Recently the PCI Security Standards Council issued a bulletin extending several important PCI PTS HSM lifecycle dates. The change affects organizations operating Hardware Security Modules (HSMs) in payment environments and directly impacts device lifecycle planning, compliance timelines, and HSM upgrades.
After careful review, Foregenix has summarized what payment service providers should do next and how the changes can affect your business.
PCI SSC introduced three key updates that affect both PTS HSM v3 and PTS HSM v4 approved devices:
Each change impacts the HSM lifecycle and provides additional time for vendors and payment service providers to transition to the next generation of requirements.
The PCI PTS HSM v4 Security Requirements were originally scheduled to stop accepting new device approvals after 31 December 2025. PCI SSC has now extended this window. New deadline for new device approvals: 30 June 2027.
Who is affected: HSM manufacturers
Impact:
Who is affected: Issuers, Acquirers, PSPs, Cloud HSM Servicers.
Impact:
Who is affected: Issuers, Acquirers, PSPs, Cloud HSM Servicers.
Impact:
All companies operating HSMs under their PCI compliance programs (including PCI DSS, PCI PIN, PCI P2PE, PCI 3DS, PCI CPP) can continue to operate PTS HSM devices for one additional year without affecting compliance.
Who is affected: Issuers, Acquirers, PSPs, Cloud HSM Servicers.
Impact:
All companies operating HSMs under their PCI compliance programs (including PCI DSS, PCI PIN, PCI P2PE, PCI 3DS, PCI CPP) can continue to operate PTS HSM devices for two additional years without affecting compliance.
The extension is tied to the upcoming PCI PTS HSM v5 Security Requirements, expected to be published in 2026. PCI standards historically provide overlapping approval windows to ensure vendors have time to update hardware designs, certification labs can prepare for new testing programs, and payment operators can plan infrastructure upgrades.
Important: Remember that each PCI Compliance Program has its own timelines for expired device usage. For example, devices deployed prior to their approval expiry are considered acceptable for use for a specific number of years after the approval expiry.
If you are not sure how these device expiration extensions impact your business, contact us and we can help you define a proper HSM migration strategy and advise on the compliance impact.