Synopsys Software Integrity Group is now operating as Black Duck Software, Inc., a subsidiary of Synopsys.

Introduction to PCI SSF

Course Description

This course provides a thorough introduction to the requirements introduced by the PCI Software Security Framework (SSF). PCI SSF replaces the PCI Payment Application Data Security Standard (PA-DSS), which is being retired in October 2022, and introduces two new standards, each with its own validation and listing program: the Secure Software Standard and the Secure Software Life Cycle (Secure SLC) Standard.

The main goal of this course is to present the requirements that these standards introduce for creating payment software that is designed, engineered, developed, and maintained in a manner that protects payment transactions and data, minimizes vulnerabilities, and defends against attacks. Students will learn to conduct a gap analysis and create a roadmap to ensure that both their software life cycle and the payment software they produce comply with PCI SSF. They will also gain a thorough understanding of the areas they need to focus on in order to protect sensitive data and payment data that is stored, processed, or transmitted by the software.

Learning Objectives

  • Understand the requirements that PCI SSF introduces and how it differs from PA-DSS
  • Perform a gap analysis and create a roadmap to comply with PCI SSF
  • Design and implement processes and procedures to create a secure software life cycle following the PCI Secure Software Life Cycle Standard
  • Design and implement security controls for payment software according to the requirements of the PCI Secure Software Standard
  • Ensure the secure development of applications to protect the integrity and confidentiality of sensitive data they store, process, and transmit

Details

Delivery Format: eLearning

Duration: 1 hour

Level: Beginner

Intended Audience:

  • Architects
  • Back-End Developers
  • Enterprise Developers
  • Front-End Developers
  • Mobile Developers
  • QA Engineers

Prerequisites: 

Course Outline

Introduction
  • Scope
  • Vendor Responsibilities
  • Required Documentation and Materials
  • Secure SLC Assessment Process
  • Secure Software Standard Assessment Process
  • Changes to Payment Software

Software Security Governance

  • Senior Leadership
  • Roles and Responsibilities
  • Training
  • Software Security Policy
  • Software Security Strategy
  • Software Security Assurance

Design

  • Asset Inventory
  • Open Source Software
  • Identify Threats
  • Threat Modeling
  • Security Controls
  • Secure Defaults
  • Principle of Least Privilege

Data Protection

  • Data Collection
  • Protecting Sensitive Data at Rest
  • Protecting Sensitive Data in Transit
  • Cryptography
  • Key Management
  • Random Numbers
  • Data Retention
  • Deleting Sensitive Data
  • Account Data Protection

Authentication and Access Control

  • Authentication Mechanisms
  • Accountability
  • Protecting Authentication Credentials
  • Access Control

Change and Vulnerability Management

  • Vulnerability Detection and Security Testing
  • Fixing Vulnerabilities
  • Updates and Fixes
  • Software Integrity Protection
  • Change Management
  • Versioning

Security Monitoring

  • Activity Tracking
  • Managing and Protecting Activity Logs
  • Security Monitoring

Communication with Stakeholders

  • Communicating with Stakeholders
  • Reporting Vulnerabilities
  • Implementation Guidance

Terminal Software Security

  • Terminal Software Design
  • Terminal Software Security Testing and Attack Mitigation

Documentation and Implementation Guidance
