One week to go before EFTPOS hardware upgrade deadline
24 Sep 2024
A nationwide phase-out of obsolete EFTPOS terminals is nearly complete, but remaining businesses still using older devices are being urged to act now to avoid disruptions.
From Tuesday, 1 October, any EFTPOS terminals running the PCI 3.x standard will no longer be compliant and will be subject to disconnection from Aotearoa New Zealand’s payment network.
Payments NZ clearing systems general manager Jamie Wood says with one week to go, a final push is being made across the payments industry to reach a small number of merchants who are yet to upgrade.
Around 4,000 outdated devices remain connected to the network as of late September, a fraction of the 50,000 in use a year ago.
“Since issuing our final reminder earlier this month, we’ve continued to work with banks, vendors and resellers to make sure word gets out to merchants still using outdated terminals,” says Wood.
“The remaining numbers are low but disconnection is something we really want to avoid for any business taking card payments.
“We’d encourage merchants to check their terminals now and get in touch with their hardware provider to make sure they’ll still have EFTPOS available when they need it.”
Wood says Payments NZ has worked with the industry to understand their ability to quickly reconnect any merchants who may be caught out by the deadline.
“With best efforts it could take several days for disconnected devices to be replaced, likely longer outside of main centres. Vendors and resellers will be anticipating a few urgent requests, but reconnection won’t be instant.
“The best time for merchants to reach out to hardware providers is now, before any disruption to business happens.”
Wood says the 1 October deadline is part of an industry lifecycle which ensures that the EFTPOS network operates to the latest security standards, keeping the risk of card fraud low for consumers and businesses.
“Next week’s deadline follows several years of planning to phase out these older devices,” says Wood.
“Almost all merchants have now upgraded, so it’s time to phase out older devices on schedule so we can help keep the EFTPOS network secure for everyone.
“Once again I would like to thank merchants, terminal vendors and resellers across Aotearoa for their efforts to upgrade EFTPOS terminals, and to help keep our card payments network secure.”
What are PCI 3.x devices?
3.x devices are EFTPOS terminals compliant with the 3.x standard issued by the international Payment Card Industry (PCI) Security Standards Council. The devices are made by a range of manufacturers and are distributed nationally by a range of vendors and re-sellers.
How does a merchant know what standard their device is?
Anyone who is unsure on whether they are using PCI 3.x devices should check with their hardware provider.
Why do 3.x devices need replacing?
Payments NZ sets device lifecycle dates based on our device lifecycle framework. This framework is in place to ensure sensitive card data continues to be protected from unauthorised use by making sure EFTPOS devices use secure technology.
Find out more about our device lifecycle framework here.
How do we set the device lifecycle dates?
In Aotearoa New Zealand, we adhere to international standards as prescribed by the Payment Card Industry (PCI) Security Standards Council. These standards define security requirements using a risk-reduction methodology which is not intended to eliminate the possibility of fraud, but to reduce the likelihood of it happening and lessen its impact.
What should merchants do if they are still using a 3.x terminal or are unsure?
Anyone still using a 3.x terminal or who is unsure should get in touch urgently with their hardware provider. They need to do this now rather than wait until a disconnection occurs.