18 December 2024
By David McGregor, Security Standards Manager, AusPayNet and
Nisha Shah, Compliance Manager, AusPayNet
AusPayNet’s device approval process (DAP) fundamentally supports our work to create confidence in payments for all.
On 1 January 2025, a revised version of AusPayNet’s device approval process (Revised DAP) will become effective. The Revised DAP will:
From January 2025, under the Revised DAP, devices which have been approved by an Approved Standards Entity (ASE) using an Accepted Standard can be used in Australia without needing to be registered with AusPayNet. A device can be used in the Issuers and Acquirers Community (IAC) provided it complies with an Approved Standard and is listed on the website of an ASE. The list of accepted standards includes:
AusPayNet will continue to manage the approval process for Non-Standard Technologies (NST), allowing the use of devices which have not been approved by PCI or another ASE.
AusPayNet will also continue to maintain a list of devices approved under the NST process, as well as devices previously approved by AusPayNet where no approval has been granted by an ASE. AusPayNet’s website will no longer list devices already listed on the website of an ASE.
Prior to 2021, under AusPayNet’s device approval process, approvals were allocated an initial approval period of three years. Before the approval expired, AusPayNet would ascertain whether there were known vulnerabilities with the device and, if there were not, would extend the approval for a further three years. This renewal process continued until a device was found to have known security concerns or was no longer available.
Since 2022, devices that have been approved by PCI and the US’s National Institute of Standards and Technology (NIST) have been registered as approved devices by AusPayNet, where an application for registration was received.
PCI and NIST provide a fixed expiry date for each approval, and this date was replicated in AusPayNet’s list of approved devices, signifying the end of the AusPayNet approval period. When an approval period expired, the device was moved to AusPayNet’s expired devices list and allocated a sunset date by AusPayNet. Devices purchased during the approval period can continue to be used in the IAC up until the sunset date.
ASEs such as PCI and NIST do not typically include sunset dates in their listings. By ceasing to list devices approved by an ASE, AusPayNet can no longer record the sunset dates for PCI and NIST devices in the expired devices list. To address this problem, AusPayNet publishes a schedule of sunset dates. This schedule enables readers to determine the sunset date of a PCI- or NIST-approved device using either the version of the requirements against which it was approved (e.g. PCI PTS v5.0) or the expiry date of the original approval.
The Revised DAP provides for revocation of an approved device in extraordinary circumstances. The list of triggers for revocation is set out in the DAP. Revocation immediately invalidates the device’s approval (including during the sunset period). Any revoked devices which are deployed and cannot be immediately decommissioned will be managed through AusPayNet’s exemption process, which forms part of the annual security audit. A new page will be added to AusPayNet’s listings for revoked devices, so that the revocation status of a device can be determined.
The changes introduced through the Revised DAP are designed to simplify the process for approval of devices and align it with major card brands. No amendments to technical security requirements have been made as part of this update.
As part of this update, changes have been made to:
All documents will be published to the AusPayNet website and member portal early in 2025.
If you have any questions about the new process, please email PAG@auspaynet.com.au.