Reference Content: This is a copy of content from the PCI Security Standards Council blog, preserved for tracking changes over time.

Request for Comments: PCI Secure Software Lifecycle Standard v2.0

By Alicia Malone


From 15 May to 15 June, eligible PCI SSC stakeholders are invited to review and provide feedback on the draft PCI Secure Software Lifecycle Standard v2.0 during a 30-day request for comments (RFC) period.   

The RFC will be available through the PCI SSC Portal, including instructions on how to access the documents and submit feedback. Eligible stakeholders will also receive instructions via email. As a reminder, participants are required to accept a Non-Disclosure Agreement (NDA) to download the document. Please review the RFC Process Guide for more information.    

Please note that PCI SSC can only accept comments submitted via the PCI SSC portal and received within the defined RFC period.    

Background on the PCI Secure Software Lifecycle Standard v2.0

The PCI Secure Software Lifecycle (Secure SLC) Standard and its supporting materials are currently undergoing their first major revision since the standard was introduced in 2019. The PCI Secure SLC Standard is one of two standards that are part of the PCI Software Security Framework (SSF). It provides security requirements and assessment procedures for software vendors to integrate into their software development lifecycles and to validate that secure lifecycle management practices are in place.

The PCI Secure Software Lifecycle Standard v2.0 draft has been revised based on stakeholder feedback from the previous RFC conducted in 2025. In addition, the Secure SLC Standard v2.0 draft now aligns with the recently published PCI Secure Software v2.0 Standard and Program, which includes a focus on ‘sensitive assets’. New content regarding ‘digital tools’, which includes accounting for artificial intelligence (AI) within a vendor’s Secure SLC processes, has been added.

Overall, the Secure SLC Standard has been refocused solely on a software vendor’s Secure SLC, and the requirements within are objective to allow the necessary flexibility for each vendor, accommodating varying levels of maturity in their Secure SLC. Feedback received during this RFC period will be reviewed and considered for inclusion in the final update to the draft standard before its publication in the second half of 2026.

 Access the PCI SSC Portal and Provide Comments