New sunset date for PCI 3.x EFTPOS devices

1 Aug 2023

Payments NZ is extending the sunset date for Payment Card Industry (PCI) 3.x EFTPOS devices to 30 June 2024.  

This change follows industry feedback that a range of issues continue to affect the roll-out of replacement devices, including supply chain disruptions continuing on from the global COVID-19 pandemic.  

The new date gives industry participants an additional eight months from an earlier deadline of 31 October 2023. 

Any PCI 3.x devices still connected to the EFTPOS switching network after 30 June 2024 will be disconnected and unable to be used. 

The modernisation of EFTPOS devices provides a very high degree of security, protecting sensitive data from unauthorised access. It is not anticipated that the eight-month extension will create a material security or safety risk. 

We would like to acknowledge all those who are already on target to meet the original sunset date and encourage them to continue with their replacement programmes as planned. 

Device lifecycle framework 

Payments NZ’s Consumer Electronic Clearing System governs how EFTPOS payments are processed in Aotearoa New Zealand. As part of this process, we maintain a device lifecycle framework that ensures any EFTPOS device being used is secure enough to protect sensitive card data from unauthorised use.  

Our framework is based on the international PCI PIN Transaction Security Point of Interaction Standard. 

As part of our role, we’ll be working closely with our acquiring Participants (banks) to monitor how many devices are replaced monthly between now and 30 June 2024. This will help ensure the roll-out remains timely and efficient. 

More information 

Any business still using a PCI 3.x EFTPOS device should contact their acquirers (banks) for more information if they haven’t heard from them yet. 
 
A list of all device lifecycle dates for Aotearoa New Zealand is available on our website, as well as more details about our device lifecycle framework.  

 

General industry Q&As

What happens if I’m already planning to replace my PCI 3.x device by 31 October 2023? 
We would like to acknowledge all those who are already on target to meet the original sunset date and encourage them to continue with their replacement programmes as planned. 

Why do these devices need replacing? 
Payments NZ sets device lifecycle dates based on our device lifecycle framework. This framework is in place to ensure sensitive card data continues to be protected from unauthorised use by making sure EFTPOS devices being used have suitably secure technology. 

Why has there been a date change? 
The extended sunset date will provide enough time to complete the removal of PCI 3.x devices from the EFTPOS switching network while keeping the system safe and secure. We acknowledge that supply chain disruptions caused by COVID-19 have made it more difficult to source new devices in some cases. The new date is well clear of the busy Christmas trading period. 

The additional eight months until 30 June 2024 should not create any material risk to the safety and security of the EFTPOS network.  

I am a merchant and have not been contacted by anyone about this change. Who should I talk to? 
Please contact your acquirer (bank) to find out more about what replacement programmes they may have in place. 

How do we set the device lifecycle dates? 
In Aotearoa New Zealand, we adhere to international standards as prescribed by the Payment Card Industry (PCI) Security Standards Council. These standards define security requirements using a risk-reduction methodology which is not intended to eliminate the possibility of fraud, but to reduce the likelihood of it happening and lessen its impact.  

Given how sophisticated fraud and the technology that enables it have become, each standard has an increasingly limited lifespan. PCI expires a standard when it believes that the standard should no longer be relied upon, thus encouraging the industry to adopt a newer standard. 

We align our sunset date with this PCI expiry date, and as a rule of thumb, will publish a sunset date that is approximately three years after the PCI expiry date. This is to provide merchants with enough time to migrate to an updated PCI standard. 

PCI expired their 3.x standard on 30 April 2021.