Document Comparison
FAQs-for-PCI-Software-Security-Framework-v2.pdf
→
PCI_Secure_Software_v1.x_Technical_FAQs_May2025.pdf
Similarity: 4%
Pages: 10 → 5
Words: 3641 → 1146
Content changes: 12
From Revision History
- May 2023 Initial publication.
- May 2025 © 2023-2025 PCI Security Standards Council, LLC. All rights reserved. Page 1 PCI Secure Software Standard: Technical FAQs
- May 2023: Do all control objectives in the Secure Software Standard need to be met? A It is the expectation that all control objectives must be satisfied for payment software to be considered “compliant” with the Secure Software Standard. It may be possible, however, for alternative approaches to be considered acceptable if it can be demonstrated through
- May 2023: When is it appropriate to mark a control objective in the Secure Software ROV as “N/A” (Not Applicable)? A Some control objectives may be based on the existence of certain conditions that do not exist in all payment software implementations. For example, control objective A.2.2 is based on
- May 2023: What should be done if a control objective cannot be met as stated due to a technical constraint? A In some software implementations, it may be impossible for the assessed payment software to meet a particular control objective due to legitimate technical constraints. For example,
- May 2025: In such circumstances, all such constraints must be documented and justified in the ROV.
- May 2023: What is the deadline for new Secure Software v1.1 submissions? A The deadline for new submissions to the Secure Software Standard v1.1 has been extended from June 30 to August 31, 2023. As of September 01, 2023, all new Secure Software submissions must be completed using the latest versions of the Secure Software Standard,
- May 2025: Is a Full Software Assessment always required as part of a High Impact change? A No, it may not always be required. The vendor and assessor work together to determine the impact of the software change and all PCI Secure Software Standard requirements
- May 2025: Is the term "Internet Accessible Interfaces" in the Secure Software Standard intended to restrict the applicability of the Web Software Module solely to software that is exposed to the Internet? A No.
Content Changes
12 content changes. 12 administrative changes (dates, page numbers) hidden.
Added
p. 1
Payment Card Industry (PCI) Secure Software Standard Technical FAQs for use with the Secure Software Standard v1.x
Added
p. 2
May 2023 Initial publication.
May 28, 2025: New Technical FAQ(s): General Q5; Module C Q1.
PCI Secure Software Standard: Technical FAQs
This document addresses common questions related to the PCI Software Security Framework: Secure Software Requirements and Assessment Procedures (i.e., the Secure Software Standard) version 1.x and its associated validation and listing program. This document is an integral part of the Secure Software Standard and Program and must be fully considered during a Secure Software assessment.
Technical FAQs are a mechanism to provide additional clarifications regarding the interpretation and application of security and program requirements between major revisions of a given PCI security standard. Clarifications provided in Technical FAQs are typically incorporated into a given standard or program upon the next major revision.
New or updated questions and/or answers since the last revision of this document are shown in red.
Q1 May 2023: Do all control objectives in the Secure Software Standard need to be …
Added
p. 5
If the implementation of such mitigations requires user input or interaction, then it is expected that the software vendor provide, at a minimum, guidance on how to implement such mitigations and/or direct the user to where appropriate configuration information can be obtained.
If the additional risk(s) cannot be mitigated to a reasonable degree, then the control objective cannot be considered met (“In Place”).
Added
p. 5
All ‘In Process’ submissions (i.e., those submitted, and fees paid to PCI SSC prior to September 01, 2023) will have until November 29, 2023 to complete those submissions.
Q5 May 2025: Is a Full Software Assessment always required as part of a High Impact change? A No, it may not always be required. The vendor and assessor work together to determine the impact of the software change and all PCI Secure Software Standard requirements potentially affected by the change.
The assessor performs all the required assessment activity based on the software change, and as part of the delta assessment, completes a redlined ROV (i.e., not a new ROV), along with all other required documentation as part of the delta submission.
Module C: Web Software
Q1 May 2025: Is the term "Internet Accessible Interfaces" in the Secure Software Standard intended to restrict the applicability of the Web Software Module solely to software that is exposed …
Removed
p. 2
The FAQs in this document are organized as follows:
2. Secure Software Standard
3. Secure Software Lifecycle Standard
4. Relationship between PCI Software Security Framework and other PCI Standards
Removed
p. 3
2. Secure Software Standard
Q1 What is the PCI Software Security Framework? A The PCI Software Security Framework is a collection of related software security standards, and associated validation and listing programs. There are currently two standards under the PCI Software Security Framework:
• Secure Software Standard
• Secure Software Lifecycle (Secure SLC) Standard
Q2 When is the Validation Program for the PCI Secure Software Framework expected to launch? A Initial program materials for the PCI Software Security Framework (including Program Guides and Assessor Qualification Requirements) were published in June 2019. Companies wishing to become a Software Security Framework (SSF) Assessor Company will be able to submit applications beginning October 2019 and assessor training will be available shortly afterwards. See Section 6 for further information on Assessor Qualification.
Q3 What is a Software Security Framework (SSF) Assessor Company? A SSF Assessor Companies are qualified by PCI SSC to perform assessments to the Secure Software Standard, …
Removed
p. 4
Q6 What is the process for evaluating software to the Secure Software Standard? A Software vendors initiate the process by selecting a company qualified to perform Secure Software assessments from the PCI SSC’s list of SSF Assessor Companies on the PCI SSC website, and negotiating any costs and agreements necessary to perform the assessment directly with the assessor company. Then the software vendor and the assessor company determine the scope of the assessment (i.e., what aspects of the payment software should be assessed), including identifying all applicable requirements and materials necessary to effectively perform the assessment. Once scope has been determined and all necessary materials and evidence have been collected, the assessor begins the software evaluation.
Payment software evaluation includes analyzing all security functions, features, and capabilities provided by the software to determine whether the software complies with all applicable requirements within the Secure Software Standard. If the assessor determines that …
Removed
p. 5
3. Secure Software Lifecycle Standard
b) store, process, or transmit clear-text account data, and can therefore be validated against both the Secure Software Standard and the currently published Module A: Account Data Protection, and c) be a commercially available product that is developed by the software vendor for sale to multiple organizations.
The following software is not eligible for validation at the time of initial program launch:
• In-house developed payment software that is used only by the company that developed it.
• Payment software that operates on any consumer electronic mobile device that is not solely dedicated to payment acceptance for transaction processing.
• Software products that are operating systems, databases or platforms; even those that may store, process, or transmit account data.
• Payment software intended for use on hardware terminals.
Future modules are planned to support some of these use cases. Software that is ineligible for validation at initial program launch will not necessarily …
Removed
p. 7
Q16 Who is qualified to perform Secure SLC Assessments? A Secure SLC Assessor Companies and their Secure SLC Employees. Secure SLC Assessor Companies are independent security organizations that have been qualified by PCI SSC to validate software vendor adherence to the Secure SLC Standard. Secure SLC Assessors are employees of Secure SLC Assessor Companies that have satisfied and continue to satisfy the requirements defined in the PCI Software Security Framework Qualification Requirements for Assessors.
The list of SSF Assessor Companies on PCI SSC’s website identifies entities that are qualified as a Secure SLC Assessor Company.
Q17 Does PCI SSC provide a list of payment software vendors who are validated to the Secure SLC Standard? A Yes. Upon successful validation to the Secure SLC Standard, software vendors are added to the List of Secure SLC Qualified Vendors on the PCI SSC website.
4. Relationship between PCI Software Security Framework and other PCI Standards
Q18 What is the …
Removed
p. 8
Q22 Should vendors continue using PA-DSS or wait until the PCI Software Security Framework is launched before initiating assessments? A Transitioning from PA-DSS to the PCI Software Security Framework may take some software vendors time to adjust to the differences between the two programs. Therefore, software vendors are encouraged to continue to submit changes to currently validated applications via the PA-DSS program. Additionally, software vendors who have initiated PA-DSS assessments for new payment applications are encouraged to complete those assessments under the PA-DSS program. New PA-DSS validations will be accepted through mid-2021 and be valid through late 2022. Assessments against the PCI Software Security Framework are anticipated to begin in Q1 2020 and will have a three-year validity period.
Removed
p. 8
6. Assessor Qualification
Removed
p. 9
Q25 Is there a pre-requisite requirement to be a QSA or PA-QSA Company before becoming an SSF Assessor Company? A No, companies do not need to participate in the QSA or PA-QSA programs before becoming an SSF Company. However, companies which do participate in the QSA or PA-QSA programs may benefit from reduced training requirements for their assessor employees who wish to be qualified to perform assessments under the PCI Software Security Framework.
Q26 What are the criteria for becoming a Secure SLC Assessor? A QSAs and PA-QSAs who wish to become Secure SLC Assessors are required to complete computer-based training and successfully pass the appropriate exam.
Other individuals who wish to become Secure SLC Assessors (that is, individuals who do not hold QSA or PA-QSA status) are required to attend instructor-led training and successfully pass the associated exams.
In addition to the training and exam requirements, all individuals and companies must meet the requirements …