PCI SLC
The PCI Secure Software Lifecycle (SLC) is a critical part of the PCI SSF (Secure Software Framework), developed by the PCI SSC. It defines the security requirements for the processes involved in creating, developing, testing, deploying, and maintaining payment-related software.
This standard is specifically designed for software vendors who need to demonstrate that their software lifecycle management processes are in line with industry best practices for security.

How can we help you?
If you're looking to ensure that your software development, maintenance, and management processes meet the highest security standards, we are here to support you. Our team will start by reviewing your approach, suggesting the best solutions, and thoroughly explaining the requirements of the PCI Secure Software Lifecycle (SLC) standard. We will verify whether your processes comply with the PCI SLC requirements and guide you through every stage of the certification journey.
As accredited Secure Software Lifecycle Assessor (SLA) auditors, we are qualified to conduct certification audits that help companies confirm their compliance with PCI SLC. By working with us, software vendors can ensure they meet stringent security requirements, which not only improves customer confidence but also simplifies aligning with other standards such as PCI DSS and PCI SSS.
We work in close partnership with our clients to navigate the entire certification process. With our expertise, you can be confident that every step—from gap analysis to final reporting—will be handled professionally, ensuring successful PCI SLC certification and boosting the security of your software.
How will we work with you?
Stage 1: Gap Analysis
This optional step is perfect for new clients who are unsure about their readiness for a certification audit. We simulate the certification audit, identify areas of non-compliance, and suggest improvements to help you align with PCI SLC standards.
Stage 2: Consulting
We will guide you through the entire certification process. With our expert advice, you’ll have answers to your questions and support in resolving challenges as you navigate PCI SLC certification.
Stage 3: Certification Audit
The audit can be conducted remotely, on-site, or in a hybrid format. After completion, you will receive a tracker document listing the required evidence and documents to submit. This step ensures you meet all PCI SLC compliance requirements.
Stage 4: Corrections and Evidence Collection
You’ll have up to 90 days to provide the necessary audit evidence or implement corrections based on observations. The quicker you provide evidence, the sooner we can proceed with the audit documentation.
Stage 5: Reporting
Once evidence is collected, we compile a detailed compliance report, which includes over 200 pages of analysis on your card environment. The report undergoes a quality assurance process, and after this, you will receive the Attestation of Validation (AOV) for your signature.
Stage 6: Sending Documents to PCI SSC
Once the audit is complete, we submit the documents to the PCI SSC for review. The solution will be listed on the PCI SSC website after being assessed by the Assessor Quality Management (AQM) team. The review process takes up to three months and requires timely payment of the PCI SSC invoice to start.
Stage 7: End of Process
When the solution is approved, you will receive the signed AOV document from PCI SSC. A few days later, your solution will be visible on the PCI SSC website. You will also receive a marketing certificate confirming the successful completion of the process.
Certification audit
The certification audit is a combination of on-site and remote activities designed to confirm your organization's compliance with the PCI SLC standard. The audit consists of five key components:
Staff interviews: Before the audit, we will send you an agenda outlining the topics to be discussed with your staff or suppliers. The interview process helps us better understand your organization, the roles and responsibilities of your team, and how you manage your card environment.
Configuration review: We will conduct a thorough review and verification of your environment's configuration. This may involve reviewing your systems, devices, tools, and access control systems, among other elements. During this process, we will often ask you to provide audit evidence.
Review of management processes: We will review the processes by which you manage your card environment, asking for documents like change reports, log reviews, and evidence of patch management sessions.
Documentation review: This step is mostly carried out remotely, where we will request documentation related to your card environment, such as network diagrams, policies, and procedures. It's essential that these documents are current, with the last review date no older than 12 months.
Process observations: For certain elements, we need to see the processes in action. This includes observing key generation and distribution, uploading keys to terminals, recording payment applications, and verifying secure room access. We simulate the processes and verify that each step is carried out correctly.
Following the audit, we will provide you with a comprehensive set of observations, documents, and evidence in the form of a tracker document. This document will outline what is required from you to proceed with the report and certification. Once all requirements are met, we can finalize the report and move forward with certification.
Don't buy a pig in a poke - request a free consultation and check how we can assist you.
