The PCI Security Standards Council (PCI SSC) has published the first major revision to the PCI Secure Software Standard and its supporting Program Guide. This revision is the result of more than 18 months of collaboration with the PCI SSC stakeholder community.
The PCI Secure Software Standard helps provide assurance that software is designed, developed, and maintained in a manner that protects payment-related data and payment-related functionality.
Version 2.0 of the PCI Secure Software Standard includes a new companion document to help identify and document sensitive assets of the software. In addition, software development kits (SDKs) are now eligible to be assessed, which includes EMVCo© 3DS SDKs. The PCI Secure Software Standard v2.0 is intended to provide an alternate path for the assessment of 3DS SDKs, eventually replacing the need for the PCI 3DS SDK Standard to align with the PCI SSC roadmap initiatives for standards consolidation. As part of this transition, the PCI 3DS Data Matrix has been updated to version 1.2, which now includes information regarding 3DS SDK sensitive data elements.
Other highlights of the major revision include the introduction of the use of wildcards to account for non-security impacting software changes, a revised delta change process with a new change impact template, Portal access to submit annual attestations and administrative changes by the software vendor, and improved Portal and listing features.
The following documents are now available in the PCI SSC Document Library:
- PCI Secure Software Standard v2.0
- PCI Secure Software Standard – Sensitive Asset Identification (for use with v2.x)
- Summary of Changes from PCI Secure Software Standard v1.2.1 to v2.0
- PCI Secure Software Program Guide (for use with v2.x)
- PCI 3DS Data Matrix, v1.2
The supporting v2.x ROV, AOV, and new Change Impact templates are expected to be available in early February 2026.
The v2.0 computer-based training (CBT) is expected to be available within Q1 of 2026 to support existing secure software assessors. Instructor-led training (ILT) is planned for Q2 to support new secure software assessors. Once training becomes available, a 12-month transition period from v1.2.1 to v2.0 will begin.
The first major revision to the PCI Secure Software Lifecycle Standard will be released soon to complement the PCI Secure Software Standard as part of the PCI Software Security Framework.
