What PCI SSC’s 2025 Annual Report Means for Our Clients – A QSA Perspective

The PCI Security Standards Council (PCI SSC) recently published its first-ever Annual Report, offering transparency into how PCI standards are evolving and where the Council is focusing as it approaches its 20th anniversary in 2026.

As a Qualified Security Assessor (QSA) firm, CompliancePoint works closely with organizations navigating PCI DSS assessments, scoping decisions, and ongoing compliance challenges. While the report covers a broad range of activity, several themes stand out as most relevant to merchants and service providers planning for upcoming PCI cycles.

Below is our perspective on what matters most — and what organizations should be paying attention to now.

PCI Is Moving Toward Greater Structure and Predictability

One of the most significant changes highlighted in the report is PCI SSC’s transition to a product-led operating model, organized around seven PCI SSC product families.

From a client standpoint, this matters because it signals:

  • Better alignment between standards, guidance, training, and validation programs
  • Improved release coordination and fewer fragmented updates
  • Greater predictability across assessment cycles

For organizations managing PCI DSS alongside other PCI standards (such as P2PE, Secure Software, or MPoC), this shift should reduce confusion and improve long-term planning. From a QSA perspective, it also supports more consistent assessment expectations across the industry.

PCI SSC Is Actively Listening to Implementation Challenges

The Annual Report reinforces that PCI SSC is increasingly focused on real-world implementation feedback.

Notable examples include:

  • Expanded Request for Comment (RFC) opportunities
  • Creation of an E-commerce Guidance Task Force to address PCI DSS v4.x implementation challenges
  • Increased collaboration with stakeholders across the payments ecosystem

For clients, this is an important signal: while PCI requirements continue to mature, PCI SSC is making a clear effort to balance stronger security outcomes with practical implementation realities.

Expect Continued Evolution — Not “Set It and Forget It” PCI

A consistent message throughout the report is that PCI standards will continue to evolve.

PCI SSC outlines:

  • Planned consolidation and realignment of standards
  • New and revised standards related to key management, software security, and emerging technology
  • A forward-looking roadmap designed to reduce duplication and improve consistency

For organizations subject to PCI, this reinforces a critical point: PCI compliance is no longer static. PCI DSS v4.x already reflects this, for example by requiring that scope be documented and confirmed at least every 12 months (every six months for service providers) rather than only at assessment time. Successful programs are those that plan beyond the next assessment and treat PCI as an ongoing risk management effort rather than a once-per-year exercise.

Upcoming Standards Changes to Keep on Your Radar

The Annual Report also provides early visibility into future standards realignment, which is particularly relevant for organizations supporting PIN-based payments, PCI 3DS (3-D Secure), or complex cryptographic environments.

PCI SSC’s roadmap highlights several planned and potential changes, including:

  • Integration of PCI PIN into a new Key Management Operations (KMO) standard
  • Integration of the 3DS SDK into the PCI Secure Software standard
  • Potential alignment of 3DS Core requirements into PCI DSS
  • Possible consolidation of SPoC and CPoC into MPoC

While these changes are not yet enforceable requirements, they clearly signal the direction PCI SSC is heading as it works to improve consistency and reduce overlap across standards.

From a client perspective, this is an opportunity to:

  • Understand where future scope expansion may occur
  • Identify systems, teams, and processes that may be impacted over time
  • Begin aligning cryptographic and authentication practices proactively

From a QSA standpoint, our guidance is not to react prematurely — but to incorporate these roadmap signals into longer-term PCI planning, especially for organizations operating complex or highly integrated payment environments.

AI and Emerging Technology Are Officially on the PCI Radar

Artificial intelligence (AI) emerged as a clear focus area in 2025. PCI SSC published guidance on AI considerations within PCI assessments and high-level principles for the use of AI in payment environments.

This is particularly relevant for organizations using AI in fraud detection, transaction monitoring, automation, or customer interaction platforms connected to payment flows.

While AI is not yet explicitly codified into PCI DSS requirements, the direction is clear: governance, transparency, and control design around AI will increasingly matter in future assessments.

Assessment Quality and Consistency Remain a Priority

The report also highlights ongoing investment in assessor education and qualification programs, global assessor engagement through formal roundtables, and expanded training and guidance to support consistent assessments.

For clients, this focus supports more predictable and defensible assessment outcomes, reducing variability and uncertainty across PCI engagements.

Why the Right QSA Matters More Than Ever

Taken together, the themes in PCI SSC’s 2025 Annual Report point to a more dynamic PCI landscape — one that requires early planning, informed interpretation, and practical execution.

As PCI standards continue to evolve, working with an experienced QSA is critical to:

  • Anticipating upcoming changes rather than reacting to them
  • Understanding how roadmap items may impact scope and effort
  • Avoiding unnecessary rework or late-stage assessment delays
  • Building sustainable PCI programs that scale with business growth

At CompliancePoint, we don’t just validate compliance — we help organizations navigate change, reduce friction, and align PCI requirements with real-world environments.

Let’s Continue the Conversation

If you have questions about how these developments may impact your next PCI assessment, future scope, or long-term compliance strategy, we’d welcome the opportunity to discuss further.

Contact us at: connect@compliancepoint.com

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.