On the cards
Standardisation is Key
Focus on security requirements and a European certification framework
19.07.10 BY Claude Brun
In the SEPA for Cards, European cardholders and merchants will be able to make and receive payments with general purpose cards in 32 SEPA countries with the same ease and convenience as in their home country. The EPC is carrying out a cards standardisation programme designed to remove technical obstacles preventing such a consistent customer experience. In 2009, the EPC organised the creation of the Cards Stakeholders Group (CSG) together with representatives of the five sectors also active in the cards domain including retailers, vendors (manufacturers of cards, payment devices and related IT systems), processors, card schemes, banks and payment institutions. The CSG is mandated to progress the SEPA Cards Standardisation Volume - Book of Requirements. Claude Brun delivers a progress report on two key domains covered in the SEPA Cards Standardisation Volume - Book of Requirements: (1) the high level functional requirements for a single set of security requirements and (2) the framework which describes the evaluation methodology and the certification architecture aimed at achieving interoperability of cards and terminals within SEPA.
Single set of SEPA security requirements
In June 2010, the EPC Plenary approved the single set of SEPA terminal security requirements agreed by the banking industry in close dialogue with other sectors represented in the Cards Stakeholders Group. These requirements are based on the PCI SSC requirements developed by the Payment Cards Industry Security Standards Council [1] and will be integrated in an updated version of the SEPA Cards Standardisation Volume - Book of Requirements expected to be published by end 2010. The security requirements will regularly be reviewed by the banking industry together with other stakeholders active in the cards and terminals value chain including the CAS initiative (Common Approval Scheme). Further work is in progress aimed at developing a single set of security requirements for cards.
Cards and terminals SEPA certification framework
The design of the architecture (certification framework) allowing for the trusted and common security and functional evaluation and certification of cards and terminals at SEPA level is essential to cater to the needs of the more than 500 million cardholders and millions of merchants. The SEPA cards and terminal certification framework will ensure that any card or terminal certified by an accredited body can be deployed and used anywhere throughout SEPA. Currently, cards and terminals need to be certified for each market and card scheme subject to different criteria and procedures. To date, the certification of cards and terminals takes place based on requirements defined at a national level. Moving forward, the goal is to establish a European certification framework enabling the manufacturers of cards and terminals to obtain a single certification that is recognised in all 32 SEPA countries. Thus, by having a standard SEPA certification process, vendors can take advantage of greater economies of scale.
To this end, the EPC Plenary decided to create a "European Certification Body" whose governance structure should include banks and card schemes. The retail sector should participate as full members in the area of functional aspects which encompass, for example, functional requirements on ATM Cash withdrawals, unattended terminals without PIN, and card not present transactions. In addition, the retail sector should act as an observer with regard to the certification of security requirements. Regulators should be represented as observers in the "European Certification Body" as well. The EPC is prepared to support the market in setting up this certification management body.
The EPC will create a proposal to frame the cooperation process regarding the maintenance of cards and terminals security requirements and the further steps required to set up the "European Certification Body".
Claude Brun is the Vice Chair of the European Payments Council and served as the Chair of the EPC Cards Working Group until June 2010. In line with a recent change of the EPC Charter which stipulates that EPC Office Holders such as the Chair and Vice Chair of the organisation and Chairs of the EPC Working and Support Groups should not hold more than one office, Claude Brun is succeeded as Chair of the EPC Cards Working Group by Ugo Bechis.
[1] For more information on PCI SSC visit https://www.pcisecuritystandards.org/about/index.shtml