PCI SSF
Your certification according to the Software Security Framework
Payment software providers can prove with certifications according to the Software Security Framework (SSF) that both their payment software and their development processes meet comprehensive and strict security standards to protect payment data. The SSF currently comprises two separate standards:
The Secure Software Standard
in its current version concerns payment applications that store, process or transmit credit card data. Further additions, for example tailored to specific technologies, will be added in the future.
The Secure Software Lifecycle Standard (Secure SLC)
ist eine optionale Unternehmenszertifizierung, mit der Softwarehersteller nachweisen, dass sie umfassende Sicherheitsmaßnahmen in den kompletten Software-Lebenszyklus integriert haben.
Your certification process
Nicht bearbeiten!
Your content goes here. Edit or remove this text inline or in the module Content settings. You can also style every aspect of this content in the module Design settings and even apply custom CSS to this text in the module Advanced settings.
Kick-off
Introduction to the Software Security Framework. Together with you, we will discuss the certification relevance of your applications or development processes within the scope of a Scope Workshop, depending on the certification you are aiming for. Any directly recognizable deviations from the specifications of the SSF standards will be named.
Preparation
In preparation for your certification, we check compliance with the requirements of the SSF standards with the aid of a Gap Analysis. This gives you the opportunity to detect existing deviations in the software and in the relevant processes for development, testing, deployment and support, as well as in the associated documentation, at an early stage and to correct them before the official certification is granted.
In addition, we offer to test your application or your systems with a Pentest for technical weak points and vulnerabilities.
Certification
The on-site assessment itself is the formal process in which accredited auditors check your company’s processes and applications within the scope for compliance with the requirements of the SSF standards.
The results of the on-site assessment are documented, including any necessary recommendations for action. You then correct any documented deviations from the SSF standards. Your corrections are subsequently reviewed by your auditor who at he same time produces the official assessment report.
Once you have given your go-ahead, the report is sent to the PCI Council for review. After approval by the PCI Council, you will receive a certificate issued by your assessor and a seal of approval which you can embed on your website.
Compliance
After your successful certification, we support you in the ongoing maintenance of your compliance. We will discuss relevant changes at your company or changes to the security standard itself and discuss the resulting measures to maintain your compliance.
How to get started
SSF scope workshop
We always start with a Scope Workshop, in which you receive a comprehensive introduction to the topic. The workshop provides information on the relevant certification scope and forms the basis for estimating the cost of the offer.
SSF Gap Analysis
We recommend that you have an SSF Gap Analysis performed in addition to the Scope Workshop in order to be able to identify deviations from the standards in good time and correct them before the assessment.
Your transition from PA-DSS to SSF
The SSF will completely replace the Payment Application Data Security Standard (PA-DSS), the current security standard for payment software issued by the PCI Security Standards Council, within the next few years.
Our experts will explain to you in detail what innovations you can expect from your SSF certification. We will be happy to help you through a smooth transition from PA-DSS to SSF.

Read our expert’s opinion on the new Software Security Framework here.

Our webinar covered an introduction to the new PCI Software Security Framework as well as a basic understanding of the respective standards and the changes and possibilities for affected businesses.