PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Reference Content: This is archived content from PCI Security Standards Council bulletins, preserved for tracking changes over time.
View Original →

PCI Security Standards Council Bulletin: Announcement of Sunset Period for the PCI 3DS SDK Standard

PDF














PCI Security Standards Council Bulletin: Announcement of Sunset Period for the PCI 3DS SDK
Standard


01 May 2026
The PCI Security Standards Council (PCI SSC) is announcing the initiation of a formal sunset period for
the PCI 3-D Secure (3DS) Software Development Kit (SDK) Standard.
Background
The PCI 3DS SDK Standard provides security requirements, assessment procedures, and guidance for
3DS SDKs, as defined in the EMVCo EMV® 3-D Secure SDK Specification, to help prevent unauthorized
card-not-present (CNP) transactions and reduce merchants’ exposure to CNP fraud.
With the release of the PCI Secure Software Standard v2.0 earlier this year, software development kits
(SDKs), including EMVCo 3DS SDKs, are now eligible to be assessed under that framework. The PCI
Secure Software Standard v2.0 therefore provides an alternative path for the assessment of 3DS SDKs.
Additionally, the PCI 3DS Data Matrix was updated to version 1.2 to include information regarding
sensitive data elements within 3DS SDKs.
Following the release of the PCI Secure Software Standard v2.0, PCI SSC has determined that the PCI
3DS SDK Standard will now enter a formal sunset phase.
Sunset Period Timeline
• Effective Date of Sunset Period: May 01, 2026
• Sunset Period Ends: October 31, 2026
During the sunset period:
• New PCI 3DS SDK submissions will continue to be accepted by PCI SSC.
• Existing submission processes and program requirements will remain unchanged.
At the conclusion of the sunset period:
• No new PCI 3DS SDK submissions will be accepted by PCI SSC.

Existing Listings
All existing PCI 3DS SDK listings will:
• Remain valid through their normal listing lifecycle.
• Expire in accordance with their established listing validity and expiration dates.
• Continue to be subject to applicable program maintenance requirements throughout their validity
period.


In summary, there is no change to the lifecycle treatment of currently approved and listed PCI 3DS SDK
solutions.
Additional Considerations:
• Organizations currently pursuing or considering PCI 3DS SDK evaluations are encouraged to
plan accordingly within the announced sunset timeline.
• Organizations should evaluate future authentication and software security validation strategies
based on applicable payment brand requirements and other relevant industry standards, where
appropriate.
Note: This sunset announcement applies only to the PCI 3DS SDK Standard and solutions and has no
impact on the PCI 3DS Core Standard or related program.

For questions regarding this bulletin, please contact the PCI 3DS SDK Program Manager at
pci3ds@pcisecuritystandards.org.


###