Document Comparison

PCI_Secure_Software_v1.x_Technical_FAQs_May2025.pdf PCI_SecSW_v1.x_Technical_FAQs_June2026.pdf
77% similar
5 → 6 Pages
1146 → 1639 Words
4 Content Changes

From Revision History

  • June 2026 New Technical FAQ(s): General: Q6, Q7
  • June 2026 © 2023-2026 PCI Security Standards Council, LLC. All rights reserved. Page 1 PCI Secure Software Standard: Technical FAQs
  • If the implementation of such mitigations requires user input or interaction, then it is expected

Content Changes

4 content changes. 7 administrative changes (dates, page numbers) hidden.

Added p. 2
June 2026 New Technical FAQ(s): General: Q6, Q7
Added p. 5
Q6 June 2026: What is the process regarding the submission of a validated secure software product by an SSLC-Qualified Vendor?

A: A software vendor that is also a Secure SLC (SSLC)-Qualified Vendor (non-expired status) is able to indicate their secure software product has been developed using their SSLC-Qualified processes as part of the software assessment.

Upon submission of a full secure software product assessment to PCI SSC, the secure software assessor is able to select the non-expired SSLC-Qualified Vendor listing associated with the development of the software. Upon Acceptance of the submission, the associated listing of the secure software will receive a designation that it was developed using the vendor’s SSLC-Qualified processes, along with a hyperlink to their SSLC-Qualified Vendor listing.

If at the time of submission of the software product, the vendor’s SSLC-Qualified status is expired, it will not be possible to select and associate the software product as being developed …
Added p. 6
• New [Full] Assessment submissions allowable up to 30 April 2027

• Submissions must be ‘passed’ by AQM no later than 31 July 2027

• Submissions that are Accepted and Listed will have a 3-year listing period, provided they are maintained in accordance with the Program.

- Requires use of the v1.x ROV and v1.x AOV

- Existing v1.x Secure Software Product listings will still utilize their v1.x ROVs as necessary for any changes

For v2.0:

• Available for assessments upon Secure Software Assessors being trained on v2.0
Modified p. 4
Q3 May 2023: What should be done if a control objective cannot be met as stated due to a technical constraint?

A: In some software implementations, it may be impossible for the assessed payment software to meet a particular control objective due to legitimate technical constraints. For example, limitations of the software development languages or frameworks used or other technical limitations within the execution environment. (continued on next page)

Q3 May 2023: What should be done if a control objective cannot be met as stated due to a technical constraint?

A: In some software implementations, it may be impossible for the assessed payment software to meet a particular control objective due to legitimate technical constraints. For example, limitations of the software development languages or frameworks used or other technical limitations within the execution environment. (continued on next page) In such circumstances, all such constraints must be documented and justified …