PCI Perspectives, May 15, 2026

PCI Security Standards Council Opens RFC Period for Secure Software Lifecycle Standard v2.0

Key Summary

The PCI Security Standards Council has opened a 30-day request for comments period from May 15 to June 15, 2026, for eligible stakeholders to review and provide feedback on the draft PCI Secure Software Lifecycle Standard v2.0. This updated standard will establish new security requirements for software development processes across organizations handling payment card data.

PCI SSC Announces RFC Period for Updated Software Security Standard

The PCI Security Standards Council (PCI SSC) has initiated a critical 30-day request for comments (RFC) period for the draft PCI Secure Software Lifecycle Standard v2.0, running from May 15 through June 15, 2026. This announcement signals significant updates to the framework governing secure software development practices for organizations in the payment card industry.

Who Can Participate in the RFC Process

The RFC period is exclusively available to eligible PCI SSC stakeholders, including participating organizations, associate members, and qualified security assessors. This targeted approach ensures that feedback comes from entities with direct experience in payment card data security and compliance implementation.

Organizations eligible to participate should have received direct communication from PCI SSC with access credentials and submission guidelines. The council typically extends invitations to merchants, payment processors, acquirers, issuers, and technology vendors actively engaged in payment card processing.

Key Areas Expected in Version 2.0

While the full details of the draft standard remain under review, version 2.0 is anticipated to address several critical areas that have evolved since the original standard:

Enhanced DevSecOps Integration: The updated standard likely includes stronger requirements for integrating security throughout the software development lifecycle, reflecting industry best practices in DevSecOps methodologies.

Supply Chain Security: Given recent high-profile supply chain attacks, v2.0 is expected to include more robust requirements for third-party component management and vendor risk assessment.

Cloud-Native Development: The standard will likely address modern cloud development practices, containerization, and microservices architectures that have become prevalent in payment processing systems.

Threat Modeling Requirements: Enhanced guidance on systematic threat modeling processes during software design and development phases.

Compliance Implications for Organizations

The introduction of PCI Secure Software Lifecycle Standard v2.0 will have far-reaching implications for organizations across the payment ecosystem:

Software Vendors: Companies developing payment processing software, point-of-sale systems, and related applications will need to demonstrate compliance with the updated lifecycle requirements.

Internal Development Teams: Organizations with in-house software development capabilities must align their processes with the new standard's requirements, potentially requiring significant process updates and staff training.

Assessment and Validation: The updated standard may introduce new validation requirements and assessment criteria, affecting how organizations demonstrate compliance during PCI DSS assessments.

Recommended Actions During RFC Period

Eligible stakeholders should take several immediate steps to maximize their participation in this critical feedback period:

Review Current Practices: Conduct a thorough assessment of existing software development lifecycles against anticipated requirements in the draft standard.

Engage Development Teams: Include software architects, security engineers, and development managers in the review process to ensure comprehensive feedback.

Document Concerns: Prepare detailed feedback addressing practical implementation challenges, cost implications, and timeline considerations.

Coordinate Industry Response: Work with industry associations and peer organizations to ensure consistent, constructive feedback that represents broader community concerns.

Timeline and Next Steps

Following the June 15, 2026 close of the RFC period, PCI SSC will review all submitted feedback and incorporate appropriate changes into the final standard. The organization typically publishes a summary of comments received and explains how feedback influenced the final version.

Organizations should expect the final PCI Secure Software Lifecycle Standard v2.0 to be published in late 2026 or early 2027, with implementation requirements likely taking effect 12-18 months after publication to allow adequate preparation time.

This RFC period represents a crucial opportunity for the payment card industry to shape security requirements that will govern software development practices for years to come.

Frequently Asked Questions

Who is eligible to participate in the PCI Secure Software Lifecycle Standard v2.0 RFC period?

Only eligible PCI SSC stakeholders including participating organizations, associate members, qualified security assessors, and organizations directly involved in payment card processing can participate in the 30-day RFC period.

How long is the comment period for PCI Secure Software Lifecycle Standard v2.0?

The request for comments period runs for 30 days, from May 15, 2026, through June 15, 2026, giving stakeholders one month to review and submit feedback on the draft standard.

What types of organizations will be affected by PCI Secure Software Lifecycle Standard v2.0?

Software vendors developing payment applications, organizations with in-house development teams creating payment-related software, and any entity involved in the software development lifecycle for payment processing systems will be affected.

When will the final PCI Secure Software Lifecycle Standard v2.0 be published?

The final standard is expected to be published in late 2026 or early 2027, following the RFC period and incorporation of stakeholder feedback, with implementation requirements typically taking effect 12-18 months later.

How does the PCI Secure Software Lifecycle Standard relate to PCI DSS compliance?

The Secure Software Lifecycle Standard provides specific requirements for secure software development practices that support overall PCI DSS compliance, particularly for organizations developing or maintaining payment processing software and applications.
