EFTPOS upgrade deadline: How our device lifecycle keeps payments secure
28 May 2025
As the governing body for payment systems in Aotearoa New Zealand, we’ve reconfirmed the retirement date for EFTPOS terminals using the PCI 4.x security standard. These devices must be replaced by 30 April 2026.
Read our full media release here.
This forms part of our device life cycle management, a structured process designed to ensure EFTPOS terminals across Aotearoa remain resilient and fit for purpose. It helps protect sensitive cardholder data and supports the ongoing trust and safety of our payments ecosystem.
This article explains how our device life cycle works, why the 2026 deadline is in place, and what merchants and industry partners need to know.
Why we set life cycle dates
Payments NZ is responsible for promoting an interoperable, innovative, safe, open and efficient payment system. We’re regulated by the Reserve Bank of New Zealand Te Pūtea Matua to ensure we deliver this.
A core part of our work is managing the life cycle of terminals connected to the EFTPOS network. This ensures devices remain secure and capable of protecting sensitive card data from unauthorised use.
We do this through a life cycle framework that sets clear timelines for introducing and retiring EFTPOS devices, in line with evolving technology and security threats.
Our life cycle dates are based on global data security standards set by the Payment Card Industry (PCI) Security Standards Council.
There are three key dates in our device life cycle:
- No new registrations. The date we stop registering new models of EFTPOS devices that use a given PCI security standard. Devices already registered can still be connected.
- No new connections. The date when registered models of a given standard can no longer be connected to the EFTPOS network for the first time. Existing devices can continue to operate.
- Sunset date. The final date by which devices using that standard must be removed from the network.
Other payment bodies around the world take a similar approach, setting dates based on PCI expiry while reflecting their own market needs and risk profiles.
How dates are set
We align our life cycle dates with the validity of PCI’s global standard for card terminals and other devices that accept PINs. This is the PIN Transaction Security (PTS) Point Of Interaction (POI) Modular Security Requirements standard – also known as the PCI PTS POI standard.
This standard applies to devices that “provide for the entry of PINs, used for the purchase of goods or services or dispensing of cash.”
Payments NZ requires any terminal being connected to the EFTPOS network to be certified to this standard. Vendors must provide a copy of this certification to us for every type of device they want to sell, which we then add to our EFTPOS device register.
Each version of the PCI PTS POI standard is valid for nine years.
- Version 4.x was released in 2014. It was originally due to expire in 2023, but was granted a one-year extension due to pandemic supply chain issues, and instead expired in 2024, ten years after its introduction.
- Version 5.x was released in 2017 and will expire in 2026, nine years after introduction.
- Version 6.x was released in 2020 and will expire in 2030, ten years after introduction.
By expiring a standard after nine years, PCI requires terminal vendors to certify new devices to newer standards that address vulnerabilities found in previous versions. This creates an ever-evolving standard that keeps pace with data security threats.
We generally set our sunset dates for EFTPOS in Aotearoa around three years after the related PCI standard expires, allowing time for industry to transition. This approach supports regular upgrades and avoids large-scale, last-minute replacements.
As a result, 4.x devices have a sunset date in 2026, 5.x devices have a sunset date in 2029, and 6.x devices have a sunset date in 2033, eight years from now.
Next year’s deadline
Last month, we reconfirmed that EFTPOS terminals using the PCI 4.x security standard must be replaced by 30 April 2026.
After that date, any remaining 4.x devices will be non-compliant and subject to disconnection.
This sunset date was first announced in 2017, giving nine years’ notice to merchants, vendors, and resellers.
The overall life cycle for 4.x devices is shown below:
- Introduction to the market: 2014 (eleven years ago)
- No new device registrations: 2020 (five years ago)
- No new connections: 2024 (one year ago)
- Sunset date: 30 April 2026
As of April 2025, around 19,000 4.x devices were still in use, based on industry reporting. Resellers are already working with merchants to support their replacements, and we’re actively supporting vendors and resellers through the process.
4.x device security
While still compliant today, 4.x devices need to be replaced to help protect the EFTPOS network from future attacks.
4.x devices have been in use in Aotearoa since 2014 – a long time in security terms. Versions 5.x and 6.x address many of the vulnerabilities identified in the 4.x standard, so it’s important that we keep encouraging the retirement of older standards and the use of later, more secure versions.
The international stance on 4.x devices
PCI issued a notice in 2022 extending their approval expiry date for 4.x devices to 30 April 2024, due to pandemic supply chain issues.
PCI’s notice recognised that 4.x devices were less robust against certain emerging attacks. PCI also strongly encouraged the use and deployment of newer-generation 5.x or 6.x devices in areas not affected by supply chain disruptions.
Our sunset date is three years after the original PCI expiry and two years after the extended expiry – in line with our standard approach.
The view across the Tasman
Australia has a sunset date of 2033 for 4.x devices, but this reflects a very different EFTPOS market. In Australia, most EFTPOS terminals are issued by banks, who manage replacement cycles directly with manufacturers.
In Aotearoa, our EFTPOS market is more diverse and reseller based. Our device life cycle reflects that, balancing security with realistic timelines for merchants and vendors.
Words from our team
Jamie Wood, Payments NZ’s General Manager of Clearing Systems, says businesses should act now to avoid last-minute risks.
“The upcoming dates have been known to industry for some time, but we’re highlighting them again so merchants can lock in upgrade plans well in advance,” says Wood.
“New Zealanders trust and depend on EFTPOS every day. Keeping the network aligned with the latest security standards helps protect consumers and keeps the risk of card fraud low.”
“These upgrades are a team effort across the whole industry, so we’ll be keeping a close eye on terminal numbers and supporting banks, vendors and resellers to help ensure a smooth transition,” Wood adds.
“We encourage merchants who have older devices to contact their vendor or reseller now, so they can continue transacting with confidence through April 2026 and beyond.”
Further information
What are PCI 4.x devices?
Devices certified to the PCI PED 4.x standard, issued by the international PCI Security Standards Council. They are made by various manufacturers and distributed by local vendors.
How does a merchant know what standard their device is?
Anyone who is unsure whether they are using PCI 4.x devices should check with their hardware provider.
Why do 4.x devices need to be replaced?
Payments NZ sets device life cycle dates based on our device life cycle framework. This framework is in place to ensure sensitive card data continues to be protected from unauthorised use, by making sure EFTPOS devices use secure technology.
Find out more about our device life cycle framework here.
We are currently reviewing our device life cycle framework, including how dates are set, communicated and managed. However, given the review is several months away from being completed, and the closeness of the 4.x sunset date, we need to provide certainty to the market that this date is not changing.
Are 4.x devices still secure?
They remain compliant for now, but newer devices offer stronger protection. A PCI-certified assessor identified several risks in 4.x devices, including:
- Weaker PIN protection against advanced attacks
- Limited firmware update capabilities
- Greater exposure to side-channel attacks
- Weaker authentication mechanisms
These risks have reinforced our decision to maintain the existing sunset date.
How are life cycle dates set?
Payments NZ sets dates in line with PCI expiry and local risk considerations, to support long-term planning and ensure devices stay secure.
What should merchants do now?
If you’re using a 4.x device or are unsure, contact your hardware provider now to avoid disruption.
An earlier version of this article was originally published on 29 April 2025.
About Payments NZ
Payments NZ is the governance organisation at the centre of Aotearoa New Zealand’s payments system. Established in 2010 with the endorsement of the Reserve Bank of New Zealand – Te Pūtea Matua, we manage and govern the country’s core payments clearing and settlement systems to ensure they remain safe, efficient, interoperable, and fit for the future.
We work in close partnership with industry to set the rules and standards that enable seamless payments between financial institutions, support API-enabled innovation through our API Centre, and lead strategic efforts to modernise and strengthen the payments ecosystem. In 2024, our systems processed over $8 trillion in retail and high-value payments. Our focus is on delivering world-class payments that support New Zealanders – today and for generations to come.