An entity wants to know if the Software Security Framework can be leveraged during their assessment. Which of the following software types would this apply to?
A. Any payment software in the CDE.
B. Only software which runs on PCI PTS devices.
C. Validated Payment Applications that are listed by PCI SSC and have undergone a PA-DSS assessment.
D. Software developed by the entity in accordance with the Secure SLC Standard.
The Software Security Framework (SSF) is intended to support entities using bespoke and custom software within the Cardholder Data Environment (CDE). If the software is developed and maintained in accordance with the Secure Software Lifecycle (SLC) Standard, it can help demonstrate secure software development practices and potentially reduce the number of applicable PCI DSS requirements.
Option A: Incorrect. Not all payment software qualifies unless developed under SSF standards.
Option B: Incorrect. PCI PTS devices follow different hardware security standards.
Option C: Incorrect. PA-DSS has been retired; those applications are now listed as “Acceptable Only for Pre-Existing Deployments”.
Option D: Correct. Software developed under the Secure SLC Standard may help an entity meet some requirements in PCI DSS Requirement 6.