Visa, Mastercard, American Express, and Discover have all issued critical updates to their security certificate systems, requiring immediate attention from merchants across the US.
All merchants must remove outdated 1408-bit security keys from payment terminals by July 1, 2025 to prevent transaction processing failures.
While all four networks have made changes, the required actions are essentially the same across the board. This guide covers everything you need to know about these updates and what steps you need to take.
What Are Payment Security Keys?
Payment security keys are like digital locks that protect credit card transactions. Whenever a customer swipes, dips, or taps their card at a payment terminal, these security keys work behind the scenes to encrypt and verify the transaction data.
But digital security keys can become outdated and less secure over time. So the payment networks regularly update them to stay ahead of potential security threats and ensure payment information remains protected.
Payment security keys come in different strengths, which are measured in bits. The higher the number, the stronger the security:
- 1408-bit keys: An older, weaker version that needs to be removed.
- 1984-bit keys: The newer, stronger key that provides better protection.
This isn’t something that most merchants need to understand in detail. Your terminal provider will handle the technical aspects. But it’s important to know that failure to update your security keys can cause your payment processing system to stop working entirely.
Important Deadlines You Need to Know
All four payment networks—Visa, Mastercard, American Express, and Discover—have implemented seemingly identical security key updates.
They’re completely phasing out the 1408-bit keys, and they’ve extended the validation for the 1984-bit keys.
1408-bit Payment Keys Must be Removed by July 1, 2025
Merchants must remove the 1408-bit keys by July 1, 2025 to avoid processing failures.
Technically, these keys expired in December 2024. But it looks like the card networks provided a six-month grace period to give merchants, processors, and POS providers a little extra time to comply.
But the deadline is now rapidly approaching, and merchants that haven’t done so already need to act fast.
1984-bit Payment Keys Have Been Extended to December 31, 2034
Your new 1984-bit payment keys are valid for nearly a decade. So if you’ve already updated your terminals, then you won’t have to worry about this for a long time.
Visa and Mastercard initially set the 1984-bit expiration for December 2033, and Amex originally had a December 2031 expiration.
But now all of the card networks are aligned, with the 1984-bit keys expiring on December 31, 2034.
Affected Systems
These payment security updates apply to POS terminals in the US and throughout US territories. Affected systems include:
- Visa Smart Debit/Credit (VSDC) Certificate Authority Keys
- Mastercard Payment System Public Keys (including Maestro and Cirrus)
- American Express RSA Certification Authority Public Keys
- Discover D-Payment Application Specification (D-PAS) Certificate Authority Keys
- JCB Certification Authority (CA) Public Keys
- UnionPay Root Certificate Authority Public Keys
What Merchants Need to Do Right Now
Regardless of which cards you accept, all merchants need to take these steps prior to the July 1, 2025 deadline.
Step 1 – Contact Your POS Provider Immediately
The very first thing you need to do is contact your processor and/or POS provider to ensure your existing terminals have been updated with the correct security keys and expiration dates.
If your hardware is relatively new, there’s a good chance that you’re all set. But don’t make assumptions, and contact your provider to double-check.
Step 2 – Verify Terminal Compatibility
Next, make sure that all of your terminals that support offline data authentication or offline enciphered PIN data contain the updated keys with new expiration dates. It’s another relatively quick check that your POS provider can walk you through.
In some cases, older hardware may need to be replaced altogether.
Step 3 – Remove Expired Keys
This step is really important. In addition to updating your systems with the new keys, you must also make sure all 1408-bit keys are completely removed from all systems by July 1, 2025.
You cannot use keys past their expiration dates, and keeping them in your systems can result in payment failures.
Step 4 – Test Your Systems
After you’ve updated everything, you should run a few test transactions to ensure everything is working properly.
Test all of your terminals and payment methods ahead of the deadline.
Consequences of Ignoring This Update
Inaction isn’t really an option for anyone. If you do nothing and fail to remove the expired 1408-bit keys from your systems, you’ll end up with:
- Failed transactions across affected card networks
- Lost sales due to declined payments
- Frustrated customers
- Potential security vulnerabilities in your payment system
- Additional fees for excessive declines
You don’t want to be in this situation. So pick up the phone and contact your POS provider ASAP to avoid these problems.
Key Takeaways
In short, you need to take action before July 1, 2025—removing expired 1408-bit keys and replacing them with new 1984-bit keys.
The new expiration date for the 1984-bit keys is December 31, 2034, so you won’t have to worry about changing these for a while.
While you’re updating your payment systems, it’s a good time to evaluate your overall credit card processing costs. Contact our team here at Merchant Cost Consulting for a free audit. We’ll identify hidden fees, negotiate better rates with your processor, and help protect your account against future rate increases—all without having to switch providers.