Twenty Years In, A First Look Behind the Curtain
The PCI Security Standards Council has been around since 2006. In that time, it has published multiple generations of the PCI DSS, stood up qualification programs for assessors and scanning vendors, and built a global ecosystem of standards that touch nearly every organization handling payment card data.
And in all that time, it never published an annual report. Until now.
In January 2026, PCI SSC released its inaugural 2025 Annual Report, providing the most transparent look the Council has ever offered into its operations, strategic direction, and delivery outcomes. The timing isn’t accidental. 2026 marks the Council’s 20th anniversary, and this report reads as both a retrospective on a record year and a signal of where things are headed next.
For anyone working in PCI compliance, whether you’re a QSA, an ISA, a merchant, or a service provider, this report is worth your time. It contains real roadmap details that will affect how you plan for future assessment cycles.
Let me walk through what stands out.
The Product Family Model: A Structural Shift
The biggest strategic change in the report is PCI SSC’s formal transition to a product-led operating model organized around seven product families:
- Data & Environment (PCI DSS, 3DS Core, TSP, and a potential new ESS)
- Mobile (MPoC, SPoC, CPoC)
- Software (Secure Software, Secure SLC, 3DS SDK)
- Card (Card Production Logical and Physical Security)
- Key Management (the new KMO standard, PIN)
- P2PE (Point-to-Point Encryption)
- Device (PTS POI, PTS HSM)
This isn’t just a rebranding exercise. Each product family now encompasses the standard itself along with all the supporting materials: program guides, training, listing programs, templates, and FAQs. The goal is to release everything together (or as close to simultaneously as possible) so that when a new standard version drops, assessors and organizations aren’t waiting months for the supporting documentation to catch up.
If you’ve ever scrambled to figure out how a new standard revision applies to your environment while the ROC template was still weeks away from publication, you understand why this matters.
The Standards Roadmap: Consolidation Is Coming
Buried in the product family framework is a roadmap that should be on every compliance team’s radar. PCI SSC is planning to consolidate and realign several of its standards in the coming years. Here’s what the report signals:
PCI PIN is planned to be integrated into a new Key Management Operations (KMO) standard. The first Request for Comment for KMO v1.0 was completed, and a second RFC is in progress. This is a meaningful shift for organizations that currently maintain separate compliance efforts for PIN security.
3DS SDK is being integrated into the PCI Secure Software standard. Instead of maintaining a standalone 3DS SDK standard, it’ll become a module within Secure Software. For organizations building or assessing 3DS applications, this changes the compliance pathway.
SPoC and CPoC may be integrated into MPoC. The mobile payment acceptance standards could be consolidated under a single umbrella. If you’re currently certified under SPoC or CPoC, keep an eye on transition timelines.
3DS Core may be integrated into PCI DSS. This is potentially the most impactful consolidation on the roadmap. If it moves forward, it’d bring 3DS security requirements directly into the PCI DSS assessment scope rather than treating them as a separate standard.
A new Environmental Security Standard (ESS) is being evaluated. This would sit alongside PCI DSS within the Data & Environment product family. Details are limited, but the report lists it on the target state roadmap.
None of these are enforceable today. But if your organization operates in any of these spaces, the time to start thinking about how consolidation affects your compliance program is now, not when the final standards drop.
2025 By the Numbers
The report includes some hard delivery metrics that are worth acknowledging. In 2025, PCI SSC completed:
- 5 Requests for Comment
- 2 standards publications (PTS POI v7.0 and P2PE v3.2)
- 8 guidance documents (including 2 focused on AI)
- 98+ FAQs (including technical FAQs aligning prior guidance to PCI DSS v4.0.1)
- 20+ supporting documents
- 4+ new training courses
- 1 new listing program (PIN Listing)
They also trained 7,539 professionals worldwide, hosted Community Meetings in Fort Worth, Amsterdam, and Bangkok with over 2,200 attendees, and expanded the Board of Advisors to a record 64 member organizations for the 2025-2027 term.
Whether you view those numbers as impressive or overdue depends on your perspective, but the volume of output is hard to argue with. 2025 was clearly their most productive year from a standards delivery standpoint.
AI Gets Formal Attention
Artificial intelligence showed up in the report in a way that signals it’s no longer a “future consideration” for PCI SSC. In 2025, the Council published:
- AI Principles for developing and deploying AI systems in payment environments
- Guidance on AI in PCI Assessments for assessors evaluating organizations that use AI in their cardholder data environments
They also launched an “AI Exchange: Innovators in Payment Security” blog series featuring stakeholders discussing how they’re using AI in payment security.
This matters because AI is increasingly embedded in fraud detection, transaction monitoring, customer service, and even compliance automation within payment environments. While AI isn’t yet explicitly codified into PCI DSS requirements, the Council is clearly laying the groundwork. If your organization uses AI anywhere in or connected to payment flows, expect this to become an area of assessor focus sooner rather than later.
Global Expansion and the India-South Asia Push
The report highlights a notable push into emerging markets. The launch of the India-South Asia Regional Engagement Board in August 2025 is the Council’s second regional board after Brazil’s launch in 2018. Given the scale of digital payments in India (particularly UPI-driven transaction volumes), this makes strategic sense.
PCI SSC also held training sessions in Dubai for the first time in nine years and now has Regional Directors based in the U.S., Ireland, Singapore, Japan, India, and Brazil. The global engagement team is fully staffed for the first time.
For organizations operating across multiple regions, this expansion means more localized guidance and potentially more regional nuance in how standards are interpreted and applied.
What This Means Looking Forward
The 2026 Community Meetings are already scheduled (Vancouver in September, Edinburgh in October, Kuala Lumpur in November), and the Council is actively soliciting speaker submissions. PCI SSC is also inviting the community to share memories as part of the 20th anniversary celebration.
But beyond the anniversary festivities, the real story in this report is about pace. PCI SSC’s Executive Director Gina Gobeyn framed 2025 as the year the Council “moved from intention to execution.” The product family model, the standards consolidation roadmap, the AI guidance, and the global expansion all point to an organization that’s trying to keep up with an industry that’s evolving faster than traditional standards cycles can accommodate.
The payment landscape in 2026 looks very different from 2006. Transactions are faster, more numerous, and running through an increasingly complex ecosystem of third-party providers, mobile platforms, and cloud services. The threat landscape has evolved just as dramatically. The Council’s challenge over the next 20 years is to keep its standards relevant without sacrificing the rigor that makes them valuable in the first place.
For those of us working in the PCI ecosystem, this report is worth reading in full. Not just for what it says about 2025, but for what it signals about where we’re all headed.