SSF has Changed the Game for Application Security
Software Security Framework focuses on security throughout the software lifecycle.
Software powers the world of Payments—from the firmware and applications residing on point-of-sale devices, to middleware that provides the fabric for connections, to SaaS solutions that authorize, capture, tokenize and provide valuable back-office reporting for merchants and acquirers. Now more than ever, with the growth in the attack surface of our ecosystem due to use of such valuable third-party tools and services, the importance of software security cannot be overstated.
Historically, responsibility for application security has fallen either on the vendors of off-the-shelf payment applications, or on a loose set of best practices for any application that is custom-coded or otherwise fails to meet the eligibility criteria for a payment application. Software that doesn’t specifically perform authorization using clear-text account data was ineligible for validation, and the validation did not address non-PCI sensitive data types, such as PII or PHI. What’s worse, any changes to the underlying codebase required incremental assessments to avoid leaving open a door for attacks on the underlying transaction infrastructure and cardholder data.
These shortcomings are now actively addressed through the PCI Security Standards Council's new Software Security Framework (SSF) program. The framework starts with a separate assessment for Secure Software Lifecycle (Secure SLC) which allows a vendor to confirm a baseline of security practices in how software is architected, developed and maintained. An incremental assessment for Secure Software can then be used to test the application for resistance to attack, cryptographic protection of stored data, authentication, and logging capabilities. When combined, a vendor can then deploy incremental updates with a mere self-assessment and attestation, rather than undergoing time-consuming assessments with each release.
ControlScan is one of the first Software Security Framework Assessor companies qualified to test Secure SLC and Secure Software. Our combined assessment methodology allows us to quickly and confidently collect the needed evidence and test the security of your application for listing as an SSF Vendor and/or SSF Software. Our SSF advisory services also support gap analyses against either or both assessment types, providing a clear path to compliance and listing under the new SSF program, as well as white papers that spell out the impact of your SSF compliance in supporting your customers' PCI compliance.
To learn more about ControlScan’s SSF validation services, simply complete the form on this page or call us at 1-800-825-3301, ext. 2.