After having us on edge for a few months, the PCI Security Standards Council (PCI SSC) has extended the expiration periods of devices validated in PCI HSM as follows:

  • Extends the period of device validation in PCI HSM v4 31 December 2025 to 30 June 2027. This date affects manufacturers of safety devices who wish to certify their products to the PCI HSM v4 standard.
  • Extends the expiration date of devices certified in PCI HSM v3.x from April 2026 to April 2028 (two years extension)
  • Extends the expiration date of devices certified in PCI HSM v4.x from April 2032 to April 2033 (one year extension)

This change is made to align migration dates and periods between standards and align them with the release of version 5 of the PCI HSM standard, scheduled for 2026.

The newsletter related to this change can be obtained here.

Additionally, the expiration dates of devices validated in PCI HSM and PCI KLD v3.x have already been updated in the PCI SSC Listings to adapt to this change:

What implications does this change have?

Thanks to this extension, many companies using security cryptographic devices (SCDs) such as Hardware Security Modules (HSMs) or Key Loading Devices (KLDs) validated in PCI HSM v3.x can be quiet for two more years, which does not mean that the problem has been eliminated, but simply postponed.

This episode, related to the expiration date of devices certified in PCI HSM v3.x, evidenced numerous weaknesses in the supply chain and in the life cycle management of cryptographic devices. Many entities do not have a device migration plan in place and do not regard this event (device expiration) as a risk in their operation, which shows that r is necessaryadapt risk analysis processes and contemplate these scenarios so as not to have similar problems in the future, especially taking into account current incidents linked to availability problems of electronic components, mainly RAM and SSD hard drives, which can be extended to other related components.

Posted by David Acosta

Qualified Security Assessor (QSA) for PCI DSS, PCI PIN, PCI 3DS, P2PE and PCI TSP. CISSP, CISA, CISM, CRISC, C|EH, C|HFI.

Leave to Reply