for vendors with rigorous security development practices.

Coalfire is the first accredited firm to conduct assessments against the new framework and we’re geared up to help vendors prepare for both Secure SLC and Secure Software assessments. Adopting the SSF early on helps demonstrate your commitment to the highest level of payment data security for your merchant and acquirer customers..

Let’s look at the timeline, which can help you develop a transition plan.

Source: PCI SSC website  |   click to enlarge image

The first step is to check your payment applications’ expiration dates and develop a plan to evolve to the SSF. The PCI Security Standards Council (SSC) will continue to accept PA-DSS Full Validations until June 30, 2021. In addition, existing PA-DSS validated applications will remain on the Validated Payment Applications list until their expiration dates, providing that vendors continue to submit their annual revalidation forms and can submit Delta Assessments until the end of October 2022. At that time, PA-DSS-validated payment applications will be moved to the “Acceptable Only for Pre-Existing Deployments” tab on the Validated Payment Applications list, and the PA-DSS Program will close.

As Software Security Assessors, we can assist with advisory services as you begin the journey from PA-DSS to the SSF. We can help evaluate your development processes as part of a Secure SLC assessment or ensure your payment applications are aligned to the SSF.

The second step for existing PA-DSS vendors we will be to perform a specialized transition assessment to move your PA-DSS listing to the Secure Software Standard (SSS). Depending on the standard you choose to pursue, and after successful submission of a Secure SLC ROC or SSS ROV, the PCI SSC will list both Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website as resources for merchants.

Transitioning from the PA-DSS to the SSF may take time to adjust to the differences between the two programs, so we encourage you to reach out for help with developing a customized plan for the evolution.

For more information from the PCI SSC, please visit these links below:

PCI Security Standards Council Launches New Assessor Qualification Program to Support The PCI Software Security Framework

New Assessor Opportunity: PCI Software Security Framework

Understanding the PCI Software Security Framework: New Educational Resources

Nick Trenc


Nick Trenc — Director, Payments – Solution Validation, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS