
PCI PTS HSM v5.0: What the New PCI Update Means for Payment Security

The Payment Card Industry Security Standards Council (PCI SSC) published PCI PTS HSM v5.0 on May 18, 2026, marking a major revision to the PCI PIN Transaction Security (PTS) Hardware Security Module (HSM) Modular Security Requirements. The update moves the standard from version 4.0 to version 5.0 and addresses modern cryptographic practices, cloud and multi-tenant HSM deployments, and emerging risks such as post-quantum threats.[1]

For most merchants, this is not a direct change to the Approved Scanning Vendor (ASV) program. It does, however, point to a broader shift across PCI standards: payment security is becoming more continuous, more cloud-aware, and more dependent on strong validation evidence.

That matters for any organization responsible for PCI compliance. Even if your business does not manage HSMs directly, the systems, software, processors, payment applications, cloud providers, and externally exposed environments that support your payment operations still need to be reviewed, tested, and kept current.

What changed in PCI PTS HSM v5.0?

PCI PTS HSM v5.0 introduces extensive requirement updates and additional guidance. PCI SSC says the revision modernizes the structure of the standard, strengthens cryptographic expectations, and better aligns HSM evaluations with real-world deployment models, including HSM-as-a-Service and remote administration environments.[1]

  • Stronger cryptographic requirements: Device-security keys used for firmware authentication, tamper/storage protection, and similar purposes must now use cryptography with at least 128-bit effective key strength. TDES is no longer permitted for device-security purposes.[1]
  • Support for modern and post-quantum cryptography: The update includes post-quantum cryptography considerations and new requirements such as Elliptic Curve Schnorr Digital Signature Algorithm (EC-SDSA) for certain use cases.[1]
  • New evaluation modules: The standard adds modules for key-transfer functionality, remote administration, and HSM solution security, reflecting the growth of distributed and cloud-based HSM deployments.[1]
  • Cloud and multi-tenant HSM controls: PCI PTS HSM v5.0 expands requirements for HSM-as-a-Service and multi-tenant HSM architectures, including tenant key erasure and strict isolation between tenants.[1]
  • Lifecycle and vulnerability management: Vulnerability management requirements have been strengthened and moved into lifecycle security modules, emphasizing security across the full HSM lifecycle.[1]
  • Enhanced testing expectations: Testing laboratories are expected to perform deeper validation activities, including source-code review for certain requirements and more explicit documentation of vulnerability sources and testing methods.[1]

Why this matters beyond HSMs

The HSM update is technical, but the signal is broader. PCI is evolving to reflect how payment technology is actually deployed today: in cloud environments, across APIs, through software-based payment acceptance, and inside complex third-party ecosystems.

This is why the release should not be viewed as a one-off standards update. It fits into a broader PCI modernization trend that includes stronger software security expectations, mobile payment acceptance changes, and continued emphasis on vulnerability management and validation evidence.

A broader PCI modernization trend

PCI PTS HSM v5.0 is one part of a larger modernization of PCI standards. In January 2026, PCI SSC released PCI Secure Software Standard v2.0, the first major revision to that standard and its supporting Program Guide. PCI SSC describes the Secure Software Standard as helping provide assurance that payment software is designed, developed, and maintained in a way that protects payment-related data and payment-related functionality.[4]

In May 2026, PCI SSC also announced formal sunset periods for the PCI SPoC and PCI CPoC standards. The sunset period runs from May 1 through October 31, 2026, and no new SPoC or CPoC submissions will be accepted during that period.[5]

At the same time, PCI SSC continues to support Mobile Payments on COTS (MPoC), a broader standard for mobile payment acceptance on commercial off-the-shelf devices. PCI SSC says MPoC solutions are evaluated by PCI-recognized laboratories against the MPoC Standard and Program Guide.[6]

Taken together, these updates show the direction of travel: PCI security is moving beyond traditional point-in-time validation and toward lifecycle security, modern cryptography, software assurance, cloud-aware controls, and clearer evidence that security requirements are being met.

Why merchants should care, even if they do not manage HSMs

Many merchants will not directly own or operate an HSM. In many cases, cryptographic operations are handled by a processor, acquirer, gateway, issuer, payment service provider, or cloud HSM provider. Even so, merchants and service providers still need to understand how their payment environment is supported and whether their vendors are keeping pace with PCI changes.

The practical takeaway is not that every merchant now needs to become an HSM expert. The takeaway is that PCI compliance depends on a chain of controls. Hardware, software, cloud infrastructure, third-party services, payment pages, APIs, and external-facing systems all need to be understood, scoped, and validated appropriately.

The ASV connection: PCI compliance is becoming more continuous

External vulnerability scanning remains one of the clearest recurring PCI DSS requirements. PCI SSC defines an ASV as an organization with security services and tools used to conduct external vulnerability scans that validate adherence to PCI DSS Requirement 11.3.2. PCI SSC also notes that an ASV scan solution is tested and approved before a vendor is added to the Council’s ASV list.[2]

Under PCI DSS v4.x, Requirement 11.3.2 requires evidence of passing external scans performed by an ASV at least once every three months. PCI SSC’s ASV resource guide specifically calls out SAQ A merchants, since many are completing Requirement 11.3.2 for the first time.[3]

This is especially important for e-commerce merchants. Some organizations previously assumed that outsourcing payment processing removed most PCI scanning obligations. Under PCI DSS v4.x, that assumption can create gaps. If a merchant system hosts the webpage that redirects to a PCI DSS-compliant third-party service provider, or includes an embedded payment page or form from that provider, ASV scanning may apply.[3]

This is where the HSM update and ASV scanning connect at a strategic level. Both point to the same theme: PCI is pushing organizations to prove that payment environments are secure on an ongoing basis, not simply during an annual assessment cycle.

Not Sure What Your PCI Scanning Obligations Are?

ASV scanning, SAQ A requirements, authenticated internal scans, quarterly rescans — it’s a lot to track. Our 2026 PCI Scanning Guide breaks it all down in plain language so you know exactly what’s required and what to do next.

What payment organizations should review now

  1. HSM inventory and vendor dependency: Identify whether your organization uses HSMs directly or relies on a processor, acquirer, issuer, cloud provider, gateway, or payment service provider that does. Ask those vendors how they are planning for PCI PTS HSM v5.0.
  2. Cloud and multi-tenant risk: Review whether any payment cryptography, payment acceptance, or payment application services are hosted in shared or cloud environments. Confirm that tenant isolation, key erasure, access control, logging, and remote administration controls are understood.
  3. Payment software posture: Review payment applications, SDKs, APIs, checkout pages, plugins, and third-party integrations in light of the broader PCI Secure Software direction.[4]
  4. ASV scan scope: Confirm that all externally facing IP addresses, domains, e-commerce pages, payment redirects, embedded payment forms, and relevant cloud assets are included in scope.
  5. Quarterly scanning process: Make sure external scans are scheduled at least every three months and that failed scans are remediated and rescanned until a passing result is achieved.[3]
  6. Change management: Run scans after significant changes, including new payment pages, new domains, infrastructure changes, firewall updates, new APIs, cloud migrations, and changes to payment integrations.
  7. Evidence management: Keep scan reports, remediation records, attestations, vendor documentation, and scope notes organized so they are ready for assessors, acquirers, partners, and internal stakeholders.

How Clone Systems can help

Clone Systems is a PCI SSC Approved Scanning Vendor that helps merchants, service providers, processors, QSAs, and PCI-focused partners manage external vulnerability scanning requirements. For organizations that need to simplify PCI scanning, Clone Systems provides ASV scanning, reporting, remediation visibility, and rescans needed to achieve passing compliance evidence.

For partners managing multiple customers, Clone Systems also supports white-labeled and multi-tenant ASV scanning models. This allows organizations to offer PCI ASV scanning under their own brand while relying on Clone Systems’ approved scanning capabilities.

For more detail on ASV scanning, SAQ A, authenticated internal scans, and quarterly vulnerability scanning requirements, read Clone Systems’ related guide: PCI Scanning Guide 2026: ASV & Authenticated Internal Scans.[7]

Final takeaway

PCI PTS HSM v5.0 is a technical standard, but its broader message is clear: payment security is becoming more modern, more cloud-aware, and more continuous. Stronger cryptography, better lifecycle governance, secure software, mobile payment acceptance, and recurring vulnerability validation are all part of the same direction.

For merchants and service providers, the safest approach is to treat PCI compliance as an ongoing security program rather than a once-a-year exercise. That means keeping vendors aligned, reviewing scope regularly, scanning external assets at least quarterly, remediating vulnerabilities promptly, and maintaining clear evidence that payment environments are protected.

References

[1] PCI SSC, “PCI SSC Publishes PCI PTS HSM v5.0,” May 18, 2026

[2] PCI SSC, Approved Scanning Vendors program page

[3] PCI SSC, “Resource Guide: Vulnerability Scans and Approved Scanning Vendors”

[4] PCI SSC, “PCI SSC Releases Version 2.0 of the PCI Secure Software Standard,” January 15, 2026

[5] PCI SSC, “Announcement of Sunset Periods for the PCI SPoC and PCI CPoC Standards,” May 1, 2026

[6] PCI SSC, Mobile Payments on COTS (MPoC) overview

[7] Clone Systems, “PCI Scanning Guide 2026: ASV & Authenticated Internal Scans”