The Payment Application Data Security Standard (PA-DSS) was introduced in 2008 to help software developers create secure payment applications for businesses and service providers. It was created for all software development companies producing applications that store, process, or transmit sensitive authentication data as well as cardholder data. To raise the security requirements for applications that handle payments, the PCI Security Standards Council recently unveiled a new framework. With the adoption of the new standards, the PA-DSS Standards will gradually be phased out by 2022. After covering this in greater detail, we provide some advice for organisations wanting to make the move from PA DSS to PCI SSF as painless as possible. First, though, let's look at what PCI SSF is.
What Is PCI SSF?
The PCI Software Security Framework is a new application security standard for securing the design and development of payment application software. The PCI Council took measures to raise the security requirements for payment applications and provide clients with secure and dependable online payment services. The standard was created to help software vendors build secure applications by implementing best practices that adapt to the changing security and threat landscape.
The new framework enables a modern approach to application design and development while still working with conventional payment software. It also aids in the development and upkeep of payment software that protects sensitive data and payment transactions and reduces overall exposure to risk. Adhering to the new standard verifies the security of the software.
Goals of the New PCI Software Security Framework
The PCI Software Security Framework combines traditional and contemporary software security requirements to support new technologies, software types, and development techniques. The new standard also helps vendors strengthen their defences against new threats by responding to the changing threat landscape. The framework was created with an emphasis on security practices, so that it supports both the conventional approaches to effective application security and the most recent development techniques.
What organisations need to be aware of in relation to the change from PA-DSS to PCI SSF
PCI SSF replaces PA-DSS with expanded requirements that accommodate a range of payment software types, technologies, and development methodologies. Although the PA-DSS Standards will be phased out in October 2022, the new Standard won't affect existing payment applications within the PCI environment. The standard will be available and fully supported during the transition period to prevent interruption and make the transition easier for enterprises. The PCI Council's schedule, which is provided below, should help organisations understand how PA-DSS will eventually be phased out in October 2022.
Before making any decisions, businesses should consider the following additional factors that the council has identified as crucial.
- Applications that have already been PA-DSS validated will continue to appear on the list of Validated Payment Applications until their expiration dates.
- Vendors have until the end of October 2022 to submit revisions in accordance with standard procedure.
- The PA-DSS Program will, however, end at that point, and all PA-DSS validated payment applications will be moved to the "Acceptable Only for Pre-Existing Deployments" page on the list of Validated Payment Applications.
- The deadline for new payment application submissions for PA-DSS validation is 30 June 2021 (this month), after which the validation will expire.
- Vendors can start the validation process for their Software Lifecycle Management processes and payment software once SSF Assessors are certified and listed on the PCI SSC website.
- Both Validated Payment Software and Secure SLC Qualified Vendors will be included on the PCI SSC website.
- Payment software that has been validated as conforming to the Secure Software Standard will be listed on the PCI SSC List of Validated Payment Software. When PA-DSS expires at the end of October 2022, this list will take the place of the present list of Validated Payment Applications.
- The SSF also includes a PCI SSC List of Secure SLC Qualified Vendors, which lists companies that sell payment processing software and whose software lifecycle development procedures have been validated as satisfying the Secure SLC Standard.
With all of this in mind, here are some actions that enterprises should take to achieve a seamless transition from PA DSS to PCI SSF.
How should PCI SSC stakeholders get ready for this change?