Software Security Framework blog

Blog: PCI-SSF: Enhanced Protection and Stronger Standards

October 02, 2023  |  BRENT GAMBLE

In 2019, PCI unveiled a new standard referred to as the PCI Software Security Framework (SSF). After a decade, it was time to replace the foundational PCI Payment Application Data Security Standard (PA-DSS) with a stronger standard that addresses the evolving complexity of protecting sensitive and payment data. With a sunset date of October 2022 for PA-DSS, the new SSF standard modernized security protections, expanded the scope of eligible software, and separated the validation of the vendor from the validation of the eligible software product.

The framework is a collection of standards and validation programs that 1) define the required security features and attributes of vendor-developed payment software (Secure Software Standard, SSS), and 2) define the requirements for the processes and capabilities that a vendor must have in place to self-approve development of that software (Secure Software Lifecycle Standard, SLC). By separating the framework into these two parts, vendors who produce payment software that must comply with the SSS and who are qualified under the SLC can bring certain enhancements to market under their own validation, while the remainder is validated through an independent agency to demonstrate product adherence to the SSS. The approach is designed for a more dynamic, faster time-to-market process: qualified vendors gain a broader array of software types they can validate, plus a more streamlined way to manage and publish updates. Vendors like Diebold Nixdorf are encouraged to be validated for both standards.

The new SSF approach is objective-based rather than prescriptive like PA-DSS. There is no exact recipe that a vendor must follow to meet the standard; the vendor must only fulfill the security objectives. An example of such a control objective is that authentication methods must be 'sufficiently strong and robust to protect authentication credentials from being forged, spoofed, leaked, guessed, or circumvented.' Under PA-DSS, parameters such as minimum length and composition were specified for passwords. The change to objective-based security standards allows each vendor to select the industry-accepted method that best suits its organization's unique business requirements and capabilities. It also gives assessors more flexibility in how they confirm that the objective was met. SLC-approved vendors, such as Diebold Nixdorf, are independently reviewed to ensure that the definition of 'sufficiently' is indeed sufficient. Alternative tools and methods can be used in place of a specified test or tool, provided the thoroughness of the test is not compromised and it properly validates the control objective.

Originally, PA-DSS was implemented to protect data in the card-based environment and software that specifically dealt with card-based data; but, as we know, payments are no longer bound to cards. SSF covers a broader range of security principles as they apply to payment software types, technologies, and development methodologies, independent of card data. Fundamentally, it focuses on integrating security into the software development cycle as well as into the product itself. The result is more secure software, designed, developed, and maintained to protect payment transactions and data, to minimize vulnerabilities, and to defend against attacks.

Diebold Nixdorf was an early adopter of both the SSS and SLC standards, and in 2022 it was the first ATM vendor to have an SSS-approved product on the market, in addition to having earlier been qualified as an SLC-approved vendor. Diebold Nixdorf continues to meet and deliver to both standards. To date, Diebold Nixdorf's Vynamic Connection Point family of ATM software (VCP-Lite, VCP-Pro) and our cloud-native payments platform, Vynamic Transaction Middleware, are approved.
