The security standard is changing. The new SSF (Software Security Framework) is a security standard published by the Payment Card Industry (PCI) with the aim of better protecting card data. The SSF sets requirements for software development methods, processes, and payment applications related to card payments. It also introduces new obligations in terms of reporting and process monitoring.
The new security standard serves different kinds of businesses better
The previous version of the information security standard, PA-DSS, is being phased out, since the standard expired on 28 October 2022. All systems audited against the previous PA-DSS standard will lose the accreditation associated with it. Compared to PA-DSS, the most obvious differentiator of the new SSF is that it consists of two parts. There is a core part of the standard, all requirements of which must be met regardless of the type of company involved. In addition to the core part, there are modules that must be met depending on the type of data the company handles and the services it provides.
The positive aspects of the reform are the broader possibilities it brings, which will make the standard clearer. The previous PA-DSS contained requirements at a more general level, some of which were unclear because they had to be applicable to all types of businesses. The revised security standard takes better account of the needs and characteristics of each business.
The revised standard requires companies to provide more detailed documentation
PCI SSF requires more detailed documentation than the previous PA-DSS. The architecture of the payment applications must be documented and critical assets, i.e. data vital to the operation of the application and sensitive data, must be documented and classified. The documentation requirements are useful for the further development of payment applications. In the previous security standard, documentation was not as comprehensive or clear.
PCI SSF primarily affects companies processing card data
For a company like Seitatech, updating the security standard is a requirement that must be met in order to continue delivering and deploying new software and terminals. All payment application developers will have to go through a new validation process when moving to a new security standard. This is a major change process for all payment application developers.
Of course, other types of companies can also obtain a certificate. Obtaining a certificate reinforces the image of secure payments. For example, applications within which purchases are made can be validated against the PCI SSF standard.
For Seitatech, security requirements are a prerequisite for business continuity
Seitatech started the PCI SSF application process about a year ago, and the project has been slowly moving forward. The audit was conducted and passed in May. Notification of the approved system was sent out in September, after the auditor had gone through the documentation related to the process. The PCI Council granted Seitatech the world’s first PCI SSF payment terminal software approval on October 27, just one day before all PA-DSS certificates expired globally.
Seitatech’s operations will not be significantly affected by the security reform. Security requirements are a prerequisite for the operation of Seitatech and other card payment companies. Whereas Seitatech used to apply for PA-DSS certificate validation, it now applies for PCI SSF validation at regular intervals. Validation is carried out at least every three years, but changes to the payment application, for example in terms of application encryption, may lead to the need for a new assessment. The security requirements remain similar, but the reform introduces more extensive documentation requirements.
New security requirements protect customer card data
From the customer’s perspective, it makes sense to choose a company with a new PCI SSF certification, as it indicates that the company is up to date with security requirements. PCI SSF is a requirement set by the payment system, and compliance is mandatory for newly implemented systems. By using an outdated system, customers are putting themselves at significant risk, which in the worst case will materialize as a security problem. This also means that with the new security standard, customers’ card details are more likely to be safe from hackers and data leaks.
Hackers’ attack techniques are constantly evolving, so security requirements must keep pace and improve. Data breaches occur all the time around the world. In addition to the data itself, data breaches target customers’ money and identity. A data breach is also always a huge reputational risk for the target company, and potential claims for compensation could bankrupt the entire company. Data breaches are always reviewed and new security requirements are developed from them, meaning that the latest security standards include the latest information to protect customer transactions.