On 15 January 2026, the PCI Security Standards Council (PCI SSC) released version 2.0 of the PCI Secure Software Standard. This is the first comprehensive revision since the introduction of the standard.
Insight into the Key Changes
The new version streamlines the structure, reduces overlaps with the PCI Secure Software Lifecycle Standard, and introduces important new content focus areas that have a direct impact on software manufacturers.
- New focus on sensitive assets: The standard is no longer primarily focused on payment applications but places a stronger emphasis on identifying and protecting sensitive assets. The newly published companion document, Sensitive Asset Identification (SAID), supports software vendors in identifying and documenting these assets. A sensitive asset, as defined in the standard, is any element of a software product, including the software product itself, whose unauthorized access, use, modification, or disclosure may compromise the security of payment processes or payment‑related data.
- Software development kits can be certified for the first time: A new feature is the ability to evaluate software development kits, including EMVCo 3DS SDKs. A separate module has been introduced for this purpose.
- Wildcards allowed again: Non-security-relevant software changes no longer have to be fully re-certified, because wildcards are allowed again. This makes change processes more efficient.
- New requirements for documentation, architecture, and Bill of Materials: With version 2.0, complete documentation of the software architecture, of all components, and of the software Bill of Materials becomes mandatory. This requirement now applies to all software products.
- Stronger controls and multi-factor authentication for sensitive operating modes: For sensitive operating modes, such as administrative or debug access, the standard will in future require multi-factor authentication as well as further measures to secure that access.
- Revised structure and new terminology: Version 2.0 revises the structure of the standard and makes linguistic adjustments. The requirements have been reorganized to make it easier to navigate the standard. In addition, the standard replaces the term “control objectives” with “security objectives”.
What Next Steps Do We Recommend You Take?
“Even though the PCI SSC has not yet published an official transition period, software vendors should not postpone the extensive changes of v2.0. Start now by testing your applications against the new requirements and evaluating the concrete impact on your applications. Particularly important are the identification of your sensitive assets and the complete documentation of your software architecture, including all components. Those who prepare now will reduce the effort and delays involved in the upcoming (re-)certification. In our experience, a gap analysis has proven to be a good first step.”
Lorenz Heiler, usd Managing Consultant and PCI SSF Assessor

Would you like to learn how the changes in version 2.0 affect the certification of your software and what steps you should take now to successfully prepare for the next certification? We support you. Please feel free to contact us.