
PA-DSS Transformation to SSF

Date published:

Mar 29, 2022

Alexander Norell

Global Security Architect


In the realm of payment processing, security is of the utmost importance. Merchants and service providers have been able to get assurance by using applications that adhere to, and are validated against, the Payment Application Data Security Standard (PA-DSS). PA-DSS is now deprecated, and its replacement is the Software Security Framework (SSF), which consists of the Secure Software Standard and the Secure SLC Standard.

One of the challenges we are seeing is that the industry has been relatively slow to adopt the new standards: at the time of writing, only 131 applications are listed as validated under the Secure Software Standard.

For merchants, this limits the options when deploying new POIs (Points of Interaction, i.e. payment terminals), as the selection of POIs that run Secure Software-validated applications is rather limited.

For payment service providers, processors, and merchants that want to run their own switch, the selection of already Secure Software-validated solutions is even smaller.

What about PA-DSS?

PA-DSS is a set of requirements that payment application vendors could validate their software against to demonstrate that it met a defined set of security controls. The standard had its sunset date in October 2022, and PA-DSS validated software has been moved to the list of software acceptable for pre-existing deployments only.

What is SSF?

SSF is the replacement for PA-DSS. It is made up of the Secure Software Standard and the Secure SLC Standard; of the two, the Secure Software Standard is the one that most closely corresponds to PA-DSS.

The Secure Software Standard consists of a set of core requirements plus, currently, three modules, defined in appendices outside the core standard, covering account data protection, software running on POIs, and web applications.

The Secure SLC Standard is aimed at the software lifecycle (SLC) processes used by a vendor rather than at an individual application. Once a vendor's SLC is validated, the vendor can be more agile when making changes to its validated payment applications, because certain changes can be handled under its own qualified processes instead of each one going through a full re-validation.

Merchants using PA-DSS approved applications

If you are a merchant with brick-and-mortar operations, it is likely that your POIs are running a PA-DSS validated payment application. If so, that software is now only acceptable for pre-existing deployments. This means you can replace or add POIs, and even add a retail location, as long as the devices are ones the application is already listed as approved to run on. However, if you are looking to deploy a new type of POI, it is likely not included in that list, and because the standard has passed its sunset date, your vendor can no longer validate it against PA-DSS.

As a merchant, your first step should be to reach out to your vendor and ask them for a transformation plan to SSF.

If you are deploying new POIs running a payment application, you need to ensure it is a PCI-listed Secure Software application or, better yet, part of a PCI-listed P2PE solution.

Payment service providers, processors, and merchants using PA-DSS approved processing applications

If you are using off-the-shelf payment processing software in your central switch that is validated against PA-DSS, you should check that it is listed as acceptable for pre-existing deployments and has not been delisted for any reason. On top of that, you should confirm with the vendor that they are still maintaining the version you are using and that they have a plan for transitioning the application to the Secure Software Standard.

If you are setting up a new solution and plan to use an off-the-shelf application, you need to ensure that the vendor has taken it through a Secure Software assessment and that it is listed on the PCI SSC website.

Do the card brands mandate the use of approved applications?

Visa encourages merchants to run PA-DSS or SSF approved applications.

MasterCard mandates the use of PA-DSS or SSF approved applications.

Payment Application Vendors

If you are a payment application vendor and have not started the work to have your payment applications validated under the SSF, you should do so now. Your merchants will very likely request it soon, if they have not already.

Also, if you want to add new or updated POI models, you can no longer add them to your PA-DSS listings, as the standard has reached its sunset date.

Conclusion

The transition from PA-DSS to SSF represents a significant step for payment application vendors and merchants. SSF is a more comprehensive and flexible standard that is better suited to modern development practices and offers stronger payment application security. By moving to SSF, payment application vendors gain an independent, listed validation of their applications and development processes, and merchants gain assurance that the payment software they deploy has been assessed against current requirements.

For more information about VikingCloud's secure and compliant payment solutions visit https://www.vikingcloud.com/compliance-risk/secure-payment-solution or contact the VikingCloud team.
