Frequently Asked Question
How do PCI PTS-approved POI device expiry dates affect a PCI-listed P2PE solution?
PCI-listed P2PE solutions (and applicable P2PE components) are allowed to reassess their existing PCI P2PE approval with expired PTS POI devices for up to, but not exceeding, 5 years past the PTS POI device expiry dates (as listed on the PCI Approved PTS Devices list) for the POI device types used in the solution.
POI devices used in a PCI-listed P2PE solution exceeding 5 years past their listed expiry date will no longer be considered valid. A PCI-listed P2PE solution will be delisted if all of its associated POI device types have exceeded the 5-year window (as shown in the table below). In order to understand the impact of P2PE solutions that are using expired POI devices on PCI DSS compliance, please contact the individual payment brands (see How do I contact the payment card brands?).
Each PCI PTS-approved POI device is associated with an expiry date relative to the major version of the PCI PTS POI standard it was evaluated and approved against. Each PTS POI device approval listing indicates its expiry date. The Approved PTS Device list with associated expiry dates can be found here:
https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices
For quick reference, the following table provides the current POI device expiry dates and the corresponding revalidation/reassessment window for P2PE solutions using these devices:
| PCI PTS POI version | PTS POI Expiry Date | P2PE Revalidation/Reassessment End-date |
| --- | --- | --- |
| 1.x | EXPIRED 2014 | N/A - v1.x devices are not P2PE eligible |
| 2.x | EXPIRED APR 2017 | 29April2022 |
| 3.x | 30April2021 | 29April2026** |
| 4.x | 30April2023 | 29April2028 |
| 5.x | 30April2026 | 29April2031 |
* There may be regional variations — please check with the respective payment brands to determine any variances in the dates shown above.
** Due to the impact of COVID-19, the PTS POI v3 expiry date has been extended from 30April2020 to 30April2021. As a result, the P2PE Revalidation/Reassessment End-date has changed from 29April2025 to 29April2026. For additional information refer to the PCI SSC POI v3 expiry extension post here.
Please note that P2PE solutions (and applicable P2PE components) undergoing an initial assessment must use non-expired (i.e., not exceeding the PTS POI expiry date), eligible PCI PTS POI devices. Please refer to the PCI P2PE Standard and Program Guide in our document library for further details.