The upcoming expiration of PCI PTS (PIN Transaction Security) version 5 is forcing fuel and convenience retailers to confront a reality that has been building for years: much of today’s payment hardware is nearing the end of its supported lifecycle. The PCI Security Standards Council’s extension from April 2026 to April 2027 shifted the timeline, but it did not reduce the scope of work that the expiration of PCI PTS v5 has set in motion.

What makes this cycle feel different from other past versions of PCI PTS is the state of the installed base. Many devices now approaching end-of-life were deployed during the initial EMV era while today’s payment ecosystem has evolved: widespread contactless adoption, mobile wallets, cloud‑connected platforms, and continuously evolving security expectations. In many cases, due to technical limitations, vendors can no longer extend the life of these devices accelerating full replacement across entire device generations.

Against that backdrop, the expiration of PCI PTS v5 affects all merchants, but for fuel retailers it exposes a uniquely complex hardware lifecycle challenge shaped by site variability, deeply embedded payment environments, labor constraints, and the capital required to execute across large, distributed networks. The practical risk is not whether teams are aware of the deadline; it is whether the organization can plan and execute replacement at the pace the environment actually allows.

Large‑scale replacement cycles in fuel retail are complex and time-consuming, making this a  critical moment to evaluate how these changes will shape the technical capabilities of the payment environment for the future. Let’s examine how PCI PTS v5 becomes a deployment problem at scale, what strategic decisions retailers should make before execution begins, and how to use this forced refresh to strengthen the payments environment rather than simply preserve it.

It’s Bigger Than Compliance: Where PCI PTS v5 Becomes a Deployment Challenge

Fuel retailers operate in diverse and complex environments where each dispenser contains its own payment device. Across a large network, that quickly adds up. For context, there are an estimated 1.9 million Automated Fuel Dispenser (AFD) payment devices in the U.S. – reflecting the scale of the forecourt payment infrastructure alone – with a significant share of that installed base currently operating on PCI PTS v5 certifications.

A substantial portion of that installed base is concentrated in a small number of long‑standing, widely deployed device families. Platforms such as the Verifone M400‑series and Gilbarco FlexPay 4 are common across retail fuel and represent a meaningful share of those AFD devices. As these platforms reach end of life under PCI PTS v5, retailers are faced with large‑scale physical replacement, not incremental upgrades – turning a compliance deadline into a material infrastructure transition.

Replacing forecourt payment hardware is fundamentally different from a typical retail technology refresh. It often requires certified fuel technicians, extended service windows, permitting and site coordination, and hardware procurement timelines. For many retailers, PCI PTS v5 remediation becomes a multi‑year, phased execution effort with a significant capital investment attached.

As industry‑wide demand for replacement hardware and qualified technicians increases, retailers who move later face tighter supply, fewer scheduling options, and higher execution costs. Waiting is not a neutral choice; it allows market constraints, not strategy, to shape decisions. The question, then, is not if action is required, but how fuel retailers should be thinking about this work now, while the timeline still allows for deliberate planning and execution.

A Strategic Approach to Hardware Lifecycle Planning

Start with asset visibility and lifecycle governance before planning begins

Prior to starting discovery on a solution, retailers need a clear and accurate view of their payment assets, including hardware, firmware, and variable environment factors. Retailers should not assume upgradability without validating directly with their device vendor, as architectural limitations on widely deployed models are not always immediately apparent from internal records alone. For distributed or multi‑banner networks, gaps in asset visibility are common and often surface only after planning is already underway – when assumptions are hardest to unwind.

Additionally, asset clarity must be paired with early capital planning. Replacement at this scale represents a significant, multi‑year investment once labor, scheduling complexity, site coordination, and downtime risk are fully accounted for. Ownership of this work typically spans finance, procurement, technology, operations, and security, making cross‑functional alignment critical from the outset. Starting early preserves options; waiting compresses timelines and increases execution risk.

Use the hardware refresh as a strategic inflection point

When payment hardware is being physically replaced to meet PCI PTS v5 requirements, retailers are already committing to site access, technician scheduling, and operational disruption. That makes this an important moment to take a broader look at the legacy equipment landscape across the forecourt and store environment. Identifying other components nearing end of life while devices are already being touched creates an opportunity to coordinate replacements, reduce repeat truck rolls, and minimize unnecessary site disruption – execution efficiencies that compound quickly at scale.

This replacement cycle also creates a rare opportunity to revisit broader technology decisions that are difficult to address outside of a refresh. That includes reviewing payments capabilities such as contactless enablement and expanded acceptance, assessing security architecture options like whether point-to-point encryption (P2PE) belongs on the roadmap, and confirming alignment between forecourt, in-store, and enterprise payment systems. Approached deliberately, the refresh can support both near-term replacement needs and longer-term technology roadmap goals rather than locking in another generation of fragmented decisions.

Define the solution pathway as a foundation

Before hardware procurement and deployment plans are in place, retailers must define the best solution to replacing expired devices that fits the needs of business. There is no one-size-fits-all approach: for some, this may be a largely like-for-like replacement to meet near-term requirements; for others, it may be an opportunity to enhance the existing technology stack or to reassess vendors and solutions more broadly.

That decision should be grounded in a clear understanding of the current asset base, the capital required to act, and the role this refresh plays in the broader payments and technology roadmap. When made deliberately, it shapes the scope, sequencing, and complexity of the deployment before execution begins. Each pathway carries different implications for timeline, cost, and long-term flexibility, reinforcing the need to align early on both business priorities and constraints.

Plan for execution as a large-scale deployment program

Execution across a large fuel network requires phased planning built around real constraints: technician availability, site access, hardware supply, and capital cycles. That means deliberate sequencing, built‑in contingency, and a multi-year sustained program discipline.

Retailers that underestimate the program structure this work requires – or mistake this as a compliance task – tend to find themselves reacting to constraints as timelines tighten. Those that structure it as a formal deployment program with defined phases, committed resources, and cross‑functional accountability retain more control and typically reduce both operational disruption and total cost.

Navigating the Lifecycle Takes More Than Time

Terminal and forecourt hardware replacement at this scale is expensive and disruptive. Because PCI PTS v5 forces action now, retailers have a narrow window to make decisions that will shape their payments environment for years to come.

The PCI PTS v5 extension provides time, but it does not create capacity or simplify execution. Success hinges on using that time intentionally, grounding plans in reality, aligning the right functions early, and treating required replacement as an opportunity to make better long-term decisions rather than just meet a deadline.

Capra works with fuel and convenience retailers to translate PCI and ecosystem requirements into executable deployment plans, helping establish asset visibility, pressure-test timelines, sequence phased rollouts, and align replacement decisions with broader payments and retail technology strategies. Whether you are navigating PCI requirements, managing a large-scale hardware rollout, or reevaluating your payments technology strategy, we can help.

Let’s Get Started

Frequently Asked Questions (FAQs):

What is PCI PTS certification?
PCI PTS (PIN Transaction Security) is a set of requirements governed by the PCI SSC that protect the PIN during transactions on payment hardware devices – including payment terminals, POS devices, PIN pads, and unattended devices such as fuel pumps and kiosks – to ensure secure PIN entry, protection against tampering or skimming, and encryption of cardholder data. Unlike PCI DSS (Data Security Standard), PCI PTS focuses on physical security and cryptographic functionality of devices. It covers Point of Interaction (POI) devices and Hardware Security Modules (HSM).

What does the PCI PTS v5 expiration actually mean?
April 30, 2027 marks the cut‑off for new deployments of devices certified under PCI PTS v5. After that date, newly installed devices must meet newer standards (such as PCI PTS v6 or PCI PTS v7). In practice, vendor support and device retirement timelines may force replacement sooner than the formal expiration.

Why does PCI PTS v5 feel more disruptive than past versions?
The disruption is driven less by PCI PTS v5 itself and more by market reality. A large share of PCI PTS v5 devices were installed during initial EMV deployments while modern payment and security expectations have continued to evolve. Limited upgrade paths accelerate full device replacement across entire generations, increasing scale and investment.

What happens if a retailer continues operating PCI PTS v5 devices after expiration?
Devices may remain in the field only while vendor support continues and vulnerabilities remain patchable. Once support ends or a vulnerability cannot be remediated, devices must be removed.

Retailers operating expired or unsupported hardware may face escalating penalties enforced through the payment ecosystem: card brands set compliance requirements that flow through acquiring banks down to retailers, and those penalties can escalate significantly over time. Retailers also face a liability shift in which responsibility for fraudulent transactions processed on expired hardware moves from the card issuer to the retailer.

What devices and models are PCI PTS approved?

A list of PCI PTS approved devices can be found on the PCI SSC’s website here: https://listings.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices?agree=true

What versions of PCI PTS certifications are currently in play?

• PTS v3: Expired, and merchants may have to entirely sunset use by December 31, 2030
• PTS v4: No longer available for new purchase or deployment as of April 30, 2024.
• PTS v5: New deployments are generally permitted until April 30, 2027 (but these are hard to buy)
• PTS v6/v7: Currently the required standard for any fresh hardware rollouts being pushed by vendors