Upcoming Webinar | Assuring Agentic AI on March 5th @ 1:00 PM ET

Learn More
866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO 20000-1
ISO 14001
ISO 45001
ISO 50001
Privacy Assessments
Privacy Assessments
Global CBPR & PRP Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Services
AI Red Teaming
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
MTCS Certification
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
Certificate Directory
Contact Us

«  View All Posts

PCI Secure Software Standard (PCI SSS) v2.0: Key Updates for Modern Development Teams Blog Feature
Daniel Garczek

By: Daniel Garczek

Print/Save as PDF

PCI Secure Software Standard (PCI SSS) v2.0: Key Updates for Modern Development Teams

Payment Card Assessments | PCI DSS

Published: Feb 23, 2026

The Payment Card Industry Security Standards Council has released a major revision of the PCI Secure Software Standard (PCI SSS), moving from v1.2.1 to v2.0. This isn't an incremental update but rather a fundamental restructuring that reflects how software security has evolved in today's interconnected digital landscape.

In this blog post, we’ll detail the major changes to the PCI Secure Software Standard, what this means for your organization, and how to prepare for compliance.

The Removal of Payment Software in PCI SSS

The most striking change is the complete removal of the term "Payment Software" from the standard. This signals a significant philosophical shift from focusing narrowly on payment-specific applications to embracing a broader, more comprehensive approach to software security.

In its place, PCI SSS v2.0 introduces the concept of "Sensitive Assets," which is a framework that encompasses data, functionality, resources, and modes of operation that require protection. This change acknowledges that modern applications are complex ecosystems wherein sensitive information flows through multiple components, not just via traditional payment processing modules.

New Foundation in PCI SSS v2.0: Sensitive Asset Identification

To support this expanded scope, the standard now includes a mandatory companion document called "Sensitive Asset Identification." This document isn't optional reading. It's a required part of the PCI Secure Software Program and provides the following information:

  • Additional context for sensitive asset terminology

  • Practical examples of what constitutes sensitive assets
  • Guidance for identifying sensitive data, functionality, and resources
  • Special considerations for EMVCo® 3DS-related data through the PCI 3DS Data Matrix document

PCI SSS v2.0 Structural Transformation: From Control to Security Objectives

The standard has reorganized its requirements into 11 comprehensive Security Objectives (formerly called "Control Objectives"). This restructuring creates a more logical flow that covers:

  • Software architecture, composition, and versioning
  • Sensitive asset identification and protection
  • Storage, retention, and output requirements
  • Cryptography, key management, and random number generation
  • Threat management and secure deployment

Enhanced SDK Support in PCI SSS v2.0

Perhaps most notably for development teams, PCI SSS v2.0 introduces Module D specifically for Software Development Kits (SDKs). This new module addresses the growing importance of SDKs in modern development and includes enhanced support for an EMVCo® 3DS SDK assessment.

What PCI SSS v2.0 Means for Your Organization

These updates signal the industry's recognition that software security must evolve beyond traditional payment boundaries. To ensure compliance, organizations now need to:

  1. Reassess their software inventory using the new sensitive asset framework
  2. Understand the expanded scope of what constitutes sensitive functionality
  3. Prepare for enhanced SDK assessments if they develop or use software development kits
  4. Adapt to new testing methodologies based on documentation review, static analysis, and dynamic analysis

Moving Forward with PCI SSS v2.0 Compliance

The PCI Secure Software Standard v2.0 represents a maturation of software security thinking. By moving away from "payment software" to "sensitive assets," the standard acknowledges that security isn't about protecting just one type of data. It's about creating secure software that can handle any sensitive information appropriately.

The following documents are now available in the PCI SSC Document Library with additional details:

  • PCI Secure Software Standard v2.0
  • PCI Secure Software Standard – Sensitive Asset Identification (for use with v2.x)
  • Summary of Changes from PCI Secure Software Standard v1.2.1 to v2.0
  • PCI Secure Software Program Guide (for use with v2.x)
  • PCI 3DS Data Matrix, v1.2

Ready to understand how these changes affect your specific development processes? In an upcoming blog post, we'll dive deeper into the 11 new Security Objectives and explore how they replace the previous control framework with a more comprehensive approach to software security.

Stay tuned for our detailed breakdown of the core requirements and implementation strategies. In the meantime, contact us today to learn more and discover additional payment card security insights here:

About Daniel Garczek

Daniel Garczek is a PCI Technical Lead with Schellman. Prior to joining Schellman in 2021, Daniel worked as a Senior Security Engineer for a web development and managed hosting organization where he was responsible for managing a PCI compliant multi-tenant hosting environment. Daniel has 10 years of experience designing, managing, and optimizing both on-premise and cloud environments across various industries, including e-commerce, government, and healthcare. Daniel holds the QSA, CISSP, and ISO 27001 Lead Auditor certifications and is now primarily focused on PCI DSS assessments.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.