Card networks publish mandate calendars that dictate when terminals, payment applications, and operator processes must support specific features. The schedule is not optional — missed mandates can result in liability shift, fines, or transaction decline. Parking operators managing fleets of pay stations benefit from looking 18–36 months ahead because hardware refresh and re-certification cycles are long.
What follows is a synthesis of publicly announced mandates and expected directions as of publication. Operators should confirm specifics with their acquirer and consult primary sources from Visa, Mastercard, American Express, Discover, and EMVCo.
PCI DSS 4.0 Fully In Force
PCI DSS 4.0 became the sole effective version in 2024, and the future-dated requirements within 4.0 reach their effective date on 31 March 2025. Through 2026, acquirers and service providers will be enforcing these provisions in their attestation reviews:
- Targeted risk analyses for several control families.
- Enhanced multi-factor authentication requirements.
- Expanded authenticated vulnerability scanning.
- Formal scope documentation and segmentation validation.
Parking operators who attested against 4.0 in 2025 should expect tighter scrutiny of the 4.0-specific controls in 2026.
Contactless CVM Limit Changes
Contactless cardholder verification method (CVM) limits have been revised in multiple markets. Networks have adjusted the thresholds above which a contactless transaction requires PIN or device-based verification. For parking operators, the practical implication is that high-value pay-on-exit transactions at resort, airport long-term, and event venues may increasingly require CVM or step to a chip-and-PIN fallback.
Operators with pay stations that do not support PIN entry (some contactless-only designs) should confirm their CVM limit policy with their acquirer and verify that the terminal behavior at the limit is correct.
Tokenization and Account-Level Token Expansion
Visa, Mastercard, and American Express have all published strategic direction favoring tokenization over raw PAN storage. Several mandate items expected in the 2026-2028 window:
- Expansion of network tokenization coverage for card-on-file use cases.
- Expected end-of-life for certain legacy PAN-based credential-on-file patterns.
- Enhanced Visa Account Updater and Mastercard Automatic Billing Updater coverage becoming a near-default for recurring billing.
For parking operators with monthly parker programs, this generally reduces integration pain (fewer reissued-card failures) but may require updates to how card-on-file is initially captured.
Authentication: 3-D Secure Evolution
3-D Secure 2 has largely displaced 3DS 1 for card-not-present transactions. Expected direction through 2028:
- 3DS 2.2 and 2.3 feature adoption (decoupled authentication, trust framework integration).
- Expanded risk-based authentication data sharing.
- European-style strong customer authentication (SCA) principles influencing other markets.
For parking operators with online reservation or pre-pay products, 3DS 2 is a practical requirement for CNP fraud liability shift.
EMV Kernel Updates
EMVCo publishes kernel specifications that card schemes adopt as mandates. Through 2028, expect:
- Continued deprecation of magnetic stripe fallback in additional markets.
- Kernel updates addressing quantum-resilient cryptography planning.
- Enhanced contactless transaction data elements for fraud analytics.
Kernel updates typically flow through acquirer certification cycles. Operators with large deployed fleets should ask their terminal vendor about kernel update support cadence for in-service devices.
Surcharging and Regulatory Overlay
Not strictly a scheme mandate, but the regulatory environment around surcharging and cash-discount programs continues to evolve. Multiple U.S. states have amended rules. Visa and Mastercard publish surcharging rules that layer on top of state law. Operators contemplating or running surcharging programs should re-confirm compliance annually.
ISO 20022 and Payment Messaging
The broader payments industry is migrating to ISO 20022 message formats. Federal Reserve research and NACHA both publish guidance. Card rails are less directly affected than ACH and wire, but operators with blended payment environments should be aware.
Operational Implications for Fleet Planning
- Terminal hardware life. Plan for a 5–7 year terminal lifecycle with mid-cycle kernel updates. Units procured in 2020 are approaching replacement.
- Certification maintenance. Budget for acquirer re-certification events tied to kernel updates and scheme mandate cycles.
- PCI DSS 4.0 investment. If 4.0 controls were treated as minimums, expect tightening during 2026 audits.
- Tokenization roadmap. If not already tokenized, 2026 is the year to plan the migration rather than the year to start implementing.
- Contactless parity. Any terminal in deployment without full contactless support will increasingly be an outlier.
FAQ
Where should operators track official mandate calendars?
Acquirers publish mandate bulletins to merchants, and the card network websites (Visa, Mastercard, American Express, Discover) maintain public rulebooks and release notes. EMVCo publishes specification updates directly.
What happens when an operator misses a mandate deadline?
Consequences range from liability shift (the operator becomes responsible for certain fraud losses that would otherwise have been the issuer’s) to processor fees to, in extreme cases, transaction decline. Most mandates have graduated enforcement — soft shifts followed by hard cutoffs.
Are there region-specific mandates parking operators should track?
Yes. Europe, Canada, Australia, and several Asian markets each have national or regional mandate schedules that differ from the U.S. Operators with multi-country portfolios should track each region separately.
How far ahead should fleet procurement decisions incorporate mandate planning?
Given certification cycles of 3–6 months and hardware lead times of 3–12 months, an 18-month planning horizon is a reasonable minimum. Larger portfolio operators plan 24–36 months out.
