Payments NZ confirms EFTPOS deadline for April 2026
29 Apr 2025
Payments NZ, the governing body for payment systems in Aotearoa New Zealand, has confirmed a key EFTPOS deadline: terminals using the PCI 4.x security standard must be replaced by 30 April 2026.
Merchants have just over a year to replace any EFTPOS terminals that use the PCI 4.x security standard. These devices will be non-compliant and subject to disconnection from the network after 30 April 2026.
Around 19,000 terminals using the 4.x standard are still in use around Aotearoa, based on industry reporting to Payments NZ.
The sunset date was first published and communicated to industry in 2017, giving merchants, vendors, and resellers significant time to prepare. With just over a year to go, Payments NZ is reinforcing the timeline to ensure the industry remains on track.
Jamie Wood, General Manager of Clearing Systems at Payments NZ, says businesses should act now to avoid last-minute risks.
“The upcoming dates have been known to industry for some time, but we’re highlighting them again so merchants can lock in upgrade plans well in advance,” says Wood.
“New Zealanders trust and depend on EFTPOS every day. Keeping the network aligned with the latest security standards helps protect consumers and keeps the risk of card fraud low.”
“These upgrades are a team effort across the whole industry, so we’ll be keeping a close eye on terminal numbers and supporting banks, vendors and resellers to help ensure a smooth transition,” Wood adds.
“We know some resellers have already started this process, which is much appreciated.
“We encourage merchants who have older devices to contact their vendor or reseller now, so they can continue transacting with confidence through April 2026 and beyond.”
Further information
What are PCI 4.x devices?
4.x devices are EFTPOS terminals compliant with the PCI PED 4.x standard, issued by the international Payment Card Industry (PCI) Security Standards Council.
The devices are made by a range of manufacturers, and are distributed nationally by a range of vendors and resellers.
How does a merchant know what standard their device is?
Anyone who is unsure whether they are using PCI 4.x devices should check with their hardware provider.
Why do 4.x devices need to be replaced?
Payments NZ sets device life cycle dates based on our device life cycle framework. This framework is in place to ensure sensitive card data continues to be protected from unauthorised use, by making sure EFTPOS devices use secure technology.
Find out more about our device life cycle framework.
We are currently reviewing our device life cycle framework, including how dates are set, communicated and managed. However, because the review is several months away from being completed and the 4.x sunset date is close, we need to provide certainty to the market that this date is not changing.
Are 4.x devices still secure?
Registered and connected 4.x devices are still compliant for use on the EFTPOS network, and the sunset date does not mean any individual device is insecure.
However, it’s time to replace them with devices using newer security standards so that the EFTPOS network as a whole is better protected from fraud.
Payments NZ has a separate process for disconnecting specific device models from the EFTPOS network if they’ve been compromised or have failed to protect sensitive data, anywhere in the world.
How does Payments NZ set the device life cycle dates?
Payments NZ adheres to international standards as prescribed by the Payment Card Industry (PCI) Security Standards Council.
These standards define security requirements using a risk-reduction methodology, which is not intended to eliminate the possibility of fraud, but to reduce the likelihood of it happening and lessen its impact.
Life cycle dates are set to give certainty and allow forward planning by merchants and the payments industry, by establishing regular intervals for introducing and phasing out EFTPOS devices as security standards improve over time.
What should merchants do if they are still using a 4.x device or are unsure?
Anyone still using a 4.x device, or unsure of the age of their devices, should get in touch with their hardware provider. Doing this now will avoid future disruptions.