Frequently Asked Question

How do PCI PTS-approved POI device expiry dates affect a PCI-listed P2PE solution?
PCI-listed P2PE solutions (and applicable P2PE components) are allowed to reassess their existing PCI P2PE approval with expired PTS POI devices for up to, but not exceeding, 5 years past the PTS POI device expiry dates (as listed on the PCI Approved PTS Devices list) for the POI device types used in the solution.
POI devices used in a PCI-listed P2PE solution exceeding 5 years past their listed expiry date will no longer be considered valid. A PCI-listed P2PE solution will be delisted if all of its associated POI device types have exceeded the 5 year window (as shown in the table below). In order to understand the impact of P2PE solutions that are using expired POI devices on PCI DSS compliance, please contact the individual payment brands (see How do I contact the payment card brands?).
Each PCI PTS-approved POI device is associated with an expiry date relative to the major version of the PCI PTS POI standard it was evaluated and approved against. Each PTS POI device approval listing indicates its expiry date. The Approved PTS Device list with associated expiry dates can be found here:
https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices
For quick reference, the following table provides the current POI device expiry dates and the corresponding revalidation/reassessment window for P2PE solutions using these devices:
PCI PTS POI version |
PTS POI Expiry Date |
P2PE Revalidation/Reassessment End-date |
1.x |
EXPIRED 2014 |
N/A – v1.x devices are not P2PE eligible |
2.x |
EXPIRED APR 2017 |
29April2022 |
3.x |
30April2021 |
29April2026** |
4.x |
30April2023 |
29April2028 |
5.x |
30April2026 |
29April2031 |
* There may be regional variations – please check with the respective payment brands to determine any variances in the dates shown above.
** Due to the impact of COVID-19, the PTS POI v3 expiry date has been extended from 30April2020 to 30April2021. As a result the P2PE Revalidation/Reassessment End-date has changed from 29April2025 to 29April2026. For additional information refer to the PCI SSC POI v3 expiry extension post here.
Please note that P2PE solutions (and applicable P2PE components) undergoing an initial assessment must use non-expired (i.e., not exceeding the PTS POI expiry date), eligible PCI PTS POI devices. Please refer to the PCI P2PE Standard and Program Guide in our document library for further details.
Related
-
How should payment terminals be considered during a PCI DSS assessment?
-
Are P2PE Products (P2PE Solutions, P2PE Components, P2PE Applications) on the P2PE Expired Listings still considered “validated” per the P2PE Program Guide?
-
If a P2PE Solution is on PCI’s list of Point-to-Point Encryption Solutions with Expired Validations, does the solution meet the eligibility criteria for SAQ P2PE?