Significant Milestone Hit for Payment Software Security

 




 



The PCI Security Standards Council recently hit a significant milestone of 100 products validated to the Secure Software Standard. We sat down with Jake Marcinko, Senior Manager, Solutions Standards and Matt O’Connor, Director, Products and Solutions to discuss what this benchmark means for payment security.
 

The PCI Security Standards Council recently hit a significant milestone of 100 products validated to the Secure Software Standard. Why is this an important milestone for global payment security?
  



Jake Marcinko: Payment software must be secure to ensure reliable and accurate transactions. Products validated to the Council’s Secure Software Standard demonstrate that the payment software is designed, engineered, developed, and maintained in a manner that protects payment transactions and data, minimizes vulnerabilities, and defends against attacks. We’re encouraged to see the list of secure software products grow to over 100 listings. The growth of this program reinforces the important role that security plays when developing payment software and we’re looking forward to this list continuing to grow in the near future. The growing list can be found here: PCI SSC List of Validated Payment Software


What is the value of becoming a Validated Secure Software product?



Jake Marcinko: Security of payment software is a crucial part of the payment transaction flow and is essential to facilitate reliable and accurate payment transactions. Validation to the Secure Software Standard shows that a product is designed, engineered, and developed in a way that protects transactions and minimizes vulnerabilities.
 


Why should merchants and service providers use validated payment software in their environments?



Jake Marcinko: Payment security is at the heart of the PCI SSC’s standards. Payment products validated to the Secure Software Standard provide merchants and service providers with confidence that the listed products have been assessed against a stringent set of software security requirements.



What is the process of becoming listed?

 



Jake Marcinko: Software vendors can use the PCI SSC website to choose a qualified Software Security Framework (SSF) Assessor company to work with. The SSF Assessor company will work with the vendor to fully assess their software product against the Secure Software Standard. The SSF Assessor will submit the report to PCI SSC and, following a satisfactory review, the product will be listed.
 


Validated Payment Software has been assessed in adherence to the PCI Secure Software Standard. The PCI Secure Software Standard is one of the two standards included in the Council’s Secure Software Framework. Can you provide some background on the Secure Software Framework?



Jake Marcinko: In 2019, PCI SSC launched the PCI Software Security Framework (SSF) as a planned replacement for the Payment Application Data Security Standard (PA-DSS) and program. PA-DSS was one of the first software security standards to be published and it has been an important program for the payments industry for over ten years. Changes in how the industry designs and develops modern payment software, however, eventually necessitated a new approach to software security validation. So, the PCI Secure Software Standard and PCI Secure Software Lifecycle Standard and their respective validation programs were introduced to fulfill the industry need for a more comprehensive yet flexible standard and program. There has been a significant increase in listed solutions since PA-DSS was retired in October 2022. Learn more about the Secure Software Framework here: At-a-Glance: Secure Software Framework




Once an organization has a product listed as a Validated Payment Software, what should be their next step?



Matt O’Connor: Having a product listed is a great first step towards securing payment data. As mentioned earlier, the second standard within the Secure Software Framework is called the Secure Software Lifecycle (Secure SLC) Standard. Validation to the Secure SLC Standard illustrates that the software vendor has secure software lifecycle management practices in place. Validation to the Secure SLC Standard provides industry stakeholders additional assurance that their payment software products will remain secure throughout their lifecycle. Stakeholders can check to see if their partner is validated to the Secure SLC Standard by viewing the official PCI SSC List of Secure SLC Qualified Vendors.


View the growing list of software validated to the Secure Software Standard: PCI SSC List of Validated Payment Software
