Part Two: Technical Differences Between SSF and PA-DSS

7 months ago AndyC

In a follow up to a previous blog article on Part One: Conceptual Differences Between SSF and PA-DSS

Part Two: Technical Differences Between SSF and PA-DSS

In a follow up to a previous blog article on Part One: Conceptual Differences Between SSF and PA-DSS, PCI SSC’s Senior Manager, Public Relations Alicia Malone and Senior Manager, Solution Standards Jake Marcinko discuss some of the technical differences between the now retired Payment Application Data Security Standard (PA-DSS) and Program, and the replacement for PA-DSS effective as of Oct 28, 2022: The PCI Software Security Framework (SSF).

Alicia Malone: In our first discussion, you described some of the key conceptual differences between PA-DSS and SSF. As many payment software vendors are still in the process of transitioning their Validated Payment Applications from PA-DSS to SSF, what are some of the key technical differences between the two standards from a requirements perspective? 

Jake Marcinko: Most of the fundamental concepts and requirements in the Secure Software Standard and the Secure Software Lifecycle (Secure SLC) Standard – the two standards comprising the Software Security Framework – were derived and evolved from PA-DSS. For example, both PA-DSS and the two SSF standards cover topics such as secure software development, user authentication, protection of sensitive data during storage and transmission, logging, security roles and responsibilities, and stakeholder guidance. In most cases, the software security controls that were implemented to satisfy PA-DSS requirements can be repurposed to satisfy applicable requirements under the Software Security Framework. 

There are, however, a number of requirements in the Secure Software Standard and Secure SLC Standard that expand on fundamental concepts and requirements from PA-DSS. Examples include the requirements within Module C – Web Software Requirements of the Secure Software Standard.

There are also several new requirements in the two SSF standards, such as the attack detection requirements (Objective 9) in the Secure Software Standard, which may require new software security controls above and beyond those required in PA-DSS.

Payment software vendors transitioning from PA-DSS to SSF are encouraged to perform a gap analysis between their existing software security controls and capabilities, and those required by the Secure Software Standard and Secure SLC Standard. Performing a gap analysis can help determine whether controls used to satisfy PA-DSS requirements may be repurposed, and where new controls and practices may be required. 

Alicia Malone: Have there been any changes in the way security requirements can be met between PA-DSS and SSF?

Jake Marcinko: Yes. PA-DSS was often explicit in the techniques, methods, or technologies that were required to satisfy a particular PA-DSS requirement. The two standards under the Software Security Framework are different in that their focus is on the expected security outcomes rather than specific techniques, methods, or technologies that must be used.

The SSF approach provides payment software vendors more flexibility than PA-DSS by allowing them to determine how best to meet the security requirements based on their business and technical needs and capabilities. The trade-off is that SSF requires payment software vendors to have a robust risk management process for identifying potential threats and weaknesses and implementing appropriate software security controls to mitigate those risks.

Payment software vendors who need assistance with performing a gap analysis or identifying appropriate security controls and practices to satisfy applicable requirements within the SSF standards are encouraged to engage a PCI SSC-qualified Secure Software Assessor or Secure SLC Assessor to assist with this process. The PCI SSC’s list of Secure Software Assessors and Secure Software Lifecycle Assessors can be found under the PCI Qualified Professionals section of the PCI SSC website.

Alicia Malone: What are some of the other differences between PA-DSS and SSF from a program perspective?

Jake Marcinko: One of the key differences between the PA-DSS program and the programs under the Software Security Framework is the support for compensating controls. Under the PA-DSS program, all applicable requirements had to be met as stated. While that is also the general expectation under SSF, both SSF standards and programs allow for compensating controls to be used in cases where it is impossible to meet a given control objective due to a technical constraint.

While this SSF implementation of compensating controls is similar to that in PCI DSS, the methods for reporting this information in the Reporting Templates are different under the Software Security Framework. In such cases, the technical constraints preventing the control objective from being met must be documented and justified in the reporting template, and additional security controls must be implemented to mitigate any residual risks to a reasonable level. More information on the use of compensating controls can be found in the Secure Software v1.x Technical FAQs document available in the Document Library section of the PCI SSC website.

Another key difference between the PA-DSS program and the programs under the Software Security Framework is the use of Technical Frequently Asked Questions or “Technical FAQs.” The General FAQs under PA-DSS were considered “informative” or guidance only.  In addition to General FAQs, the Software Security Framework also includes Technical FAQs which are considered “normative” and are an extension of the SSF standard and program to which they are affiliated.

Technical FAQs provide PCI SSC with a mechanism to provide more timely clarifications regarding the interpretation and application of security and program requirements between major revisions of a PCI standard. Technical FAQs are an integral part of the Software Security Framework and must be fully considered during assessments to the Secure Software Standard and Secure SLC Standard.

Alicia Malone: Where can people find more information about the PCI Software Security Framework?

Jake Marcinko: The Document Library section of the PCI SSC website is one of the best places to find more information on the PCI Software Security Framework. We also have numerous other articles in the PCI Perspectives Blog that may prove helpful as well. Simply select “PCI Software Security Framework” under “Categories” to find relevant articles.

Don’t forget that we also have a great resource available on our website through the Global Content Library. This is a great way to access video presentations from our Community Meetings on many different topics including the Software Security Framework.

For more detailed queries, you can reach out directly to the PCI SSC by emailing your questions to info@pcisecuritystandards.org. You can also contact a PCI Qualified Secure Software Assessor or Secure Software Lifecycle Assessor to help address questions that you may have with the applicable standard. As we previously noted, the PCI SSC’s list of Qualified Secure Software Assessors and Secure Software Lifecycle Assessors can be found on the PCI SSC website under “PCI Qualified Professionals.” 

Read more about the PCI Software Security Framework

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , ,

More Stories

Protecting Model Updates in Privacy-Preserving Federated Learning: Part Two

3 days ago AndyC

Take A Tour! NIST Cybersecurity Framework 2.0: Small Business Quick Start Guide

4 days ago AndyC
Coffee with the Council Podcast: Help Shape the Future of Payment Security as a PCI SSC Participating Organization

Coffee with the Council Podcast: Help Shape the Future of Payment Security as a PCI SSC Participating Organization

6 days ago AndyC
Resource Guide: Earn Continuing Professional Education Credits Through the Council

Resource Guide: Earn Continuing Professional Education Credits Through the Council

2 weeks ago AndyC

Giving NIST Digital Identity Guidelines a Boost: Supplement for Incorporating Syncable Authenticators

2 weeks ago AndyC
PCI DSS v4: What’s New with Self-Assessment Questionnaires

PCI DSS v4: What’s New with Self-Assessment Questionnaires

1 month ago AndyC

You may have missed

Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION

21 mins ago AndyC
GenAI Continues to Dominate CIO and CISO Conversations

GenAI Continues to Dominate CIO and CISO Conversations

22 mins ago AndyC

Pay up, or else? – Week in security with Tony Anscombe

15 hours ago AndyC
Blackbasta gang Synlab Italia attack

Blackbasta gang Synlab Italia attack

18 hours ago AndyC
Microsoft Outlook Flaw Exploited by Russia's APT28 to Hack Czech, German Entities

Microsoft Outlook Flaw Exploited by Russia’s APT28 to Hack Czech, German Entities

1 day ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.