A Guide to the New PCI Software Security Framework

Learn about how to comply with the new PCI Software Security Framework.

The 2019 PCI Software Security Framework provides a set of controls, requirements, and procedures for secure payment software throughout the whole lifecycle. From the guide, you will learn:

  • An overview of the new PCI Software Security Standards
  • The compliance requirements related to the new standards
  • How to comply using SD Elements


The PCI Software Security Council initiated work on the new Software Security Framework in collaboration with our team at Security Compass, Microsoft Corporation, and other stakeholder organizations.

This resulted in the new PCI Software Security Standards which treat software security as a critical need. As a result, they are more comprehensive than ever before in their instructions related to software security.

What are PCI Software Security Standards?

The new PCI Software Security Standards, part of the new PCI Software Security Framework, were built with the understanding that, for payment software to be considered secure, it must first be designed, developed, and maintained in a way that protects the integrity of payment transactions and the confidentiality of all sensitive data collected in association with those transactions. Hence, the software security standards consist of both software security requirements and secure software lifecycle (SLC) requirements. Their primary goal is to provide a way to secure payment applications that supports current as well as future industry technologies and best practices.

What do the new PCI Software Security Standards cover?

The PCI Software Security Standards’ coverage is comprehensive, addressing all payment software functionality and the identification and implementation of security controls. The new standards outline the responsibility of outside vendors in guiding customers’ security practices. They also detail the tools and functions the software uses to access critical assets, while discussing execution environments, code libraries, requirements, and dependencies.

The standards are presented as part of a Secure Software Framework (SSF), a series of three documents:

  1. The Secure Software Lifecycle (Secure SLC or SSLC) Requirements and Assessment Procedures, or the Secure Software Lifecycle (SLC) Standard
  2. The Secure Software Requirements and Assessment Procedures, or the Secure Software Standard
  3. The Validation Program, which is expected to be released mid-2019. This is a program for software vendors to validate how they can properly manage the security of payment software throughout the entire software lifecycle.

How will the PCI Software Security Framework benefit the industry?

As payments evolve, PCI SSC continues to transform the PCI Security Standards and programs for securing payment transactions and data.

The PCI Software Security Framework provides payment application developers with better support for modern software development techniques, ensuring greater transparency into the security capabilities of payment software and payment software vendors.

*Source: PCI SSC Blog

What happens to PA-DSS?

Ultimately, the PA-DSS and its validation program will be incorporated into the PCI Software Security Standards. But for the time being, PA-DSS and its supporting program will remain in place.

More information on this will be made available when the PCI Software Security Standards validation and qualification programs are released in 2019.
*Source: PCI SSC Blog

What do the PCI Software Security Standards mean for software application vendors?

The new PCI Software Security Standards represent the payment card industry’s effort to create an elevated standard pertaining to software security in the payments ecosystem, supporting validation programs for software products and qualification programs for software vendors.

The new standards also focus on a more agile approach to software development techniques and release cycles.

How do we comply with requirements specified by PCI Software Security Standards?

Software developers are adopting more competitive software lifecycle management techniques with faster release cycles, and the PCI Software Security Standards were designed to better support this development environment. With the advent of the new framework, the payment industry will see more consistency in how software is evaluated for security. To help organizations comply with the PCI Software Security Standards, we offer our own solution: our flagship policy-to-procedure platform, SD Elements.

SD Elements, our policy-to-execution platform, helps with:

  1. Minimizing the Attack Surface: confidentiality and integrity of all software critical assets are protected, and all unnecessary features and functionality are removed or disabled.
  2. Software Protection Mechanisms
  3. Secure Software Operations
  4. Secure Software Lifecycle Management
  5. Account Data Protection