Written by Tyler Bick
If your business accepts credit or debit cards, whether in person, online, or through a mobile device, payment security rules apply to you. Over the last several years, PCI Compliance standards have evolved in ways that affect not only IT, but also operations, management, and the vendors that support your payment systems.
Two PCI standards are especially relevant for most businesses that accept card payments:
- PCI DSS 4.0: the rules for how your business protects card data across your people, processes, and systems.
- PCI PTS POI: security standards for the payment devices themselves, such as the terminals and PIN entry devices where customers tap, dip, or enter a PIN.
These standards address different parts of the payment ecosystem and are designed to complement each other. One is about your overall environment. The other is about the hardware at the counter (or in the field, or in an ATM).
Here’s the practical, non-technical version of what’s changing and how to stay ahead.
First: A “PCI-Compliant Terminal” Doesn’t Make Your Business Compliant
A secure, certified terminal is a great start, but it’s only one piece of the puzzle.
Think of it like installing a high-quality lock on your front door. It helps. But if your windows are open, your alarm is off, and everyone shares the same key, you still have risk.
That helps illustrate how the two standards relate to each other:
- PCI PTS POI helps ensure your terminal hardware is built to resist tampering.
- PCI DSS 4.0 is about how your business operates: your network, access, policies, vendor relationships, and how you prove controls are working.
What’s New With PCI DSS 4.0 (The “How You Run Things” Standard)
PCI DSS 4.0 has been rolling out in phases, and the direction is clear: payment security is shifting toward more continuous monitoring and clearer accountability.
In practice, that means:
- More ongoing validation that security controls are in place and working. Instead of doing a one-time compliance effort each year, companies are expected to show that safeguards are consistently in place.
- Clear ownership. Businesses need to be able to answer, “Who is responsible for this?” for key security steps, not just “I.T.”
- Extra attention on online checkouts. If you take payments online, there’s increased focus on protecting the checkout experience from hidden changes, including third-party scripts and add-ons.
- Greater oversight of third-party service providers. Your payment processor, POS provider, gateway, e-commerce platform, and other vendors can affect your compliance and your risk. PCI compliance increasingly requires coordination between businesses and the vendors that support their payment environment.
Many of the requirements that were initially optional became mandatory after March 31, 2025, meaning 2026 is the year many businesses feel the operational impact.
What’s New With PCI PTS POI (The “Terminal Hardware” Standard)
PCI PTS POI is the standard used to evaluate the security of payment devices such as payment terminals and PIN entry devices.
The big takeaway: these devices have their own lifecycle and deadlines.
Right now, the industry is moving from older “v5” devices to newer “v6” (and now v7) devices. You don’t need to know the technical differences—but you do need to know that older device versions eventually reach a point where they can’t be newly deployed.
A key date to be aware of is April 30, 2027, which is the extended expiration date for PCI PTS POI v5-approved devices. After that point, organizations should expect to rely on newer device versions such as v6 or v7.
Devices already in place may be able to stay in service. Still, organizations should plan for replacement and avoid last-minute scrambles—especially if you operate multiple locations or run a large device fleet.
What We Recommend: A Simple, Practical Plan
You don’t need a giant technical project to get moving. Most businesses do well with a structured, common-sense approach:
1) Take inventory. List your payment devices and their locations.
2) Ask the right vendor questions. For your terminals, POS provider, and processor:
- What device versions are we using today?
- What’s the replacement and support roadmap?
- How do firmware updates work?
- What should we plan for before 2027?
3) Tighten your “day-to-day” controls. Even basic improvements can help: access controls, training, vendor oversight, and documentation that demonstrates controls are being consistently followed.
4) Build a 12–24 month roadmap to prepare for upcoming device lifecycle deadlines. Be sure to plan upgrades and improvements in manageable phases.
The Bottom Line
Payment security is moving toward more continuous compliance, clearer accountability, and greater attention to the systems and vendors that support the payment process, not just the terminal itself.
The good news is that proactive planning usually costs less, disrupts operations less, and reduces risk far more effectively than reacting late.
If you have questions about payment security, vendor oversight, or how compliance requirements may affect your business, our team is here to help. Contact us to start the conversation.
