Press Release

PCI Security Standards Council Publishes Version 1.1 of Secure Software Lifecycle (SLC) Standard and Program

Update Expands Program Eligibility to Include Software Vendors Who Develop Software Products for the Payment Card Industry

WAKEFIELD, Mass., 18 February 2021 — The PCI Security Standards Council (PCI SSC) has published version 1.1 of the PCI Secure Software Lifecycle (SLC) Standard and its supporting program documentation. The PCI Secure SLC Standard is one of two standards that are part of the PCI Software Security Framework (SSF). It provides security requirements and assessment procedures for software vendors to integrate into their software development lifecycles and to validate that secure lifecycle management practices are in place.

The version 1.1 update to the PCI Secure SLC Program Guide expands program eligibility beyond payment software vendors. The revised eligibility includes software vendors who develop software products for the payment card industry. This expansion of the program enables more vendors to leverage Secure SLC qualification and facilitates broader vendor adoption and participation in the Secure SLC Program.

“At the rate at which software is evolving, a different approach is required to validate that the development of payment software adheres to strong security practices,” said Emma Sutcliffe, SVP Standards Officer, PCI Security Standards Council. “This update to our Secure SLC Standard and Program is a key step in promoting greater implementation by expanding eligibility to vendors that produce software and software components that may share resources within a payment environment.”

The PCI Secure SLC Standard v1.1 also addresses errata, adds minor clarifications, and aligns key terms and definitions across the standard and program documentation.

“One of the most important aspects of the Secure SLC Standard, and a common issue identified in recent compromises, is maintaining good software security, even as software is updated and security threats continue to evolve,” said Troy Leach, SVP Engagement Officer, PCI Security Standards Council.  “This is especially true with the increased dependency on third-party software developers. Organizations rely upon these companies to protect payment data against various compromises such as online digital skimming and supply-chain vulnerabilities. Validation against the Secure SLC Standard demonstrates a public commitment to maintain the security posture of the software throughout its entire lifetime.”

Vendors should download the current documentation and reference v1.1 of the Program Guide when working with v1.1 of the standard. The following documents can be found in the PCI SSC document library:

About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.