Scope of Requirements
The PCI Secure SLC Requirements apply to the software vendor’s processes, technology, and personnel involved in the design, development, deployment, and maintenance of the software vendor’s software products and services including, but not limited to:
- The policies and processes that govern how the software vendor manages its software throughout the software lifecycle.
- The tools, technologies, and techniques used by the software vendor in the development and management of its software.
- The software-testing methods and technologies used by the software vendor and the results of such testing.
- All people involved in the management of the software vendor’s software, including applicable vendor personnel and third-party contributors.
- All processes supporting the software vendor’s software lifecycle management activities, including change management, vulnerability management, and risk management.
- The software vendor’s software versioning methodology.
- All guidance the software vendor is expected to provide its customers and other stakeholders to ensure that customers know how to implement and configure its software in a secure manner.
- All software vendor communications to its stakeholders.
Some software vendors may have multiple software products covered by different software lifecycle management programs. Prior to assessment against the PCI Secure SLC Requirements, software vendors should identify the software products and associated software lifecycle management program(s) to be covered under the assessment. For more information on defining the scope of the Secure SLC assessment, refer to the PCI Secure SLC Program Guide.
