PA-DSS to Software Security Framework: What You Need to Know

Bhavna Sondhi, Senior Consultant, Commercial Services, Coalfire

The Payment Application Data Security Standard (PA-DSS) developed by the Payment Card Industry Security Standards Council (PCI SSC) applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data. The list of various payment applications that are currently validated for software vendors is located on the PCI SSC Website.

Even though the PA-DSS program is coming to an end (PA-DSS submissions acceptance comes to an end mid-2020 and PA-DSS 3.2 listings expire in 2022), it doesn’t mean payment application security within the PCI DSS environment will suffer. PCI SSC announced the Software Security Framework release in Jan 2019. The new framework takes a unique approach to support both traditional and modern payment software including cloud and mobile platforms. The framework was developed to allow for validation of both modern as well as traditional payment software and uses an “objective-based” approach to confirm applications security and development practices. The new framework requires granular review through evidence collection, observation, and interviews for the various control objectives defined within the two standards listed below, which have been released.

  1. Secure Software Standard: This standard was designed to ensure that payment software protects the integrity and confidentiality of payment transactions and data. The intent of the Secure Software Standard is similar to PA-DSS, which confirms how the software protects payment data. The new Secure Software Standard offers a progressive approach providing additional alternatives to demonstrate secure software practices.

    If a software vendor plans to undergo this assessment, full assessments as well as interim or “Delta” assessments will be required.
  2. Secure Software Life Cycle (Secure SLC) Standard: This standard was developed to determine whether a vendor is properly managing the security of their payment software throughout the entire software lifecycle. It can help demonstrate that the software’s security concepts are mature and that the processes and methodologies leveraged produce secure software.

    Secure SLC assessments are optional; however, validation of the software lifecycle process and listing on the PCI SSC portal assures entities planning to utilize software vendors’ payment applications within PCI DSS environments or for any other compliance framework. Secure SLC assessments have a three-year validity period; vendors must re-validate every three years to be listed as an SSLC-qualified software vendor.

    Note: These standards can apply to applications beyond just payments software (which store, process, or transmit clear text cardholder data by itself). They can be leveraged to validate other applications that are a part of the payment software suite but do not store, process, or transmit payments data as a part of their own functionality.

Payment software validated to the PCI Secure Software Standard can be used to support the security posture of an organization’s cardholder data environment but does not make it PCI DSS compliant. This is similar to how PA-DSS applications are reviewed within a PCI DSS environment. Qualified Security Assessors (QSAs) still need to ensure software is configured appropriately and that it meets applicable PCI DSS requirements.

Although the control objectives align with the PA-DSS standards, the new standards require payment software vendors to develop a robust risk management strategy that helps provide sufficient evidence to support risk-based decision making.

Impact to your organization and transition

Currently listed PA-DSS applications will remain in effect under the PA-DSS programs until the applications reach their expiration date (for PA-DSS 3.2, the expiration date for payment applications is 2022). However, new PA-DSS submissions will not be accepted starting mid-2020. Admin or low-impact changes can still be submitted for currently valid applications until their expiration date has been reached. When the expiration date for applications is met, all PA-DSS validated payment applications will be moved over to the “Acceptable Only for Pre-Existing Deployments” tab on the PCI SSC website.

PCI SSC is working toward providing a transition plan for migration of current PA-DSS applications to the new security framework validation program.

Coalfire was one of the contributing organizations to provide feedback for the PCI Software Security Framework. As a respected PCI-QSA and PA-QSA company, we would be happy to get the discussion started to help you transition to the new framework.

Bhavna Sondhi


Bhavna Sondhi — Senior Consultant, Commercial Services, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS