PCI Secure Software Framework Adoption Tracker

I’ve written elsewhere about the initial uptake of the PCI Secure Software Framework. We’re rapidly approaching the point in time where the PCI PA-DSS will close for new submissions, and the PCI SSF will be the only show in town for PCI software vendors.

This page will be updated on approximately a monthly basis, to track adoption of the new standard over time. The initial update is for January 2021, since 2021 is the first full year these standards are in operation. What I would expect over the next 6-9 months is a significant uptick in registrations after June. It’s been known for some time that the old PA-DSS is being would down, and so it’s reasonable to expect that organizations are currently going through SSF assessments for existing software.

Without access to private data at various assessor companies it’s hard to gauge exactly how the SSF rollout is going at this point. But by tracking month on month I hope to provide some visibility into this.

Contents

Tracking Data

The following data is collected mid-month, every month. That’s enough to illustrate the underlying rates of adoption over time.

MonthSecure SLCPayment Software
2022-0355
2022-0224
2022-0122
2021-1222
2021-1122
2021-1022
2021-0922
2021-0822
2021-0712
2021-0612
2021-0512
2021-0412
2021-0312
2021-0211
2021-0110

December 2021 Comments

We’re now at the end of December 2021, and there are still just 2 validated providers, and 2 validated software solutions. Within the next 60 days both software products are due for their first annual revalidation. The assumption is that both vendors are diligently working to revalidate on schedule. Given the current state of the market and lack of validated competition I would love to know if the question has been asked at either place, “is it worth the time and money?”.

As a personal anecdote, people I meet in the industry still haven’t heard of the new framework. It’s news to them when I explain that PA DSS is on its way out, replaced by a new framework with multiple standards. At minimum, the PCI Council need to step up their communications game and get the word out to interested parties.

August 2021 Comments

Over the long term I expect, perhaps wrongly, to see more validated software solutions than software vendors. If nothing else, each vendor can have multiple products targetting different niches. So I’m a little surprised that instead of an uptick in the number of validated software products, we see the number of SLC-validated vendors pulling even.

It’s now 2 for Secure SLC and 2 for Payment Software. Will we actually see more companies be validated than products? If that’s the case, there’s a lot of “hidden” custom payment software development going on.

Mid-2021 Comments

As of mid-2021, it’s clear that rates are still very low in terms of companies and solutions validated as compliance. What we don’t know from this data is whether there are few or many currently undergoing assessments. That should become clear over the next few months.