Learn about Security Compass’s course on PCI103 PCI SSF Compliance.
Course Learning Objectives
This course covers the Payment Card Industry Software Security Framework (PCI SSF) in seven modules. By the end of this course, you’ll be able to describe:
- The structure of the framework and its key components.
- Three controls for minimizing the attack surface of applications: asset identification, secure defaults, and sensitive data retention.
- The four key controls to protect the integrity and confidentiality of critical assets: critical Asset Protection, Authentication and Access Controls, Sensitive Data Protection, and Cryptography.
- The two controls for tracking activity involving critical assets: activity tracking and attack detection controls.
- The three controls that implement secure software lifecycle management practices: threat and vulnerability management, secure software updates, and software vendor implementation.
- The two controls for assessing and protecting account data that is stored, processed, and transmitted cardholder data protection and sensitive authentication data protection.
- The five controls for protecting software intended for deployment and developing software intended for Point-of-Interaction devices: documenting, designing, mitigating attacks, security testing, and securely implementing terminal software.
Description
This course examines the PCI SSF and the PCI Security Software Standard (PCI SSS or S3), which is a component of PCI SSF. The framework was designed by the PCI Council to encourage developers to design and implement more secure software and will replace the Payment Application Data Security Standard (PADSS) in 2022.
| Audience | Time Required |
|---|---|
| Developers, DevOps, PMs PCI Assessors |
Tailored learning – 55 minutes total approx. |
Course Outline
1. Introduction to PCI SSS
- The PCi Secure Software Framework
- Relationship with PA-DSS
- Transition timelines
- Introduction to the Secure SLC Program
- SSF Assessors
2. Minimizing the attack surface
- Critical data identification
- Critical function and resource identification
- Critical asset identification
- Minimizing exposed software functions
- Limiting software privileges and resources
- Limiting default privileges for built-in accounts
- Reducing sensitive and transient data
- Securely deleting sensitive and transient data
- Minimizing data leaks
3. Software protection mechanisms
- Critical data identification
- Authentication and access control
- Protecting sensitive data
- Using cryptography
4. Secure software operations
- Tracking software activity
- What if a security control fails?
- Detecting attacks
5. Implementing SSLC
- Threat and vulnerability management
- Secure software updates
- Software implementation guidance
6. Account data
- What is account data?
- Protecting account data
- Protecting PAN data
- Protecting sensitive authentication data