{"id":11211,"date":"2026-02-12T14:55:51","date_gmt":"2026-02-12T13:55:51","guid":{"rendered":"https:\/\/pcihispano.com\/?p=11211"},"modified":"2026-05-06T19:12:46","modified_gmt":"2026-05-06T17:12:46","slug":"la-fecha-de-expiracion-de-pci-hsm-version-3-x-se-acerca-30-abril-2026-que-va-a-pasar-con-los-dispositivos-afectados","status":"publish","type":"post","link":"https:\/\/www.pcihispano.com\/en\/la-fecha-de-expiracion-de-pci-hsm-version-3-x-se-acerca-30-abril-2026-que-va-a-pasar-con-los-dispositivos-afectados\/","title":{"rendered":"The expiration date of PCI HSM version 3.x is approaching (30 April 2026), what will happen to the affected devices?"},"content":{"rendered":"

April 30, 2026 is the stipulated date for the expiration of cryptographic devices validated according to PCI HSM version 3.x. If you do not have defined your migration strategy, this article interests you.<\/span><\/p>\n

NOTE:<\/strong> The PCI SSC has extended the expiration date of PCI HSM v3.x devices by two more years (April 2026 to April 2028). More information in the article \u00abTwo-year extension for PCI PTS HSM v3<\/a>\u2018.<\/p>\n

Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM)<\/em><\/a> or, better known as PCI HSM<\/strong>, is a security standard that defines the physical and logical requirements of Hardware Security Modules (HSMs)<\/a>.\u00a0 Like all standards, PCI HSM has different versions that have incorporated improvements over the years to adapt to the operational and security needs of activities related to means of payment, including the processing of financial transactions, the personalization of payment cards, the life cycle of cryptographic keys used for the protection of sensitive data, among others.<\/p>\n

Version 3.x of PCI HSM was released in June 2016. Complementarily, the PCI SSC established 30 April 2026 as the expiry date for devices validated in that version.<\/span><\/p>\n

Expiry date vs. expiration date<\/h3>\n

For cryptographic security devices (or Secure Cryptographic Devices<\/em> \u2013 SCDs). which include point-of-interaction devices (Point-of-Interaction<\/em> \u2013 POI) as PIN Entry Devices<\/em> (PEDs) or Encrypting-PIN PAD<\/em> (EPPs), as well as Key Loading Devices<\/em> (KLDs) and Hardware Security Modules<\/em> (HSMs), have been stipulated two key dates<\/strong> in its life cycle:<\/p>\n

    \n
  1. Expiry Date<\/strong>, which sets the deadline from which an entity may purchase devices of the affected model from the seller. As of this date, no additional units can be purchased or new units of the affected model can be deployed in production, unless they have been purchased BEFORE the expiration date. This date is set by the PCI SSC, is linked to the version of the specific standard and can be consulted at the list of approved PTS devices<\/a> the PCI SSC:<\/li>\n<\/ol>\n

    \"\"<\/p>\n

     <\/p>\n

      \n
    1. Expiry date (EOL\/Sunset\/Retire date)<\/strong>, which sets the deadline linked to the use of a specific device. As of that date, the affected device is not allowed to be used in a production environment and must be removed immediately. Depending on the standard, this date is set by the PCI SSC or the payment marks. For example, in the P2PE standard the expiration date is six (6) years after the expiration date:<\/li>\n<\/ol>\n

      \"\"<\/p>\n

      Impact of the expiration date of PCI HSM v3.x<\/h3>\n

      From 1 May 2026, no new units of the devices concerned may be purchased or deployed in production, unless they have been purchased BEFORE that date.<\/span><\/p>\n

      Some of the devices and models affected by this measure are the following:<\/p>\n