PCI Secure Software Framework Adoption Tracker

I’ve written elsewhere about the initial uptake of the PCI Secure Software Framework. We’re rapidly approaching the point in time where the PCI PA-DSS will close for new submissions, and the PCI SSF will be the only show in town for PCI software vendors.

This page will be updated on approximately a monthly basis, to track adoption of the new standard over time. The initial update is for January 2021, since 2021 is the first full year these standards are in operation. What I would expect over the next 6-9 months is a significant uptick in registrations after June. It’s been known for some time that the old PA-DSS is being would down, and so it’s reasonable to expect that organizations are currently going through SSF assessments for existing software.

Without access to private data at various assessor companies it’s hard to gauge exactly how the SSF rollout is going at this point. But by tracking month on month I hope to provide some visibility into this.

Tracking Data

The following data is collected mid-month, every month. That’s enough to illustrate the underlying rates of adoption over time.

MonthSecure SLCPayment Software
2021-0822
2021-0712
2021-0612
2021-0512
2021-0412
2021-0312
2021-0211
2021-0110

August 2021 Comments

Over the long term I expect, perhaps wrongly, to see more validated software solutions than software vendors. If nothing else, each vendor can have multiple products targetting different niches. So I’m a little surprised that instead of an uptick in the number of validated software products, we see the number of SLC-validated vendors pulling even.

It’s now 2 for Secure SLC and 2 for Payment Software. Will we actually see more companies be validated than products? If that’s the case, there’s a lot of “hidden” custom payment software development going on.

Mid-2021 Comments

As of mid-2021, it’s clear that rates are still very low in terms of companies and solutions validated as compliance. What we don’t know from this data is whether there are few or many currently undergoing assessments. That should become clear over the next few months.