Document Comparison
FAQs-for-PCI-Software-Security-Framework-v1_0.pdf
→
FAQs-for-PCI-Software-Security-Framework-v2.pdf
65% similar
Pages: 7 → 10
Words: 2491 → 3641

Content Changes
24 content changes. 10 administrative changes (dates, page numbers) hidden.
Added
p. 3
Q3 What is a Software Security Framework (SSF) Assessor Company? A SSF Assessor Companies are qualified by PCI SSC to perform assessments to the Secure Software Standard, the Secure SLC Standard or both. The SSF Assessor Company List on PCI SSC’s website indicates whether a company is qualified as a Secure Software Assessor Company and/or as a Secure SLC Assessor Company.
Added
p. 4
Q6 What is the process for evaluating software to the Secure Software Standard? A Software vendors initiate the process by selecting a company qualified to perform Secure Software assessments from the PCI SSC’s list of SSF Assessor Companies on the PCI SSC website, and negotiating any costs and agreements necessary to perform the assessment directly with the assessor company. Then the software vendor and the assessor company determine the scope of the assessment (i.e., what aspects of the payment software should be assessed), including identifying all applicable requirements and materials necessary to effectively perform the assessment. Once scope has been determined and all necessary materials and evidence have been collected, the assessor begins the software evaluation.
Q7 Who is qualified to perform assessments to the Secure Software Standard? A Secure Software Assessor Companies and their employees. Secure Software Assessor Companies are independent security organizations that have been qualified by PCI SSC …
Added
p. 8
6. Assessor Qualification
Added
p. 9
Q25 Is there a pre-requisite requirement to be a QSA or PA-QSA Company before becoming an SSF Assessor Company? A No, companies do not need to participate in the QSA or PA-QSA programs before becoming an SSF Assessor Company. However, companies which do participate in the QSA or PA-QSA programs may benefit from reduced training requirements for their assessor employees who wish to be qualified to perform assessments under the PCI Software Security Framework.
Q26 What are the criteria for becoming a Secure SLC Assessor? A QSAs and PA-QSAs who wish to become Secure SLC Assessors are required to complete computer-based training and successfully pass the appropriate exam.
Other individuals who wish to become Secure SLC Assessors (that is, individuals who do not hold QSA or PA-QSA status) are required to attend instructor-led training and successfully pass the associated exams.
In addition to the training and exam requirements, all individuals and companies must meet the requirements …
Added
p. 10
Q30 What fees are associated with becoming an SSF Assessor? A Fees for becoming qualified as an SSF Assessor are provided on the PCI SSC website.
Removed
p. 3
Validation to the Secure Software Standard is not intended for software applications developed in-house for the sole use of the company that developed the application, nor is it intended for software applications developed and sold to a single customer for the sole use of that customer. Even though in-house or custom payment software is not intended for validation, organizations designing and developing such software are encouraged to follow the principles and objectives in the Secure Software Standard.
Modified
p. 3
• Secure Software Lifecycle (SLC) Standard
• Secure Software Lifecycle (Secure SLC) Standard
Modified
p. 3
Q2 When is the Validation Program for the PCI Secure Software Framework expected to launch? A All program-related materials for the PCI Software Security Framework (including the Program Guide, Assessor Qualification Requirements, reporting templates, etc.) are scheduled for publication in mid-2019.
Q2 When is the Validation Program for the PCI Secure Software Framework expected to launch? A Initial program materials for the PCI Software Security Framework (including Program Guides and Assessor Qualification Requirements) were published in June 2019. Companies wishing to become a Software Security Framework (SSF) Assessor Company will be able to submit applications beginning October 2019 and assessor training will be available shortly afterwards. See Section 6 for further information on Assessor Qualification.
Modified
p. 3
Q4 What is the Secure Software Standard? A The Secure Software Standard defines a set of security requirements and associated test procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data.
Modified
p. 3
The Secure Software Standard includes a set of “core” requirements that apply to all types of payment software submitted for validation under the PCI Software Security Framework, regardless of the software’s functionality or underlying technology. The initial release of the Secure Software Standard also includes an account data protection “module” that applies to software that stores, processes, or transmits account data. Requirement modules are a collection of requirements to address a specific software type, use case, or technology. Where payment …
The Secure Software Standard includes a set of “core” requirements that apply to all types of payment software submitted for validation under the PCI Software Security Framework, regardless of the software’s functionality or underlying technology. The initial release of the Secure Software Standard also includes an account data protection “module” that applies to software that stores, processes, or transmits account data. Modules are a collection of requirements to address a specific software type, use case, or technology. Where payment software …
Modified
p. 3
Q5 To whom does the Secure Software Standard apply? A The Secure Software Standard is intended for payment software that is sold, distributed, or licensed to third parties. This includes payment software intended to be installed on customer systems as well as payment software deployed to customers ”as a service” over the Internet.
Removed
p. 4
Q5 What is the process for evaluating software to the Secure Software Standard? A Software vendors initiate the process by selecting a PCI-qualified assessor company from the PCI SSC’s list of qualified assessors on the PCI SSC website, and negotiating any costs and agreements necessary to perform the assessment directly with the assessor company. Then the software vendor and the assessor company determine the scope of the assessment (i.e., what aspects of the software should be assessed), including identifying all applicable requirements and materials necessary to effectively perform the assessment. Once scope has been determined and all necessary materials and evidence have been collected, the assessor begins the software evaluation.
Q6 Who will be qualified to perform assessments to the Secure Software Standard? A PCI-qualified Secure Software Assessor Companies and their employees. PCI Secure Software Assessor (SSA) Companies are independent security organizations that have been qualified by PCI SSC to validate …
Modified
p. 4
Payment software evaluation includes analyzing all security functions, features, and capabilities provided by the software to determine whether the software complies with all applicable requirements within the Secure Software Standard. If the assessor determines that the software has met all applicable requirements, the assessor then prepares a corresponding Report on Validation (ROV) which details all of the requirements tested, the tests performed and their results, and any other opinions or conclusions the assessor may have. Additionally, the assessor shall also …
Modified
p. 4
Q8 Does PCI SSC provide a list of payment software that is validated to the PCI Secure Software Standard? A Yes. Upon successful validation to the Secure Software Standard, payment software is added to the List of Validated Payment Software on the PCI SSC website.
Modified
p. 5 → 6
Q13 To whom does the Secure SLC Standard apply? A The Secure SLC Standard is intended for software vendors that develop software for the payments industry. Software vendors who have their software lifecycle management practices validated will be recognized on the PCI SSC’s List of Secure SLC Qualified Vendors. Additionally, Secure SLC Qualified Vendors will be empowered to perform and self-attest to their own software “delta” assessments (as part of validation of their payment software products to the Secure Software Standard) …
Modified
p. 5 → 6
Q14 What is the relationship between the Secure Software Standard and the Secure SLC Standard? A The Secure Software Standard and Secure SLC Standard are two separate, independent standards. While both standards address some of the same concepts, each standard approaches those concepts from a different perspective (i.e., secure software development processes in the Secure SLC Standard, secure functionality and security features in the Secure Software Standard). Additionally, validation to one standard does not imply or result in validation to …
Modified
p. 5 → 6
Q15 What is the process for Secure SLC Qualification? A Similar to Secure Software validation, Secure SLC qualification is initiated by the software vendor by selecting a company qualified to perform Secure SLC Assessments from the PCI SSC’s list of SSF Assessor Companies on the PCI SSC website, and negotiating any costs and agreements necessary to perform the assessment directly with the assessor company. Then the software vendor and the assessor company determine the scope of the assessment (i.e., what …
Modified
p. 5 → 6
The SSLC assessment involves evaluating the vendor’s secure software lifecycle management practices to determine whether the vendor complies with all applicable requirements within the Secure Software Lifecycle Standard. If the assessor determines that the vendor has met all applicable SSLC requirements, the assessor then prepares a corresponding Report on Validation (ROV) which details all of the requirements tested, the tests performed and their results, and any other opinions or conclusions the assessor may have. Additionally, the assessor shall also prepare …
The Secure SLC Assessment involves evaluating the vendor’s secure software lifecycle management practices to determine whether the vendor complies with all applicable requirements within the Secure SLC Standard. If the assessor determines that the vendor has met all applicable Secure SLC requirements, the assessor then prepares a corresponding Report on Compliance (ROC) which details all of the requirements tested, the tests performed and their results, and any other opinions or conclusions the assessor may have. Additionally, the assessor shall also …
Removed
p. 6
Q12 Who is qualified to perform SSLC assessments? A PCI-qualified Secure Software Lifecycle Assessor Companies and their employees. PCI Secure Software Lifecycle Assessor (SSLCA) Companies are independent security organizations that have been qualified by PCI SSC to validate software vendor adherence to the Secure Software Lifecycle Standard. Secure Software Lifecycle Assessors are employees of SSLCA Companies that have satisfied and continue to satisfy all requirements of the SSLCA program.
Ultimately PA-DSS and its validation program will be incorporated into the PCI Software Security Framework. A gradual transition path will be implemented to ensure continued support for PA-DSS applications until transition is complete. See Section 5, “PA-DSS Transition” for more information on the transition from PA-DSS to the PCI Software Security Framework.
Modified
p. 6 → 7
Q17 Does PCI SSC provide a list of payment software vendors who are validated to the Secure SLC Standard? A Yes. Upon successful validation to the Secure SLC Standard, software vendors are added to the List of Secure SLC Qualified Vendors on the PCI SSC website.
Modified
p. 6 → 7
Q18 What is the relationship between the PCI Software Security Framework and PA-DSS? A The PCI Software Security Framework is separate and independent from PA-DSS. While the PCI Software Security Framework includes elements of PA-DSS, the Framework represents a new approach for securely designing and developing both existing and future payment software. PA-DSS was designed specifically for payment applications used in a PCI DSS environment. The PCI Software Security Standards extend beyond this to address overall software security resiliency. The …
Modified
p. 6 → 7
Q19 What is the relationship between the PCI Software Security Framework and PCI DSS? A Validation to the Secure Software Standard and the Secure SLC Standard provides merchants, acquirers, and other payment industry stakeholders assurance that validated payment software is developed securely and with security functions to protect the integrity of the software and the confidentiality of sensitive data it stores, processes, and transmits.
Modified
p. 7 → 8
Q20 Does validation or qualification under the PCI Software Security Framework result in validation to any other PCI standards? A Validation or qualification under the PCI Software Security Framework does not imply or result in validation to any other PCI standard. However, elements of other PCI standards and programs may be incorporated under the PCI Software Security Framework at some point in the future. If and when that will occur will be communicated well in advance of any transition from …
Modified
p. 7 → 8
Q22 Should vendors continue using PA-DSS or wait until the PCI Software Security Framework is launched before initiating assessments? A Transitioning from PA-DSS to the PCI Software Security Framework may take some software vendors time to adjust to the differences between the two programs. Therefore, software vendors are encouraged to continue to submit changes to currently validated applications via the PA-DSS program. Additionally, software vendors who have initiated PA-DSS assessments for new payment applications are encouraged to complete those assessments …