PCI Standards and the EU Cyber Resilience Act (CRA): Why Payment Security Is Entering a New Era

Release date: 6.10.2026

Note: This is the first article in a series dedicated to the Cyber Resilience Act (CRA) and its impact on product cybersecurity. While this article focuses on the relationship between existing payment security standards and the CRA, future editions will explore specific requirements such as vulnerability management, SBOM validation, software supply chain security, coordinated vulnerability disclosure, continuous monitoring, and the operational capabilities organizations need to maintain security throughout a product's lifecycle. As the CRA implementation deadlines approach, understanding these topics will become increasingly important for manufacturers, PSPs, and technology providers alike.

For decades, PCI SSC standards have formed the foundation of payment security all over the world. Whether you are a payment service provider (PSP), payment device manufacturer, ATM vendor, or SoftPOS provider, standards such as PCI DSS, PCI PTS, and PCI MPoC have helped establish a common framework for protecting payment transactions, cardholder data, and the whole payment infrastructure.

These standards remain critically important and will continue to play a central role in the payment ecosystem.

However, a significant shift is underway.

The EU Cyber Resilience Act (CRA) marks a fundamental change in how European regulators approach digital product security. While the CRA is not a PCI standard and does not replace PCI compliance, it creates parallel regulatory pressure that reinforces the same security direction PCI has been encouraging for several years. Understanding this relationship is critical for payment terminal vendors operating in or exporting to the EU market.

In our view, the organizations that will be most successful over the next decade are those that understand how the two frameworks complement each other and use both to achieve real security.

PCI and CRA: Different Objectives, Shared Goals

PCI standards were created to answer a specific question: Can this payment solution securely process payment transactions?

  • PCI DSS focuses on protecting cardholder data and payment environments.
  • PCI PTS focuses on the security of payment devices such as POS terminals and ATMs.
  • PCI MPoC focuses on software-based payment acceptance running on commercial mobile devices.

Together, these standards have significantly improved the security of the global payment ecosystem.

The CRA approaches cybersecurity from a different perspective.

It focuses on product security rather than on payment transactions alone: Can this digital product remain secure throughout its entire lifecycle?

The CRA applies to products with digital elements sold within the European Union and introduces requirements around:

  • Secure-by-design development
  • Vulnerability management
  • Security updates
  • Coordinated vulnerability disclosure
  • Supply chain security
  • Software (SBOM) transparency
  • Lifecycle security management

In many ways, PCI and CRA are addressing different parts of the same challenge.

PCI protects the payment ecosystem.

CRA protects the digital products that operate within that ecosystem.

The Important Dates Payment Vendors Should Know

Many organizations are focused on the CRA's full application date of 11 December 2027.

While this is an important milestone, it is not the first deadline manufacturers need to prepare for.

On 11 June 2026, the CRA provisions governing the notification of conformity assessment bodies become applicable. While this is not a direct compliance deadline for manufacturers, it marks the point at which the formal conformity assessment infrastructure begins to take shape across the EU. For manufacturers of payment devices, SoftPOS solutions, and other products with digital elements, this is the signal that CRA implementation is moving from regulatory planning to practical execution.

Organizations that may require third-party conformity assessments should begin evaluating their product classification, technical documentation, security processes, and assessment strategy early to avoid potential bottlenecks as notified bodies become operational.

11 September 2026: Vulnerability Reporting Obligations Begin

Starting on 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe security incidents affecting products with digital elements. The regulation introduces strict reporting timelines, including initial notification requirements within 24 hours of becoming aware of an actively exploited vulnerability.

For many organizations, this deadline may prove more challenging than the final compliance date.

Why?

Because effective vulnerability reporting requires visibility.

Manufacturers cannot report on vulnerabilities they cannot identify, assess, or track.

11 December, 2027: Full CRA Applicability

From 11 December 2027, the CRA becomes fully applicable across products with digital elements sold into the EU market. Manufacturers will need to demonstrate compliance with cybersecurity requirements covering product design, development, vulnerability management, maintenance, and support processes.

For payment technology providers, this means cybersecurity becomes a product requirement rather than solely a compliance requirement.

Why PCI Compliance Alone May No Longer Be Enough

Organizations that have already invested heavily in PCI programs are likely to be better positioned for CRA compliance than organizations starting from scratch now.

The challenge is that modern payment devices have evolved significantly.

Today's payment ecosystem includes:

  • Android-based payment terminals
  • SoftPOS applications
  • Mobile payment acceptance platforms
  • Cloud-native payment services
  • Connected ATMs
  • Embedded operating systems
  • Third-party software components
  • Open-source dependencies

For vendors of payment terminals, PIN pads, ATMs, and POS devices, the CRA-PCI relationship creates a dual compliance landscape. CRA compliance becomes mandatory for EU market access, with potential penalties for non-compliance. PCI PTS, PCI DSS, and related standards remain essential for acceptance in the payment ecosystem. Both frameworks push for the same security posture, so investment in secure-by-design practices pays off on both compliance paths.

Continuous vulnerability management and secure update mechanisms satisfy requirements under both the CRA and PCI.

This alignment creates a stronger business case for continuous security investment. Rather than viewing CRA as an external burden, vendors can treat it as regulatory reinforcement of the direction PCI has already been encouraging.

The cybersecurity challenge is no longer limited to protecting transactions. It is increasingly about understanding the security posture of the entire product.

The Rise of Continuous Product Security

Historically, many organizations approached security through periodic assessments:

Design → Certification → Deployment

The CRA accelerates a different model:

Design → Certification → Deployment → Continuous Monitoring → Vulnerability Response → Secure Updates

This shift has significant implications for PSPs and payment device manufacturers.

Organizations will need to answer questions such as:

  • Do we know every software component running inside our products?
  • Can we quickly determine whether a newly disclosed vulnerability affects our deployed devices?
  • Do we have an accurate and maintainable SBOM?
  • Can we assess exploitability rather than simply vulnerability presence?
  • Can we deliver security updates efficiently?
  • Can we meet regulatory reporting timelines?

Building these capabilities often requires a combination of specialized expertise, technology, and continuous visibility into both products and the evolving threat landscape. Organizations can benefit from working with partners that understand both payment security requirements and modern product cybersecurity challenges.

From pre-certification and pre-compliance penetration testing of payment devices to regular security assessments, continuous vulnerability monitoring, threat intelligence, software composition analysis (SCA), and SBOM validation, these activities help organizations move beyond point-in-time compliance and toward a sustainable, long-term security strategy.

Ultimately, the goal is not simply to achieve compliance, but to understand whether newly discovered vulnerabilities can affect a specific product, how they can be exploited, and what actions are required to reduce risk throughout the product lifecycle.

The Organizations That Move First Will Have an Advantage

The payment industry has historically been driven by compliance.

PCI compliance remains essential and will continue to be a prerequisite for market participation.

However, the organizations that view CRA solely as another compliance obligation may miss a larger opportunity.

The companies that begin building mature product security programs today will gain advantages far beyond regulatory readiness.

They will have:

  • Better visibility into their products
  • Faster vulnerability response times
  • Improved supply chain transparency
  • Greater customer trust
  • Reduced operational risk
  • Stronger competitive differentiation

Most importantly, they will be able to demonstrate not only that their products were secure at the time of certification, but that they remain secure throughout their lifecycle.

From Compliance to Resilience

PCI standards have played a critical role in raising the security baseline across the payment industry.

The CRA does not replace PCI. Instead, it expands the conversation.

The future of payment security is not about choosing between compliance and security. It is about ensuring both.

PCI provides the foundation for securing payment transactions.

The CRA pushes organizations toward continuous product security and long-term cyber resilience.

For payment device manufacturers, PSPs, and payment software providers, the message is clear:

The next generation of market leaders will not only achieve compliance. They will build sustainable security programs capable of protecting their products, customers, and businesses long after certification has been completed.

Article tags: cra, pci dss, pci pts, payment security, transaction data security
