SEPA Vision for Cards
SEPA Cards Standardisation Volume Version 7.0 Published in 2014 Ready for Market Implementation
On 7 January 2014, the European Payments Council (EPC) together with the Cards Stakeholders Group (CSG) published version 7.0 of the Single Euro Payments Area (SEPA) Cards Standardisation Volume (the SCS Volume), ready for market implementation. This document defines a standard set of requirements to enable an interoperable and scalable card and terminal infrastructure across SEPA, based on open international card standards. The SCS Volume does not establish specifications or standards as such, but rather sets (functional and security) standardisation requirements, which refer to existing international standards established by, for example, ISO (International Organization for Standardization), EMVCo (initially Europay MasterCard Visa) and PCI SCC (Payment Card Industry Security Standards Council).
Following the public consultation on its provisionary version 6.5 in June and July 2013, the CSG has processed more than 2,000 comments received from market participants. The six books of the SCS Volume version 7.0 cover a set of requirements applicable to card-present (face-to-face) transactions to allow investment decisions and implementation based on stable requirements. All stakeholders and interested parties active in the SEPA cards domain are encouraged to roll out services and products in line with the requirements set out in version 7.0 of the SCS Volume in a three-year period, i.e. by January 2017. This means: the SCS Volume requirements for card-present transactions are expected to be met for new cards and terminals being introduced in the market as from 2017.
The rationale for harmonised cards standardisation requirements in SEPA
The European Union authorities driving forward the SEPA programme identified the need to create harmonised cards standardisation requirements throughout all countries across SEPA early in the process of integrating the market for electronic euro payments. In response to these expectations retailers, vendors, processors, card schemes and the EPC jointly created the CSG in 2009. The CSG focuses on a cards standardisation programme that will create a better, safer, more cost efficient and functionally richer card services environment, whatever the card product or scheme may be. The CSG develops and maintains the SCS Volume. The version 7.0 of the SCS Volume is a major achievement reflecting a unique multi-stakeholder effort in the area of cards.
Implementation of common standardisation requirements detailed in the SCS Volume will promote interoperability and foster competition in the SEPA cards domain. For retailers, vendors and payment service providers, the version 7.0 requirements will bring benefits to the planning and stability of investments on terminals and on cards, usually made with a five to seven year perspective and even beyond. Cost savings and stability are relevant in the physical card environment to favour cheaper, easier and broader acceptance both at national and cross-border levels. Cardholders, i.e. consumers, will benefit from increased security, transparency and indirect cost reduction expected from standardisation. Improved interoperability will facilitate a consistent customer payment card experience across SEPA.
Documentation pertaining to the SCS Volume version 7.0
The SCS Volume version 7.0 consists of six separate books. The following documentation pertains to version 7.0 of the volume:
- Book 1 - ‘General’ highlights the relevance of harmonised standardisation requirements to achieve a SEPA for cards. It offers an introduction to the content and structure of the SCS Volume, addressing the information needs of both experts in the field and other parties interested in the subject. It reflects the document change history and the principles governing the maintenance process. Book 1 also includes the definitions of terms used in the volume.
- Book 2 - ‘Functional Requirements’ details requirements applicable to transactions initiated with a card, which result in the provision of the different services to the cardholder referred to in this book. Book 2 enables a card system specialist to identify the operational requirements in the domains that need to be addressed to facilitate harmonisation. To improve the interoperability of cards and terminals, the book also refers to and enhances EMV standards and shows how to use these in conformance with the various services requirements described.
- Book 3 - ‘Data Elements’ supports the new card message standards defined in ISO (International Organization for Standardization) (i.e. 20022). It allows card schemes, issuers and acquirers to easily identify enhancements and comparisons with earlier ISO 20022 releases. Book 3 serves as a major enabling factor to achieve technical interoperability in the area of processing based on the most advanced global message standards available.
- Book 3 Data Elements Spreadsheet sets out the data elements described in Book 3 of the SCS Volume version 7.0. This separate spreadsheet can assist in the design of related system architecture for implementation and promotes the harmonisation of existing protocols with both the SCS Volume and the ISO 20022 card message authorisation and clearing standards.
- Book 4 - ‘Security’ defines requirements in order to achieve a “single common set of SEPA card security requirements and technical specifications”. The Book 4 single security requirements refer to PCI (Payment Card Industry) international card security standards. This ‘toolbox’ enables system developers and security professionals to easily identify and implement a single harmonised set of security requirements in a consistent way. SEPA card single security requirements are key to maintaining trust in card payments and to making security a pro-competitive factor to the benefit of all stakeholders in the card industry.
- Book 5 - ‘Conformance Verification Processes’ defines the methods which allow to verify actual conformance with the SCS Volume requirements of a given card or terminal product or device.
- Based on those requirements, an implementation specification is developed, which allows a solution provider (e.g. a point of sale vendor) to develop products (e.g. a point of interaction terminal) against it. The conformance of a product towards an implementation specification is controlled by the certification process.
- The labelling process, which is optional, verifies that an implementation specification and its environment conform to the requirements of the SCS Volume.
- Type approval is defined as a final validation, performed by an approval body, before the product or solution may be deployed and used.
- Book 6 - ‘Implementation Guidelines’ defines a convergence path; i.e. a migration towards unique standard requirements and references.
These documents can be downloaded individually or together included in a zip file (see links below).
The concept of voluntary conformance with the SCS Volume
There is no legal obligation to implement the standardisation requirements detailed in the SCS Volume. Achieving conformance with the SCS Volume is a voluntary process. The CSG specifically opted for the concept of conformance rather than compliance considering that alignment in SEPA with the SCS Volume is a voluntary decision by players active in the cards domain, and is not an obligation. Voluntary conformance of players active in the SEPA cards domain with the standardisation requirements detailed in the SCS Volume is comparable to what was done in Europe to achieve migration to EMV. (EMV is an industry standard to implement chip and personal identification number (PIN) security for card transactions to combat fraud.) In 2004, the industry made the voluntary commitment to migrate cards, points of sale (POS, i.e. terminals), and automated teller machines (ATMs) to EMV for security reasons.
Conformance with the SCS Volume based on self-declaration
Conforming to the standardisation requirements detailed in the SCS Volume version 7.0 reflects the voluntary self-declaration of a player active in the cards domain. To illustrate this: if a terminal manufacturer decides that their products and services will conform to the SCS Volume, (e.g. for commercial reasons), it implies that the manufacturer will undertake a process of alignment with all the relevant requirements that correspond to its activity. In this case, the manufacturer must ensure that the terminal passes the functional testing and certification processes necessary, as well as type approval by the card schemes. If and when a terminal meets the SCS Volume requirements based on these criteria, it may be termed ‘Volume-conformant’.
Maintenance of the SCS Volume
The SCS Volume consists of a series of separate books. This structure will facilitate future issuing of updated versions of the SCS Volume with amendments only to individual books as required, such as including card-not-present (i.e. mail orders, telephone orders and e- and m-commerce) functional and security requirements. The SCS Volume structure also provides for the option to integrate further books addressing aspects other than those reflected in version 7.0. A full release of the SCS Volume, where all books are reviewed by the CSG expert teams and updated, occurs every three years. Each full release will undergo a three-month public consultation period. The publication of the next full release of the SCS Volume after version 7.0 is foreseen in 2017.
There may be the need to review certain aspects of a particular book in the interim due to reasons decided by the CSG or to align the SCS Volume with new regulatory requirements. These smaller individual changes to certain aspects of a book or books will be released as part of a yearly bulletin. Yearly changes, announced in the form of a bulletin, undergo a shorter, one-month, market consultation. The implementation timelines for any changes to the SCS Volume released as part of a yearly bulletin will be simultaneously communicated.
To reiterate: the card-present requirements published with version 7.0 of the SCS Volume in January 2014 are stable for implementation purposes and subject to a three-year maintenance cycle barring unforeseeable events that would require any changes such as, for example, regulatory developments impacting card-present requirements.
Inclusion of security requirements for remote payments with future update of the SCS Volume
The SCS Volume security requirements for remote payments were on a separate public consultation in July to August 2013. It is planned to include card-not-present functional and security requirements in an SCS Volume related books update in 2015. This is in line with feedback received during the public consultation indicating the need for further in-depth dialogue on the topic. This approach also ensures consistency with new rules expected to be defined by the European authorities in the course of 2014. The timeline to implement the security requirements for remote payments will be communicated when these will be published, taking into account relevant regulatory initiatives. Once the harmonisation exercise is also concluded on card-not-present requirements, it is expected to promote development and innovation for both e- and m-commerce and e- and m-payments.
EPC technical documents
- Book 1 - General - SEPA Cards Standardisation Volume Version 7.0
- Book 2 - Functional Requirements - SEPA Cards Standardisation Volume Version 7.0
- Book 3 - Data Elements - SEPA Cards Standardisation Volume Version 7.0
- Book 3 - Data Elements Spreadsheet - SEPA Cards Standardisation Volume Version 7.0
- Book 4 - Security - SEPA Cards Standardisation Volume Version 7.0
- Book 5 - Conformance Verification Processes - SEPA Cards Standardisation Volume Version 7.0
- Book 6 - Implementation Guidelines - SEPA Cards Standardisation Volume Version 7.0
- SEPA Cards Standardisation Volume Version 7.0 ZIP Format