April 30, 2026 is the stipulated date for the expiration of cryptographic devices validated according to PCI HSM version 3.x. If you have not yet defined your migration strategy, this article is for you.

NOTE: The PCI SSC has extended the expiry date of PCI HSM v3.x devices by two more years (April 2026 to April 2028). More information is available in the article «Two-year extension for PCI PTS HSM v3».

Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM), better known as PCI HSM, is a security standard that defines the physical and logical requirements of Hardware Security Modules (HSMs). Like all standards, PCI HSM has gone through several versions, each incorporating improvements to adapt to the operational and security needs of payment-related activities, including the processing of financial transactions, the personalization of payment cards and the life cycle of the cryptographic keys used to protect sensitive data, among others.

Version 3.x of PCI HSM was released in June 2016. In addition, the PCI SSC established 30 April 2026 as the expiry date for devices validated against that version.

Expiry date vs. expiration date

Two key dates have been stipulated in the life cycle of cryptographic security devices (Secure Cryptographic Devices, SCDs), which include point-of-interaction (POI) devices such as PIN Entry Devices (PEDs) and Encrypting PIN Pads (EPPs), as well as Key Loading Devices (KLDs) and Hardware Security Modules (HSMs):

  1. Expiry date, which sets the deadline until which an entity may purchase devices of the affected model from the seller. As of this date, no additional units can be purchased and no new units of the affected model can be deployed in production, unless they were purchased BEFORE this date. This date is set by the PCI SSC, is linked to the version of the specific standard and can be consulted in the PCI SSC list of approved PTS devices.

  2. Expiration date, also called the end-of-life date (EOL/Sunset/Retire date), which sets the deadline linked to the use of a specific device. As of that date, the affected device is not allowed to be used in a production environment and must be removed immediately. Depending on the standard, this date is set by the PCI SSC or the payment brands. For example, in the P2PE standard this end-of-life date is six (6) years after the expiry date.

Impact of the expiry date of PCI HSM v3.x

From 1 May 2026, no new units of the devices concerned may be purchased or deployed in production, unless they have been purchased BEFORE that date.

Some of the devices and models affected by this measure are the following:

As can be seen, the vast majority of HSM devices currently used in means of payment are affected by this measure.

Likewise, some of the most important KLD devices on the market are also affected:

What can I do if my device is expired?

If the entity has a device validated in PCI HSM/KLD v3.x, it is very important to perform the following actions to prevent risks associated with the supply chain in the event that new devices are needed:

  1. IMMEDIATELY consult the manufacturer to find out what their migration plan is for the affected device. This plan can be replacement by a new model or recertification of the device against a higher version of the standard.
  2. Since expired devices are allowed to be deployed if they were purchased BEFORE the expiry date, the entity can stock new units of the affected model BEFORE 31 April 2026 and store them in case they are required in the future. In this case, it is essential to keep purchase orders and invoices as evidence.

In any case, this expiry date means that entities using affected devices should define a migration plan to prevent problems if these devices require technical support, repair or replacement, and so ensure proper continuity of operations.

Posted by David Acosta

Qualified Security Assessor (QSA) for PCI DSS, PCI PIN, PCI 3DS, P2PE and PCI TSP. CISSP, CISA, CISM, CRISC, C|EH, C|HFI.
