PCI Security Standards Council®

Return to Newsroom


PCI Security Standards Council Announces New Validation Programs for Payment Software Vendors and Products Under PCI Software Security Framework

New Secure SLC and Secure Software Program Requirements Now Available for Software Vendors and Assessors; PA-DSS Program Remains Open Until October 2022

WAKEFIELD, Mass., 26 June 2019 — Today the PCI Security Standards Council (PCI SSC) announced two new validation programs for use by payment software vendors to demonstrate that both their development practices and their payment software products address overall software security resiliency to protect payment data. Under the Secure Software Lifecycle (Secure SLC) and Secure Software Programs, Software Security Framework Assessors will evaluate vendors and their payment software products against the PCI Secure SLC and Secure Software Standards. PCI SSC will list Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website as a resource for merchants.

PCI SSC is introducing these programs as part of the PCI Software Security Framework (SSF), a collection of standards and programs for the secure design, development and maintenance of existing and future payment software. The SSF expands beyond the scope of the Payment Application Data Security Standard (PA-DSS) and will replace PA-DSS, its program and List of Validated Payment Applications when PA-DSS is retired in 2022. During the interim period, the PA-DSS and SSF Programs will run in parallel, with the PA-DSS Program continuing to operate as it does now.

Secure SLC Program and Secure Software Program documentation is now available on the PCI SSC website. This includes Program Guides and FAQs, with information on the vendor and payment software validation process, and Qualification Requirements for SSF Assessors. PCI SSC plans to start accepting applications from assessors by the end of 2019. Training will be available in early 2020, first for Payment Application Qualified Security Assessors (PA-QSA) and QSAs, and then for new assessors. Once SSF Assessors are in place, vendors can begin the validation process for their software lifecycle practices and payment software.

Secure SLC Program

Secure Software Program

Learn more on the PCI Perspectives blog, New Software Security Framework Programs: Timeline & Key Milestones.

“These programs work together with the PCI Secure SLC and Secure Software Standards to help vendors address the security of both their development practices and their payment software products. We’re pleased to have the Secure SLC and Secure Software Programs documentation available now as the initial step towards providing the industry with validated listings of trusted payment software vendors and products under the PCI Software Security Framework,” said PCI SSC Chief Operating Officer Mauro Lance. “In the meantime, PCI SSC recognizes that transitioning from PA-DSS to the Software Security Framework will take time, and we want to reassure PA-DSS vendors, PA-QSAs and users of PA-DSS validated payment applications that the PA-DSS Program remains open and fully supported until October 2022, with no changes to how existing PA-DSS validated applications are handled.”

The PCI Software Security Framework will be a key discussion topic at the 2019 PCI Community Meetings. For more information and to register, visit: https://events.pcisecuritystandards.org.

About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.


Our website uses both essential and non-essential cookies (further described in our Privacy Policy) to analyze use of our products and services. By clicking “ACCEPT” below, you are agreeing to our use of non-essential cookies to provide third parties with information about your usage and activities. If you click “DECLINE” below, we will continue to use essential cookies for the operation of the website.