[UPDATE] Certificate Authority Public (CAP) Key Requirement
The Program: The EMV standard uses public key technology to perform certain functions related to offline authentication, some aspects of online transactions, and offline PIN encryption. Each of the card brands publishes sets of these keys for use with its EMV applications. Public keys are distributed to acquirers, merchants, and solution providers to load into their terminals.

On an annual basis, EMVCo reviews the keys and makes recommendations on the expected life span (on a rolling 10-year projection window) of the different key lengths. Once EMVCo determines that a key length is approaching the point where it may become vulnerable, it sets the key's expiration date.

The Change: Outlined below are the active (production) CAP key lengths and their projected expiration dates:
• 1408-bit keys have an expiry date of 12/31/2024
• Visa 1984-bit keys expiration date updated to 12/31/2033
• Mastercard 1984-bit keys expiration date updated to 12/31/2033
• Amex 1984-bit keys expiration date updated to 12/31/2033
• Discover 1984-bit keys expiration date updated to 12/31/2030

Note: Because expiration dates can change, they should not be stored on terminals.

The Impact/Action Required: When a key expires, it must be removed from the terminal within six months. At this time there should only be two keys (1408-bit and 1984-bit) loaded in devices; any older/expired keys must be removed. Failure to remove expired keys may result in non-compliance assessments to merchants.

Assessments are slated to begin at $25.00 per merchant location identified as non-compliant (based upon January 2024 Mastercard data) and may continue to increase each month thereafter.

To avoid fees, merchants or their POS providers/ISV partners must ensure that all expired keys are removed from devices and that the proper current keys are loaded.