
PCI SSC Releases Version 2.0 of the PCI Secure Software Standard

The PCI Security Standards Council (PCI SSC) has published the first major revision to the PCI Secure Software Standard and its supporting Program Guide. This revision is the result of more than 18 months of collaboration with the PCI SSC stakeholder community.

The PCI Secure Software Standard helps provide assurance that software is designed, developed, and maintained in a manner that protects payment-related data and payment-related functionality.

Version 2.0 of the PCI Secure Software Standard adds a new companion document to help vendors identify and document the sensitive assets of their software. In addition, software development kits (SDKs) are now eligible for assessment, including EMVCo 3DS SDKs. The PCI Secure Software Standard v2.0 is intended to provide an alternate path for assessing 3DS SDKs and, over time, to remove the need for a separate PCI 3DS SDK Standard, in line with the PCI SSC roadmap initiative to consolidate standards. As part of this transition, the PCI 3DS Data Matrix has been updated to version 1.2 and now includes information on 3DS SDK sensitive data elements.

Other highlights of the major revision include the introduction of wildcards to cover non-security-impacting software changes, a revised delta change process with a new change impact template, Portal access for software vendors to submit annual attestations and administrative changes, and improved Portal and listing features.

The following documents are now available in the PCI SSC Document Library:

    1. PCI Secure Software Standard v2.0
    2. PCI Secure Software Standard – Sensitive Asset Identification (for use with v2.x)
    3. Summary of Changes from PCI Secure Software Standard v1.2.1 to v2.0
    4. PCI Secure Software Program Guide (for use with v2.x)
    5. PCI 3DS Data Matrix, v1.2

The supporting v2.x ROV, AOV, and new Change Impact templates are expected to be available in early February 2026.

The v2.0 computer-based training (CBT) is expected to be available within Q1 of 2026 to support existing secure software assessors. Instructor-led training (ILT) is planned for Q2 to support new secure software assessors. Once training becomes available, a 12-month transition period from v1.2.1 to v2.0 will begin.

The first major revision to the PCI Secure Software Lifecycle Standard will be released soon to complement the PCI Secure Software Standard as part of the PCI Software Security Framework.


Navigating Central Bank of Jordan's New Cloud Regulations

A practical guide for financial institutions on meeting the new data residency and encryption standards.

Why Traditional EDR Fails

Traditional, signature-based endpoint protection (legacy AV, and the signature component of many EDR deployments) looks for known patterns. Malware that rewrites its own code on every execution (polymorphism) never presents the same pattern twice, so signature matching fails. Polymorphic malware predates AI tooling, but automated variant generation makes it cheap and routine, and security teams relying solely on legacy AV are finding themselves outpaced.

"The average dwell time for AI-driven breaches has dropped from 20 days to just 4 hours. Speed is now the only metric that matters."

How We Combat This

At Cyber Correlate, we have shifted our focus entirely from file scanning to behavioral scanning. We don't care what the file looks like; we care what it tries to do.

• Behavioral Analysis: detecting mass encryption events in real time, for example a single process rewriting many files with high-entropy content in a short window.
• Deception Technology: placing fake "honey files" that no legitimate user has reason to open, so any access is an immediate, high-confidence alert.
• Network Anomaly Detection: spotting the subtle, near-periodic beaconing of command-and-control (C2) traffic.
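The three detections above, as an added example that is not Cyber Correlate's code or any product's: a small Python script that runs behavior-based rules over a constructed stream of endpoint file and network events. The event format, the thresholds, the decoy file names and the sample events are all assumptions made for the example.

```python
"""Behaviour-based detections over a constructed endpoint event stream.

Added example (not Cyber Correlate's code or any product's). Three detectors
that ignore what a file *is* and look at what a process *does*:
  1. mass encryption: many high-entropy writes by one process in a short window
  2. honey-file access: any operation on a decoy path
  3. beaconing: near-periodic outbound connections to the same destination
Event format, thresholds, decoy names and sample events are assumptions.
"""
from collections import defaultdict
from math import log2
from statistics import mean, pstdev

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum (uniform byte distribution)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)

# Thresholds (assumed; tune against your own fleet's baseline).
HIGH_ENTROPY = 7.5   # bits/byte; encrypted or compressed data sits near 8.0
WINDOW_SEC = 10      # sliding window for counting high-entropy writes
WRITE_BURST = 5      # this many high-entropy writes inside WINDOW_SEC -> alert
MIN_BEACONS = 4      # connections needed before judging periodicity
MAX_JITTER = 0.15    # stdev/mean of inter-connection gaps below this -> periodic
HONEY_FILES = {      # decoy paths (assumed); nobody legitimate opens these
    "C:\\Users\\alice\\Documents\\passwords.xlsx",
    "/srv/share/finance_backup.zip",
}

def detect_mass_encryption(file_events):
    """Return {pid: window_start_time} for processes whose high-entropy writes
    reach WRITE_BURST within any WINDOW_SEC sliding window.
    file_events: dicts with keys t, pid, op, path, data."""
    per_pid = defaultdict(list)
    for ev in sorted(file_events, key=lambda e: e["t"]):
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= HIGH_ENTROPY:
            per_pid[ev["pid"]].append(ev["t"])
    hits = {}
    for pid, times in per_pid.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW_SEC:   # slide the window
                start += 1
            if end - start + 1 >= WRITE_BURST:
                hits[pid] = times[start]
                break
    return hits

def detect_honey_file_access(file_events):
    """Any operation on a decoy path is an alert, regardless of content."""
    return [(ev["t"], ev["pid"], ev["path"]) for ev in file_events
            if ev["path"] in HONEY_FILES]

def detect_beaconing(net_events):
    """Return {(pid, dst): mean_gap_seconds} for near-periodic connection series.
    net_events: dicts with keys t, pid, dst."""
    per_dst = defaultdict(list)
    for ev in net_events:
        per_dst[(ev["pid"], ev["dst"])].append(ev["t"])
    hits = {}
    for key, times in per_dst.items():
        if len(times) < MIN_BEACONS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= MAX_JITTER:   # low jitter = timer-driven
            hits[key] = m
    return hits

# Constructed sample data (not captured from a real host).
ENCRYPTED = bytes(range(256)) * 16           # uniform bytes: entropy exactly 8.0
PLAINTEXT = b"Quarterly numbers look fine. " * 140
SAMPLE_FILE_EVENTS = [
    {"t": 100.0 + i, "pid": 4242, "op": "write",
     "path": f"/home/alice/docs/report{i}.docx.locked", "data": ENCRYPTED}
    for i in range(6)                         # ransomware-like burst
] + [
    {"t": 101.5, "pid": 1111, "op": "write",
     "path": "/home/alice/docs/notes.txt", "data": PLAINTEXT},      # benign edit
    {"t": 104.2, "pid": 4242, "op": "read",
     "path": "/srv/share/finance_backup.zip", "data": b""},         # decoy touched
]
SAMPLE_NET_EVENTS = (
    [{"t": 200.0 + 60 * k, "pid": 4242, "dst": "203.0.113.7:443"} for k in range(5)]  # 60 s beacon
    + [{"t": 200.0 + x, "pid": 1111, "dst": "198.51.100.20:443"} for x in (3, 7, 40, 41, 95)]  # browsing
)

if __name__ == "__main__":
    print("mass encryption:", detect_mass_encryption(SAMPLE_FILE_EVENTS))
    print("honey file access:", detect_honey_file_access(SAMPLE_FILE_EVENTS))
    print("beaconing:", detect_beaconing(SAMPLE_NET_EVENTS))
```

Two caveats a practitioner should build in before deploying rules like these: entropy alone also fires on legitimate archives and media files, so the mass-encryption rule is only useful combined with rate and rename signals as above, and a C2 implant that adds random sleep jitter will push the gap variance past a fixed ratio, so real beacon detection needs a wider tolerance or a distribution test over a longer history rather than one threshold.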

Organizations must adopt a "Zero Trust" mentality and operate on the assumption that the perimeter has already been breached.