Transition Regime of PCI Secure Software Standard v2.0: We Now Have the Dates

With the publication of the first technical FAQ for PCI SSS v2.0, the PCI Security Standards Council has answered one of the most relevant questions for the community of assessors and software vendors: what exactly are the dates governing the transition period between version 1.2.1 and version 2.0 of the standard?

In the article published on January 16, 2026 about the new features of the standard, it was noted that the transition window would be 12 months starting from the release of the assessor training, but that the specific dates were not yet available. That gap has now been resolved.

A 12‑Month Coexistence Period

The FAQ confirms that there will be a 12‑month transition period during which both version 1.2.1 and version 2.0 will be valid for assessments and submissions to the PCI SSC. The rules applicable to each version are as follows:

For assessments under v1.2.1:

▪️ Full Assessment submissions will be accepted until April 30, 2027.
▪️ These submissions must have passed the PCI SSC's Assessment Quality Management (AQM) process no later than July 31, 2027.
▪️ Products accepted and listed under v1.2.1 will have a 3-year listing validity period, provided they remain compliant with program requirements.
▪️ ROV v1.x and AOV v1.x will continue to be used during this period.
▪️ Products already listed under a 1.x version will continue using their ROV v1.x to manage any applicable changes.

For assessments under v2.0:

▪️ Assessments under v2.0 will become available once Secure Software Assessors complete the new-version training.
▪️ Starting May 1, 2027, v2.0 will be mandatory for all new full assessments of validated secure software products.
▪️ ROV v2.x, AOV v2.x, and the new Change Impact Template will be required for delta changes.
▪️ Importantly, version 2.0 does not affect the annual revalidation dates or reevaluation dates of products already listed under 1.x versions of the standard.

[Figure: Transition regime timeline]

What does this mean in practice?

For vendors with products currently validated under v1.2.1 or an earlier version, the message is unambiguous: their annual revalidation and periodic reevaluation obligations continue unchanged on the already established schedule. The transition to v2.0 imposes no deadline that forces an early migration of those existing listings.

However, for vendors starting a new validation process, or planning one, the advice is to go directly to v2.0. Although Full Assessment submissions under v1.2.1 will be accepted until April 30, 2027, and must then clear AQM by July 31, 2027, the realistic margin for completing an assessment under that version is narrowing fast once the typical duration of an assessment and of the PCI SSC review is taken into account. Starting under v1.2.1 today means accepting the risk of missing those deadlines and having to migrate to v2.0 anyway.

Going directly to v2.0 removes that risk and, from the moment the product is listed, aligns its three-year listing with the current state of the standard. The changes introduced in this version, notably the identification of sensitive assets, the SBOM, MFA for sensitive operations, and the new module for SDKs, are an opportunity to strengthen the product's security posture rather than merely a compliance requirement. Vendors who have not yet begun a gap analysis against these new controls should start now.



PMP, CISSP|I, CSSLP|I, CCSP, OTI, CISM, CDPSE, PCI QSA, PCI QPA, PCI SSA, PCIP, CCSK, MCPS, ITIL4, SFPC, DEPC, CSFPC, ISO 27001-LA, ISO 20000-1-IA, ISO 22301-IA
Head of Consulting for Colombia



Copyright © 2026 - All rights reserved