{"id":554,"date":"2026-01-27T12:06:53","date_gmt":"2026-01-27T11:06:53","guid":{"rendered":"https:\/\/pcihispano.com\/?p=554"},"modified":"2026-05-06T19:12:51","modified_gmt":"2026-05-06T17:12:51","slug":"que-es-pci-ssf-pci-secure-slc-pci-s3","status":"publish","type":"post","link":"https:\/\/www.pcihispano.com\/en\/que-es-pci-ssf-pci-secure-slc-pci-s3\/","title":{"rendered":"What is PCI SSF\/PCI Secure SLC\/PCI S3?"},"content":{"rendered":"<p><span class=\"intro-text\">This new article presents a brief introduction to the Software Security Framework or <strong>PCI SSF<\/strong> (<em>Payment Card Industry Software Security Framework<\/em>), which <a href=\"https:\/\/blog.pcisecuritystandards.org\/part-one-conceptual-differences-between-ssf-and-pa-dss\" target=\"_blank\" rel=\"noopener\">replaced<\/a> to standard <strong>PA-DSS<\/strong> (<em>Payment Applications Data Security Standard) <\/em>in October 2022.<br \/>\n<\/span><\/p>\n<div class=\"su-box su-box-style-glass\" id=\"\" style=\"border-color:#000000;border-radius:5px;max-width:none\"><div class=\"su-box-title\" style=\"background-color:#333333;color:#FFFFFF;border-top-left-radius:3px;border-top-right-radius:3px\">What is it?<\/div><div class=\"su-box-content su-u-clearfix su-u-trim\" style=\"border-bottom-left-radius:3px;border-bottom-right-radius:3px\">\n<p>All articles in the series \u00ab<a href=\"https:\/\/www.pcihispano.com\/en\/category\/que-es\/\" target=\"_blank\" rel=\"noopener\">What is it?<\/a>\u2018:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/que-es-pci-dss\/\" rel=\"bookmark\">What is PCI DSS?<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/que-es-pci-ssf-pci-secure-slc-pci-s3\/\" rel=\"bookmark\">What is PCI SSF\/PCI Secure SLC\/PCI S3?<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/que-es-pci-pin\/\" rel=\"bookmark\">What is PCI PIN?<\/a><\/li>\n<li><a href=\"https:\/\/www.pcihispano.com\/en\/que-es-pci-3ds\/\" target=\"_blank\" rel=\"noopener\">What is PCI 3DS?<\/a><\/li>\n<\/ul>\n<\/div><\/div>\n<h3>Introduction<\/h3>\n<p>One of the easiest targets to attack by a cybercriminal is a payment application that is outdated, does not use strong cryptography for the protection of sensitive data, or is incorrectly configured and\/or uses default values. In order to define basic parameters for card data protection in commercial payment applications and facilitate their integration in environments subject to compliance with the standard <a href=\"https:\/\/www.pcihispano.com\/en\/que-es-pci-dss\/\" target=\"_blank\" rel=\"noopener\">PCI DSS<\/a> (<em>Payment Card Industry Data Security Standard<\/em>), in 2004 VISA developed the basis for what would later become the standard <strong>PA-DSS<\/strong> (<em>Payment Applications Data Security Standard<\/em>) which was completely replaced by the new framework <strong>PCI SSF<\/strong> (<em>Payment Card Industry Software Security Framework) <\/em>in <a href=\"https:\/\/blog.pcisecuritystandards.org\/farewell-to-pa-dss-a-tribute-to-a-foundational-standard\" target=\"_blank\" rel=\"noopener\">October 2022<\/a>.<em><br \/>\n<\/em><\/p>\n<h3>Origin<\/h3>\n<p>In 2005 VISA USA published the document <a href=\"https:\/\/pcihispano.com\/wp-content\/uploads\/2022\/11\/Visa-CISP-Payment-Application-Best-Practices.pdf\" target=\"_blank\" rel=\"noopener\"><em>Payment Application Best Practices<\/em><\/a> (PABP) as a complementary part of your program <em>Cardholder Information Security Program<\/em> (CISP). This document contained eleven security principles to be applicable both in the software development process and during the deployment, operation and maintenance of commercial payment applications (sold, distributed or licensed by third parties) involved in authorization or settlement processes in credit and debit card transactions and used by merchants or service providers.<\/p>\n<p>The use of these best practices was completely voluntary (no mandatory application or sanctions were defined if not used) although it allowed interested companies to certify their software through a Qualified Security Advisor (QSA) to be listed on the VISA website.<\/p>\n<p>The VISA PABP document laid the groundwork for security controls in payment applications to be taken into account on two main fronts:<\/p>\n<ul>\n<li><strong>For internally developed applications<\/strong>, within the PCI DSS standard under requirement 6 \u00ab<em>Develop and maintain secure systems and applications<\/em>\u2018, and<\/li>\n<li><strong>For commercial payment applications<\/strong>, within standard <strong>PA-DSS<\/strong> (<em>Payment Applications Data Security Standard<\/em>).<\/li>\n<\/ul>\n<p>On 15 April 2008, the <a href=\"https:\/\/www.pcisecuritystandards.org\/\" target=\"_blank\" rel=\"noopener\">PCI Security Standards Council<\/a> (PCI SSC) published the standard <strong>PA-DSS<\/strong> (<em>Payment Applications Data Security Standard<\/em>) as an evolution of VISA PABP, formalizing the use of security controls in the development of software for commercial payment applications and defining the criteria for its use as a complementary element of security in environments affected by PCI DSS compliance.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-566\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/11\/PA-DSS-SSF_Timeline.png?resize=729%2C339&#038;ssl=1\" alt=\"\" width=\"729\" height=\"339\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PA-DSS-SSF_Timeline.png?w=1719&amp;ssl=1 1719w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PA-DSS-SSF_Timeline.png?resize=300%2C139&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PA-DSS-SSF_Timeline.png?resize=1024%2C476&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PA-DSS-SSF_Timeline.png?resize=768%2C357&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PA-DSS-SSF_Timeline.png?resize=1536%2C714&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PA-DSS-SSF_Timeline.png?resize=500%2C232&amp;ssl=1 500w\" sizes=\"auto, (max-width: 729px) 100vw, 729px\" \/><\/p>\n<p>Eleven years later, in <a href=\"https:\/\/www.pcisecuritystandards.org\/about_us\/press_releases\/pr_01162019\" target=\"_blank\" rel=\"noopener noreferrer\">January 2019<\/a>, the PCI SSC publishes a new framework for payment application security: <strong>PCI SSF<\/strong> (<em>Payment Card Industry Software Security Framework<\/em>), incorporating new requirements aligned with the development of modern payment applications. This framework completely replaced the PA-DSS standard in October 2022.<\/p>\n<h3>What is (or was) PA-DSS (<em>Payment Applications Data Security Standard<\/em>)?<\/h3>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-567\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/11\/pa-dss.png?resize=734%2C97&#038;ssl=1\" alt=\"\" width=\"734\" height=\"97\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/pa-dss.png?w=1006&amp;ssl=1 1006w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/pa-dss.png?resize=300%2C40&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/pa-dss.png?resize=768%2C102&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/pa-dss.png?resize=500%2C66&amp;ssl=1 500w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/pa-dss.png?resize=1000%2C133&amp;ssl=1 1000w\" sizes=\"auto, (max-width: 734px) 100vw, 734px\" \/><\/p>\n<p>The standard <strong>PA-DSS<\/strong> (Data security standard for payment applications \u2013 <em>Payment Applications Data Security Standard<\/em>) was first published in 2008 and its final version was the <a href=\"https:\/\/pcihispano.com\/wp-content\/uploads\/2022\/11\/PA-DSS_v3-2.pdf\" target=\"_blank\" rel=\"noopener\">3.2<\/a>, which was published in May 2016. <span class=\"highlight\">This standard was replaced by PCI SSF in October 2022.<\/span><\/p>\n<p>PA-DSS had fourteen requirements, ranging from card data protection in storage and transmission, to security management in the software development lifecycle and secure deployment in the customer environment:<\/p>\n<ul>\n<li><em>Requirement 1: Do not retain full track content, card verification code or value (CAV2, CID, CVC2, CVV2) or PIN block data<\/em><\/li>\n<li><em>Requirement 2: Protect the cardholder's stored data<\/em><\/li>\n<li><em>Requirement 3: Provide secure authentication features<\/em><\/li>\n<li><em>Requirement 4: Record the activity of the payment application<\/em><\/li>\n<li><em>Requirement 5: Develop secure payment apps<\/em><\/li>\n<li><em>Requirement 6: Protect wireless transmissions<\/em><\/li>\n<li><em>Requirement 7: Evaluate paid apps to fix vulnerabilities and to maintain app updates<\/em><\/li>\n<li><em>Requirement 8: Facilitate the implementation of a secure network<\/em><\/li>\n<li><em>Requirement 9: Cardholder data should never be stored on a server connected to the Internet<\/em><\/li>\n<li><em>Requirement 10: Provide secure remote access to the paid app<\/em><\/li>\n<li><em>Requirement 11: Encrypt sensitive traffic from public networks<\/em><\/li>\n<li><em>Requirement 12: Encrypt non-console administrative access<\/em><\/li>\n<li><em>Requirement 13: Maintain a PA-DSS Implementation Guide for Customers, Resellers, and Integrators<\/em><\/li>\n<li><em>Requirement 14: Assign PA-DSS responsibilities to staff and establish training programs for staff, customers, resellers and integrators<\/em><\/li>\n<\/ul>\n<p>One of the main objectives of PA-DSS was to <strong>optimize the security levels of commercial payment applications when integrated into a PCI DSS compliant environment<\/strong>, minimizing the possibility of security failures that would allow the commitment of the PAN (main account number), the complete content of the track, the codes and verification values of the card (CAV2, CID, CVC2, CVV2), the PIN data and the PIN block, as well as fraud resulting from security failures in the application.<\/p>\n<p>Payment applications eligible to be analyzed under the PA-DSS standard and listed on the PCI SSC website must meet the following criteria:<\/p>\n<ol>\n<li>Store, process or transmit cardholder data as part of authorisation or settlement processes; and<\/li>\n<li>To be sold, distributed or licensed by third parties<\/li>\n<\/ol>\n<p><center><div style=\"width: 900px;\" class=\"wp-video\"><video class=\"wp-video-shortcode\" id=\"video-554-1\" width=\"900\" height=\"506\" preload=\"metadata\" controls=\"controls\"><source type=\"video\/mp4\" src=\"https:\/\/pcihispano.com\/wp-content\/uploads\/2022\/11\/YTDown.com_YouTube_Farewell-to-PA-DSS-A-Tribute-to-a-Founda_Media_UWuEGxcMbn0_002_720p.mp4?_=1\" \/><a href=\"https:\/\/pcihispano.com\/wp-content\/uploads\/2022\/11\/YTDown.com_YouTube_Farewell-to-PA-DSS-A-Tribute-to-a-Founda_Media_UWuEGxcMbn0_002_720p.mp4\">https:\/\/pcihispano.com\/wp-content\/uploads\/2022\/11\/YTDown.com_YouTube_Farewell-to-PA-DSS-A-Tribute-to-a-Founda_Media_UWuEGxcMbn0_002_720p.mp4<\/a><\/video><\/div>\n<p><\/center><br \/>\nIn November 2022, the PCI SSC announced in its <a href=\"https:\/\/blog.pcisecuritystandards.org\/farewell-to-pa-dss-a-tribute-to-a-foundational-standard\" target=\"_blank\" rel=\"noopener\">official blog<\/a> the final withdrawal of PA-DSS and its replacement by PCI SSF. From that time all documents related to this standard (support documents, report templates, FAQs and the standard as such) were removed from the PCI SSC document library.<\/p>\n<h3>What is PCI SSF (<em>Payment Card Industry Software Security Framework<\/em>)?<\/h3>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-569\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/11\/pcissf.png?resize=663%2C111&#038;ssl=1\" alt=\"\" width=\"663\" height=\"111\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/pcissf.png?w=735&amp;ssl=1 735w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/pcissf.png?resize=300%2C50&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/pcissf.png?resize=500%2C84&amp;ssl=1 500w\" sizes=\"auto, (max-width: 663px) 100vw, 663px\" \/><\/p>\n<p>Due to current changes in terms of development methodologies, technologies, application types and their related vulnerabilities, the PA-DSS standard <a href=\"https:\/\/blog.pcisecuritystandards.org\/safecode-and-pci-ssc-discuss-the-evolution-of-secure-software\" target=\"_blank\" rel=\"noopener\">It was starting to get old-fashioned.<\/a>. In response, the PCI SSC began to develop a new approach to developing secure payment applications with modern needs, updating, optimizing and extending the PA-DSS criteria throughout the secure development lifecycle (<a href=\"https:\/\/csrc.nist.gov\/CSRC\/media\/Publications\/white-paper\/2019\/06\/07\/mitigating-risk-of-software-vulnerabilities-with-ssdf\/draft\/documents\/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Secure Software Development Lifecycle<\/em><\/a> \u2013 SSDLC). This new framework was named after <strong><em>PCI Software Security Framework\u00a0<\/em><\/strong>and was <a href=\"https:\/\/www.pcisecuritystandards.org\/pdfs\/New_Software_Security_Standards_Press_Release.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">published<\/a> for the first time in January 2019.<\/p>\n<p><span class=\"highlight\">The software security framework (<em><strong>PCI Software Security Framework<\/strong><\/em>) is a <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/SSF_At-a-Glance.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">set of software security standards<\/a>, including its validation programmes and the listing of certified applications.<\/span> Currently, there are <strong>two standards<\/strong> in this framework:<\/p>\n<ul>\n<li><em><a href=\"https:\/\/www.pcisecuritystandards.org\/standards\/secure-software\/\" target=\"_blank\" rel=\"noopener\">PCI Secure Software Standard \u2013 PCI S3<\/a>\u00a0<\/em> (current version: 2.0 \u2013 published in January 2026)<\/li>\n<li><em><a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI-Secure-SLC-Standard-v1_0.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">Secure Software Lifecycle (Secure SLC) Standard<\/a><\/em> (current version: 1.1 \u2013 published in February 2021)<\/li>\n<\/ul>\n<p>The formal assessment of compliance with the standards that make up this framework is carried out by approved companies called <a href=\"https:\/\/www.pcisecuritystandards.org\/assessors_and_solutions\/software_security_framework_assessors\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Secure SLC Assessor Companies<\/em><\/a> and its employees (<em>Secure SLC Assessors<\/em>).<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-10997\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/11\/PCI_SSF-1.png?resize=900%2C635&#038;ssl=1\" alt=\"\" width=\"900\" height=\"635\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCI_SSF-1.png?w=1963&amp;ssl=1 1963w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCI_SSF-1.png?resize=300%2C212&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCI_SSF-1.png?resize=1024%2C722&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCI_SSF-1.png?resize=768%2C541&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCI_SSF-1.png?resize=1536%2C1083&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCI_SSF-1.png?resize=1300%2C917&amp;ssl=1 1300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PCI_SSF-1.png?w=1800&amp;ssl=1 1800w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<h3>What is PCI S3 (<em>Secure Software Standard<\/em>)?<\/h3>\n<p>The <a href=\"https:\/\/www.pcisecuritystandards.org\/standards\/secure-software\/\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Secure Software Standard<\/strong><em><strong> (PCI Secure Software Standard<\/strong><\/em>)<\/a> o<strong> PCI S3<\/strong> defines a set of security requirements and associated assessment procedures that help ensure that payment applications adequately protect the integrity and confidentiality of both payment transactions and their related data. Its current version is the <a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/Software%20Security\/Standard\/PCI-Secure-Software-Standard-v2.0.pdf\" target=\"_blank\" rel=\"noopener\"><strong>2.0<\/strong><\/a>, published in <a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/Software%20Security\/Standard\/PCI-Secure-Software-Standard-v2.0-Summary-Of-Changes.pdf\" target=\"_blank\" rel=\"noopener\">January 2026<\/a>.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-574\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2022\/11\/PAvsSSF.png?resize=900%2C263&#038;ssl=1\" alt=\"\" width=\"900\" height=\"263\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PAvsSSF.png?w=1141&amp;ssl=1 1141w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PAvsSSF.png?resize=300%2C88&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PAvsSSF.png?resize=1024%2C300&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PAvsSSF.png?resize=768%2C225&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/PAvsSSF.png?resize=500%2C146&amp;ssl=1 500w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p><strong>PCI S3<\/strong> includes a set of basic requirements (<em>core<\/em>) which apply to all types of paid software, regardless of the functionality of the software or the underlying technology. These basic requirements (<em>core<\/em>) twelve (12) safety objectives are organised (<em>Security Objectives<\/em>) and four (4) additional modules, as listed below:<\/p>\n<p><strong>Core \u2013 All Software<\/strong><\/p>\n<ol>\n<li><em>\u00a0Software Architecture, Composition, and Versioning <\/em><\/li>\n<li><em>Sensitive Asset Identification<\/em><\/li>\n<li><em>Sensitive Asset Storage and Retention<\/em><\/li>\n<li><em>Sensitive Modes of Operation<\/em><\/li>\n<li><em>Sensitive Asset Protection Mechanisms<\/em><\/li>\n<li><em>Sensitive Asset Output<\/em><\/li>\n<li><em>Random Numbers<\/em><\/li>\n<li><em>Key Management<\/em><\/li>\n<li><em>Cryptography<\/em><\/li>\n<li><em>Threats and Vulnerabilities<\/em><\/li>\n<li><em>Secure Deployment and Management<\/em><\/li>\n<\/ol>\n<p><strong>Modules<\/strong><\/p>\n<ul>\n<li><em>Module A \u2013 Account-Data Protection:<\/em> Additional security requirements for software that stores, processes and\/or transmits account data (as defined in PCI DSS).<\/li>\n<li><em>Module B \u2013 POI Device Software<\/em>: Additional security requirements for software intended to be deployed and executed on Point of Interaction devices (<em>Point-of-Interaction<\/em> \u2013 POI) which have been evaluated and approved in accordance with the PCI PTS POI standard and programme.<\/li>\n<li><em>Module C \u2013 Publicly-accessible Software:<\/em> Additional security requirements for software that contains, even partially, an interface that is accessible through public networks.<\/li>\n<li><em>Module D \u2013 Software Development Kits<\/em>: Additional security requirements for software that is part of a software development kit (SDK).<\/li>\n<\/ul>\n<p>In the future, additional modules will be added to this standard to address other types of software, use cases or technologies.<\/p>\n<p><span class=\"highlight\">This standard applies to paid software that is sold, distributed or licensed by third parties. This includes payment software intended to be installed on customer systems, as well as payment software deployed to customers \"as a service\" (<em>As-a-Service<\/em>) via the Internet.<\/span> At the time of publication of this standard, the following criteria must be met in order for an application to be evaluated under these requirements:<\/p>\n<ol>\n<li>\u00a0Participate in, support or facilitate payment transactions directly, <strong>y<\/strong><\/li>\n<li>\u00a0Store, process or transmit card data in clear text and can therefore be validated by both the Secure Software Standard (PCI S3) and Module A \u2013 Payment Card Data Protection, <strong>y<\/strong><\/li>\n<li>\u00a0Be a product available on the market developed by the software vendor for sale to multiple organizations.<\/li>\n<\/ol>\n<p>Validation of the PCI S3 standard is not intended to:<\/p>\n<ul>\n<li>Software developed in-house for the exclusive use of the company that developed it<\/li>\n<li>Software developed and sold to a single customer for the exclusive use of this<\/li>\n<li>Payment software operating on any customer's mobile electronic device that is not solely dedicated to accepting payments for transaction processing<\/li>\n<li>Software products that are operating systems, databases or platforms, whether these can store, process or transmit card data.<\/li>\n<li>Payment software intended to be used in hardware terminals.<\/li>\n<\/ul>\n<p>Future modules are planned to support some of these use cases. Software that is not eligible for validation at initial program launch will not necessarily remain ineligible for the entire life of the program. All exclusions will be re-evaluated each time a new module is added to the Secure Software Standard (PCI S3) and as the program evolves.<\/p>\n<p>Application validations with the Secure Software Standard (PCI S3) have an expiration of <strong>three years<\/strong>.<\/p>\n<p>Finally, it is important to highlight that the fact that an entity has to use software validated according to the Secure Software Standard (PCI S3) is determined by the directives of the payment brands and not by the PCI SSC.<\/p>\n<h3>What is PCI Secure Software Lifecycle (Secure SLC) Standard?<\/h3>\n<p>The Secure Software Life Cycle Standard (<a href=\"https:\/\/www.pcisecuritystandards.org\/standards\/secure-software-lifecycle-secure-slc\/\" target=\"_blank\" rel=\"noopener\">PCI Secure Software Lifecycle (Secure SLC) Standard<\/a>) defines a set of security requirements and associated test procedures for software vendors to validate how they properly manage payment software security throughout the software lifecycle. Validation, according to the Standard, demonstrates that the software vendor has mature secure software lifecycle management practices to ensure that their payment software is designed and developed to protect payment transactions and data, minimize vulnerabilities, and defend against attacks. Its current version is the <strong>1.1<\/strong>, published in February 2021.<\/p>\n<p>The PCI Secure SLC standard is intended for vendors\/software providers who develop software for the payment industry. Software vendors who have their software lifecycle management practices validated will be recognized in the <a href=\"https:\/\/www.pcisecuritystandards.org\/assessors_and_solutions\/software_lifecycle?agree=true\" target=\"_blank\" rel=\"noopener noreferrer\">List of Qualified SLC Providers PCI SSC Insurance<\/a>.<\/p>\n<p>Like the PCI S3 standard, the PCI Secure SLC standard is organized into four (4) security objectives that include ten (10) control objectives:<\/p>\n<ol>\n<li><strong>Software security governance (<em>Security Governance Software<\/em>)<\/strong>\n<ul>\n<li>Responsibility and safety resources (<em>Security Responsibility and Resources<\/em>)<\/li>\n<li>Software Security Policy and Strategy (<em>Software Security Policy and Strategy<\/em>)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Secure Software Engineering (<em>Secure Software Engineering<\/em>)<\/strong>\n<ul>\n<li>Threat identification and mitigation (<em>Threat Identification and Mitigation<\/em>)<\/li>\n<li>Detection and mitigation of vulnerabilities (<em>Vulnerability Detection and Mitigation<\/em>)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Secure software and data management (<em>Secure Software and Data Management<\/em>)<\/strong>\n<ul>\n<li>Change management (<em>Change Management<\/em>)<\/li>\n<li>Protection of software integrity (<em>Integrity Protection Software<\/em>)<\/li>\n<li>Protection of sensitive data (<em>Sensitive Data Protection<\/em>)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Secure communication (<em>Security Communications<\/em>)<\/strong>\n<ul>\n<li>Supplier Safety Guide (<em>Vendor Security Guidance)<\/em><\/li>\n<li>Communications with stakeholders (<em>Stakeholder Communications<\/em>)<\/li>\n<li>Software Update Information (<em>Software Update Information<\/em>)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h3>What is the relationship between the PCI S3 standard and the PCI Secure SLC standard?<\/h3>\n<p>The PCI S3 standard and the PCI Secure SLC standard are two separate and independent standards. While both standards address some of the same concepts, each of them realizes them from a different perspective:<\/p>\n<ul>\n<li>The secure functionality and security features of an application are covered in the PCI S3 standard<\/li>\n<li>Secure software development processes are covered in the PCI Secure SLC standard<\/li>\n<\/ul>\n<p>That said, additional flexibility is provided to PCI Secure SLC Qualified Providers as part of validating their payment software to the PCI S3 standard. These providers will be empowered to conduct and self-manage their own software delta assessments (as part of validating their payment software products to the PCI S3 standard) with reduced involvement or supervision by the qualified advisor.<\/p>\n<h3>How will the migration from PA-DSS to PCI SSF take place?<\/h3>\n<p>The PCI Software Security Framework has an immediate impact on applications currently validated under the PA-DSS program. Upon expiration, all payment applications validated under PA-DSS will be moved to the list of \"Acceptable only for pre-existing deployments\" (<em>Acceptable Only for Pre-Existing Deployments<\/em>).<\/p>\n<p>More information in the document <em><a href=\"https:\/\/blog.pcisecuritystandards.org\/resource-guide-transitioning-from-pa-dss-to-the-software-security-framework\" target=\"_blank\" rel=\"noopener noreferrer\">Transitioning from PA-DSS to the PCI Software Security Framework<\/a>.<\/em><\/p>\n<h3>Relationship between PCI DSS and Software Security Framework standards (PCI S3 and PCI Secure SLC)<\/h3>\n<p>In the <a href=\"https:\/\/www.pcihispano.com\/en\/que-es-pci-dss\/\" target=\"_blank\" rel=\"noopener\">PCI DSS version 4.0<\/a> a specific section was included in the standard document (<em>Appendix F \u2013 Leveraging the PCI Software Security Framework to Support Requirement 6<\/em>) which describes in detail how software validated under the controls of the PCI S3 and PCI Secure SLC standards can be used to meet the requirements of the standard or when using the custom approach (<em>customized approach<\/em>):<\/p>\n<ul>\n<li><strong>When using customized software that has been developed and maintained by an approved vendor such as Secure SLC Qualified Vendor<\/strong>, compliance with control 6.2 is facilitated and the custom approach is supported in controls 6.3 and 6.5. In this case, it must be validated that the supplier that develops the software is listed in the inventory of <a href=\"https:\/\/listings.pcisecuritystandards.org\/assessors_and_solutions\/vpa_agreement?return=%2Fassessors_and_solutions%2Fsoftware_lifecycle\" target=\"_blank\" rel=\"noopener\">Secure SLC Qualified Vendors<\/a>, that the software is developed and maintained as part of that vendor's software validation and that the entity that must comply with PCI DSS has followed the implementation guidelines.<\/li>\n<li><strong>When using customized software that has been developed according to the PCI Secure SLC standard.\u00a0<\/strong>The entity that must comply with PCI DSS may also use PCI Secure SLC as a reference for its internal developments. To validate it, a Secure SLC advisor must review the development process and document it in related reports.<\/li>\n<li>C<strong>uando uses third party-provided software validated under PCI S3<\/strong>. In this case, the use of software validated under PCI S3 can support compliance with control 6.2.4 and implementation of the custom approach for controls 6.3 and 6.5. To do this, the QSA advisor must review the compliance reports for such software (<em>Secure Software Report on Validation<\/em> (ROV) and <em>Secure Software Attestation of Validation<\/em> (AOV)) and validate that these reports are not expired.<\/li>\n<\/ul>\n<h3>Other additional considerations<\/h3>\n<p>The standards that make up the Software Security Framework (PCI SSF) are completely independent of other PCI SSC standards. Using payment software certified under these standards can help support the security of cardholders' data environment (<em>Cardholder Data Environment<\/em> \u2013 CDE) of an entity, but does not cause an entity to comply with PCI DSS, nor does it imply compliance with or the result of validation of any other PCI SSC standard. Entities must ensure that all payment software is deployed in a PCI DSS compliant manner and is included in their annual assessment to verify that the software is properly configured and meets the applicable PCI DSS requirements.<\/p>\n<h3>References<\/h3>\n<p><a href=\"https:\/\/blog.pcisecuritystandards.org\/how-to-successfully-transition-software-from-pa-dss-to-the-pci-secure-software-standard\" target=\"_blank\" rel=\"noopener\">How to Successfully Transition Software from <span class=\"hs-search-highlight hs-highlight-title\">PA<\/span>\u2013<span class=\"hs-search-highlight hs-highlight-title\">DSS<\/span> to the PCI Secure Software Standard<\/a><\/p>\n<p><a class=\"hs-search-results__title\" href=\"https:\/\/blog.pcisecuritystandards.org\/pci-software-security-framework-faqs-pa-dss-impact-and-transition\" target=\"_blank\" rel=\"noopener\">PCI Software Security Framework FAQS: <span class=\"hs-search-highlight hs-highlight-title\">PA<\/span>\u2013<span class=\"hs-search-highlight hs-highlight-title\">DSS<\/span> Impact and Transition<\/a><\/p>\n<p><a class=\"hs-search-results__title\" href=\"https:\/\/blog.pcisecuritystandards.org\/resource-guide-transitioning-from-pa-dss-to-the-software-security-framework\" target=\"_blank\" rel=\"noopener\">Resource Guide: Transitioning from <span class=\"hs-search-highlight hs-highlight-title\">PA<\/span>\u2013<span class=\"hs-search-highlight hs-highlight-title\">DSS<\/span> to the Software Security Framework<\/a><\/p>\n<p><a href=\"https:\/\/blog.pcisecuritystandards.org\/update-on-pci-software-security-framework\" target=\"_blank\" rel=\"noopener\">Update on PCI Software Security Framework<\/a><\/p>\n<p><a href=\"https:\/\/www.pcihispano.com\/en\/la-realidad-de-pci-ssf-lo-que-vendedores-entidades-y-asesores-siguen-ignorando\/\" target=\"_blank\" rel=\"noopener\">The reality of PCI SSF: What Sellers, Entities (and Advisors) Keep Ignoring<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>This new article presents a brief introduction to the Payment Card Industry Software Security Framework (PCI SSF), which replaced the PA-DSS (Payment Applications Data Security Standard) standard in October 2022. Introduction One [\u2026]<\/p>","protected":false},"author":2,"featured_media":6018,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[415,53],"tags":[33,419,95,57,96,98,97,423,99,424,422],"class_list":["post-554","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pci-ssf","category-que-es","tag-desarrollo","tag-development","tag-pa-dss","tag-pci-dss","tag-pci-s3","tag-pci-secure-sdl","tag-pci-ssf","tag-poi","tag-software","tag-terminal","tag-web"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/11\/ssf.png?fit=1918%2C1078&ssl=1","jetpack-related-posts":[{"id":10785,"url":"https:\/\/www.pcihispano.com\/en\/la-realidad-de-pci-ssf-lo-que-vendedores-entidades-y-asesores-siguen-ignorando\/","url_meta":{"origin":554,"position":0},"title":"La realidad de PCI SSF: Lo que Vendedores, Entidades (y Asesores) siguen ignorando","author":"H\u00e9ctor Garc\u00eda","date":"enero 14, 2026","format":false,"excerpt":"Este es el primer art\u00edculo de una serie dedicada a desglosar el PCI Software Security Framework (SSF). En futuras entregas, profundizaremos en detalles t\u00e9cnicos y casos de uso espec\u00edficos, pero hoy empezamos por los cimientos. En el ecosistema de seguridad de pagos, los est\u00e1ndares no son est\u00e1ticos; evolucionan para responder\u2026","rel":"","context":"In &quot;Contenido general&quot;","block_context":{"text":"Contenido general","link":"https:\/\/www.pcihispano.com\/en\/category\/contenido\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/01\/development.png?fit=1200%2C674&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/01\/development.png?fit=1200%2C674&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/01\/development.png?fit=1200%2C674&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/01\/development.png?fit=1200%2C674&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/01\/development.png?fit=1200%2C674&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":247,"url":"https:\/\/www.pcihispano.com\/en\/cambios-en-pci-hispano\/","url_meta":{"origin":554,"position":1},"title":"Cambios en PCI Hispano","author":"David Acosta","date":"agosto 18, 2022","format":false,"excerpt":"Con m\u00e1s de 250 art\u00edculos publicados y una media de 10.000 visitantes \u00fanicos por mes, PCI Hispano se ha convertido en un referente en el \u00e1rea de seguridad de medios de pago y cumplimiento normativo en Hispanoam\u00e9rica. Sin embargo, despu\u00e9s de m\u00e1s de 9 a\u00f1os en l\u00ednea, era necesario realizar\u2026","rel":"","context":"In &quot;Noticias&quot;","block_context":{"text":"Noticias","link":"https:\/\/www.pcihispano.com\/en\/category\/noticias\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Cambios.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Cambios.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Cambios.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Cambios.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/Cambios.png?fit=1200%2C675&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":5110,"url":"https:\/\/www.pcihispano.com\/en\/diferencias-entre-un-estandar-del-pci-ssc-y-un-programa-de-validacion\/","url_meta":{"origin":554,"position":2},"title":"Diferencias entre un est\u00e1ndar del PCI SSC y un programa de validaci\u00f3n","author":"David Acosta","date":"noviembre 27, 2024","format":false,"excerpt":"El cumplimiento de los controles de los est\u00e1ndares del PCI SSC se rigen por dos elementos que trabajan de forma mancomunada: el est\u00e1ndar como tal y su programa de validaci\u00f3n relacionado. Aqu\u00ed te explicamos sus diferencias. Cuando una entidad requiere demostrar su cumplimiento con un est\u00e1ndar de seguridad en particular,\u2026","rel":"","context":"In &quot;Contenido general&quot;","block_context":{"text":"Contenido general","link":"https:\/\/www.pcihispano.com\/en\/category\/contenido\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/11\/standard_vs_program.png?fit=1200%2C674&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/11\/standard_vs_program.png?fit=1200%2C674&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/11\/standard_vs_program.png?fit=1200%2C674&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/11\/standard_vs_program.png?fit=1200%2C674&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/11\/standard_vs_program.png?fit=1200%2C674&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":243,"url":"https:\/\/www.pcihispano.com\/en\/que-es-pci-dss\/","url_meta":{"origin":554,"position":3},"title":"\u00bfQu\u00e9 es PCI DSS?","author":"David Acosta","date":"agosto 18, 2024","format":false,"excerpt":"En esta nueva serie de art\u00edculos de PCI Hispano se presentar\u00e1 una descripci\u00f3n general de cada uno de los est\u00e1ndares publicados actualmente por el Consejo de Est\u00e1ndares de Seguridad de la Industria de Tarjetas de Pago (Payment Card Industry Security Standards Council \u2013 PCI SSC) para la protecci\u00f3n de los\u2026","rel":"","context":"In &quot;Destacado&quot;","block_context":{"text":"Destacado","link":"https:\/\/www.pcihispano.com\/en\/category\/destacado\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/PCIDSS.png?fit=1200%2C674&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/PCIDSS.png?fit=1200%2C674&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/PCIDSS.png?fit=1200%2C674&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/PCIDSS.png?fit=1200%2C674&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/08\/PCIDSS.png?fit=1200%2C674&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":11498,"url":"https:\/\/www.pcihispano.com\/en\/que-es-pci-3ds\/","url_meta":{"origin":554,"position":4},"title":"\u00bfQu\u00e9 es PCI 3DS?","author":"David Acosta","date":"febrero 26, 2026","format":false,"excerpt":"En este art\u00edculo se presenta una breve descripci\u00f3n del est\u00e1ndar PCI 3DS, orientado a la protecci\u00f3n de las transacciones no presenciales (card-not-present) de comercio electr\u00f3nico a trav\u00e9s de la autenticaci\u00f3n robusta del titular de tarjeta. Introducci\u00f3n El est\u00e1ndar\u00a0Payment Card Industry 3-D Secure \u2013 Security Requirements and Assessment Procedures for EMV\u00ae\u2026","rel":"","context":"In &quot;PCI 3DS&quot;","block_context":{"text":"PCI 3DS","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-3ds\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/02\/shopping_cart.png?fit=1200%2C674&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/02\/shopping_cart.png?fit=1200%2C674&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/02\/shopping_cart.png?fit=1200%2C674&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/02\/shopping_cart.png?fit=1200%2C674&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/02\/shopping_cart.png?fit=1200%2C674&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":11637,"url":"https:\/\/www.pcihispano.com\/en\/que-se-sabe-acerca-de-pci-dss-v5-0\/","url_meta":{"origin":554,"position":5},"title":"\u00bfQu\u00e9 se sabe acerca de PCI DSS v5.0?","author":"David Acosta","date":"abril 7, 2026","format":false,"excerpt":"La versi\u00f3n 4.0 de PCI DSS fue publicada en marzo de 2022. El PCI Security Standards Council ya est\u00e1 trabajando activamente en la versi\u00f3n 5.0. \u00bfQu\u00e9 se sabe de esta nueva versi\u00f3n? La Ley de Rendimientos Acelerados de Ray Kurzweil nos indica que los avances tecnol\u00f3gicos se desarrollan seg\u00fan una\u2026","rel":"","context":"In &quot;Contenido general&quot;","block_context":{"text":"Contenido general","link":"https:\/\/www.pcihispano.com\/en\/category\/contenido\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/04\/5.png?fit=1200%2C674&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/04\/5.png?fit=1200%2C674&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/04\/5.png?fit=1200%2C674&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/04\/5.png?fit=1200%2C674&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2026\/04\/5.png?fit=1200%2C674&ssl=1&resize=1050%2C600 3x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/comments?post=554"}],"version-history":[{"count":1,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/554\/revisions"}],"predecessor-version":[{"id":11701,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/554\/revisions\/11701"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/media\/6018"}],"wp:attachment":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/media?parent=554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/categories?post=554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/tags?post=554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}