Significant Milestone Hit for Payment Software Security


The PCI Security Standards Council recently hit a significant milestone of 100 products validated to the Secure Software Standard. We sat down with Jake Marcinko, Senior Manager, Solutions Standards and Matt O’Connor, Director, Products and Solutions to discuss what this benchmark means for payment security.  

The PCI Security Standards Council recently hit a significant milestone of 100 products validated to the Secure Software Standard. Why is this an important milestone for global payment security?   

Jake Marcinko: Payment software must be secure to ensure reliable and accurate transactions. Products validated to the Council’s Secure Software Standard demonstrate that the payment software is designed, engineered, developed, and maintained in a manner that protects payment transactions and data, minimizes vulnerabilities, and defends against attacks. We’re encouraged to see the list of secure software products grow to over 100 listings. The growth of this program reinforces the important role that security plays when developing payment software and we’re looking forward to this list continuing to grow in the near future. The growing list can be found here: PCI SSC List of Validated Payment Software

What is the value of becoming a Validated Secure Software product?

Jake Marcinko: Security of payment software is a crucial part of the payment transaction flow and is essential to facilitate reliable and accurate payment transactions. Validation to the Secure Software Standard shows that a product is designed, engineered, and developed in a way that protects transactions and minimizes vulnerabilities.  

Why should merchants and service providers use validated payment software in their environments?

Jake Marcinko: Payment security is at the heart of the PCI SSC’s standards. Payment products validated to the Secure Software Standard provide merchants and service providers with confidence that the listed products have been assessed against a stringent set of software security requirements.

What is the process of becoming listed?  

Jake Marcinko: Software vendors can use the PCI SSC website to choose a qualified Software Security Framework (SSF) Assessor company to work with. The SSF Assessor company will work with the vendor to fully assess their software product against the Secure Software Standard. The SSF Assessor will submit the report to PCI SSC and, following a satisfactory review, the product will be listed.  

Validated Payment Software has been assessed against the PCI Secure Software Standard. The PCI Secure Software Standard is one of the two standards included in the Council’s Software Security Framework. Can you provide some background on the Software Security Framework?

Jake Marcinko: In 2019, PCI SSC launched the PCI Software Security Framework (SSF) as a planned replacement for the Payment Application Data Security Standard (PA-DSS) and program. PA-DSS was one of the first software security standards to be published and it has been an important program for the payments industry for over ten years. Changes in how the industry designs and develops modern payment software, however, eventually necessitated a new approach to software security validation. So, the PCI Secure Software Standard and PCI Secure Software Lifecycle Standard and their respective validation programs were introduced to fulfill the industry need for a more comprehensive yet flexible standard and program. There has been a significant increase in listed solutions since PA-DSS was retired in October 2022.  Learn more about the Secure Software Framework here: At-a-Glance: Secure Software Framework


Once an organization has a product listed as a Validated Payment Software, what should be their next step?

Matt O’Connor: Having a product listed is a great first step towards securing payment data. As mentioned earlier, the second standard within the Secure Software Framework is called the Secure Software Lifecycle (Secure SLC) Standard. Validation to the Secure SLC Standard illustrates that the software vendor has secure software lifecycle management practices in place. Validation to the Secure SLC Standard provides industry stakeholders additional assurance that their payment software products will remain secure throughout their lifecycle. Stakeholders can check to see if their partner is validated to the Secure SLC Standard by viewing the official PCI SSC List of Secure SLC Qualified Vendors.

View the growing list of software validated to the Secure Software Standard: 

PCI SSC List of Validated Payment Software