PCI Compliance for Legacy Devices: Using Expired PTS POI Devices in a PCI-Validated P2PE Solution
In a dynamic world of payment card data security, one of the most common questions among merchants and solution providers is: Can we continue using expired PTS POI devices if we have a PCI-validated P2PE solution?
The answer? Yes, but conditionally.
Let’s look at some concepts and understand the circumstances where we can use expired PTS devices.
Point-to-Point Encryption (P2PE)
P2PE is a PCI SSC-validated security solution that encrypts cardholder data at the point of interaction (like a card reader) and keeps it encrypted until it reaches a secure decryption environment, thus preventing clear-text data ever entering the merchant’s system. It reduces the PCI DSS scope and the risk of compromise.
PIN Transaction Security (PTS)
PTS is a standard published by the PCI Security Standards Council. It ensures that hardware devices used for PIN entry or card data capture are secure, including protection from physical tampering, skimming, or software-based attacks.
PTS POI devices are hardware terminals like POS systems, card readers, PIN pads, and unattended payment terminals (e.g., at kiosks or gas pumps) that have been evaluated for security.
These devices go through evaluation cycles and have expiry dates, typically 5–6 years after approval. After expiry, they are no longer listed as “approved” by PCI SSC, even though they may still function securely.
What Happens When a PTS POI Device Expires?
In general, PCI guidance suggests moving away from expired PTS devices to maintain a strong security posture. However, there is an exception when using a PCI-validated P2PE solution. The PCI Security Standards Council allows for the continued use of expired PTS POI devices in a validated P2PE solution for up to 5 years after their approval expiration.
As per PCI SSC,
“PCI-listed P2PE solutions (and applicable P2PE components) are allowed to reassess their existing PCI P2PE approval with expired PTS POI devices for up to, but not exceeding, 5 years past the PTS POI device expiry dates (as listed on the PCI Approved PTS Devices list) for the POI device types used in the solution”
(source: https://listings.pcisecuritystandards.org/documents/PCI-SSC_P2PEv3_Technical_FAQs.pdf)
When Can You Use Expired PTS Devices in a P2PE Solution?
An expired PTS POI device may continue to be used in a P2PE solution, provided:
- The device was part of the original PCI-validated P2PE solution listing.
- The P2PE solution provider has not changed or removed the device from the solution scope.
- The device is still deployed in accordance with the original implementation guide and the P2PE Instruction Manual (PIM).
- The solution provider continues to manage, monitor, and support the device as per the PCI P2PE requirements.
Why Is Using Expired PTS POI Devices Allowed?
Because the overall security of the P2PE solution goes beyond just the hardware certification. It includes encryption, tamper protection, access control, and regular monitoring.
The end-to-end encryption offered by the validated P2PE solution compensates for the expiry of the individual device’s PTS listing, as long as all controls remain in place.
What You CANNOT Do
You cannot simply use any expired PTS device and claim it’s protected by P2PE. Only devices that are explicitly part of an active, listed PCI-validated P2PE solution can benefit from this exception.
Also:
- You cannot introduce a new expired device into a P2PE environment.
- You cannot alter the device configuration or placement without revalidation by the solution provider.
Summary
Yes, expired PTS devices can be used within a PCI-validated P2PE solution—but only if:
- The device was listed in the original validated solution,
- The solution provider still manages and supports it,
- No unauthorized changes have been made.
This approach allows merchants to extend the lifespan of legacy hardware while maintaining PCI compliance, reducing risk, and keeping costs manageable.
Final points to remember
- Note that devices with expired approvals may not be able to withstand the latest generations of attacks.
- The impact of using expired PTS devices should be discussed with the merchant’s acquirer or the payment brand.
- POI devices used in a PCI-listed P2PE solution exceeding 5 years past their listed expiry date will no longer be considered valid.
- Always consult your P2PE solution provider and your QSA before continuing to use or replacing expired devices. Missteps could inadvertently expand your PCI scope or lead to noncompliance.
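The eligibility conditions in the Summary and the 5-year cap in the final points above can be turned into a repeatable inventory check. The following Python script is an added example, not code from the original article or from PCI SSC; the device record fields, the sample inventory, the "as of" date and the day-granularity reading of "not exceeding 5 years past the PTS POI device expiry date" are all assumptions made here for illustration. The real decision still rests with the solution provider, acquirer and QSA, and the script only flags devices that need that conversation.

```python
from dataclasses import dataclass
from datetime import date

# Cap quoted on the page from the PCI SSC P2PE v3 Technical FAQ:
# at most 5 years past the PTS POI device expiry date.
MAX_YEARS_PAST_PTS_EXPIRY = 5


@dataclass
class PoiDevice:
    """One deployed POI device (constructed record layout, an assumption)."""
    serial: str                      # constructed sample identifier
    model: str                       # constructed sample model name
    pts_expiry: date                 # expiry shown on the PCI Approved PTS Devices list
    in_original_p2pe_listing: bool   # device type was in the validated solution listing
    still_in_solution_scope: bool    # provider has not removed it from the solution scope
    deployed_per_pim: bool           # deployed per the P2PE Instruction Manual (PIM)
    provider_managed: bool           # provider still manages, monitors and supports it
    unauthorized_changes: bool       # configuration or placement altered without revalidation


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 Feb falls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate_device(dev: PoiDevice, today: date) -> tuple[str, list[str]]:
    """Classify a device for use in a PCI-listed P2PE solution.

    Returns (status, reasons):
      'approved'   - PTS approval has not expired yet.
      'extended'   - expired, but within the 5-year window and every condition holds.
      'ineligible' - expired and at least one condition fails; reasons say which.
    """
    reasons: list[str] = []
    if today <= dev.pts_expiry:
        return "approved", reasons

    window_end = add_years(dev.pts_expiry, MAX_YEARS_PAST_PTS_EXPIRY)
    if today > window_end:
        reasons.append(f"more than {MAX_YEARS_PAST_PTS_EXPIRY} years past PTS expiry "
                       f"(window ended {window_end.isoformat()})")
    if not dev.in_original_p2pe_listing:
        reasons.append("not part of the original validated P2PE solution listing")
    if not dev.still_in_solution_scope:
        reasons.append("removed from the solution scope by the provider")
    if not dev.deployed_per_pim:
        reasons.append("not deployed per the implementation guide / PIM")
    if not dev.provider_managed:
        reasons.append("no longer managed, monitored and supported by the provider")
    if dev.unauthorized_changes:
        reasons.append("configuration or placement changed without revalidation")

    return ("extended" if not reasons else "ineligible"), reasons


def report(inventory: list[PoiDevice], today: date) -> dict[str, str]:
    """Map each serial to its status; the caller decides what to escalate."""
    return {dev.serial: evaluate_device(dev, today)[0] for dev in inventory}


# Constructed sample inventory and review date (assumptions for illustration).
AS_OF = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    PoiDevice("SN-0001", "ReaderA", date(2027, 4, 30), True, True, True, True, False),
    PoiDevice("SN-0002", "ReaderB", date(2022, 4, 30), True, True, True, True, False),
    PoiDevice("SN-0003", "ReaderC", date(2019, 4, 30), True, True, True, True, False),
    PoiDevice("SN-0004", "ReaderD", date(2022, 4, 30), False, True, True, True, False),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        status, reasons = evaluate_device(dev, AS_OF)
        print(f"{dev.serial} {dev.model:<8} {status:<10} {'; '.join(reasons)}")
```

In the sample run, SN-0001 is still approved, SN-0002 is expired but within the extended window with all conditions met, SN-0003 is more than 5 years past expiry and drops out of the solution, and SN-0004 is an expired device that was never in the original listing, which is exactly the "new expired device" the article says cannot be introduced. Devices reported as `ineligible` are the ones to raise with the solution provider and QSA before the next assessment.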