The rationale for harmonised cards standardisation requirements in the Single Euro Payments Area
The European Union (EU) authorities driving forward the Single Euro Payments Area () programme identified early the need to create harmonised standardisation requirements for cards integrating the market for electronic euro payments. This was reinforced by the European Economic and Financial Affairs Council (ECOFIN) representing EU Member States, in December 2009, when it requested in its conclusions on that the industry should set the conditions for further cards standardisation (see 'related links' below). This request was repeatedly echoed by the European Central Bank (ECB). Already in 2006, the Eurosystem, which comprises the ECB and the national central banks of the EU Member States whose currency is the euro, defined its vision for a ‘ for Cards’ (see ‘related links’ below) as follows:
- Consumers can choose among a diversity of competing payment card schemes that do not have a pre-assigned priority in use at point-of-sale (POS) terminals.
- There is a competitive, reliable and cost-efficient card market, including service and infrastructure providers.
- All technical and contractual provisions, business practices and standards which had formerly resulted in the national segmentation of the euro area have been eliminated. In particular, there is no obstacle for merchants to accept any payment cards compliant with the Cards Framework1.
Standardisation of the card and terminal domains is critical given that (according to the latest ECB statistics2) cards within not only represent the most frequently used non-cash retail payment instruments, but also that card transaction volumes continue to grow at a rapid pace.
The objectives of a for cards will be achieved through the use of harmonised, interoperable and free standards, which are openly available to all parties within the card payment value chain. The work of the European Payments Council () and the Cards Stakeholders Group supports this vision.
What is the Cards Stakeholders Group (CSG)?
Created in 2009, the CSG is a multi-stakeholder body representing retailers, vendors, processors, card schemes and the . The CSG focuses on a cards standardisation programme that will create a better, safer, more cost efficient and functionally richer card services environment, whatever the card product or scheme may be.
The dialogue taking place in the CSG ensures the open and constructive co-management of the processes related to the identification of common standards requirements and implementation of best practices compliant with such requirements, which will promote interoperability and foster competition in the for cards. Specifically, the initiative aims at removing technical obstacles which prevent a consistent customer payment card experience across . The CSG encourages process efficiency throughout the card supply chain and, last but not least, adherence to the highest level of card payment security.
The CSG develops and maintains the Cards Standardisation Volume (the SCS Volume).
and CSG published the SCS Volume version 7.0 in January 2014, ready for market implementation
On 7 January 2014, the together with the CSG published version 7.0 of the SCS Volume, ready for market implementation. This document defines a standard set of requirements to ensure an interoperable and scalable card and terminal infrastructure across , based on open international card standards. The SCS Volume does not establish specifications or standards as such, but rather sets (functional and security) standardisation requirements, which refer to existing international standards established by, for example, ISO (International Organization for Standardization), EMVCo (initially Europay MasterCard Visa) and PCI SCC (Payment Card Industry Security Standards Council).
Following the public consultation on its provisionary version 6.5 in June and July 2013, the CSG has processed more than 2,000 comments received from market participants. The six books of the SCS Volume version 7.0 cover a set of requirements applicable to card-present (face-to-face) transactions to allow investment decisions and implementation based on stable requirements. All stakeholders and interested parties active in the cards domain are encouraged to roll out services and products in line with the requirements set out in version 7.0 of the SCS Volume in a three-year period, i.e. by January 2017. This means: the SCS Volume requirements for card-present transactions are expected to be met for new cards and terminals being introduced in the market as from 2017.
Version 7.0 of the SCS Volume is a major achievement reflecting a unique multi-stakeholder effort in the area of cards.
Structure of the SCS Volume version 7.0
The SCS Volume consists of a series of separate books. The following documentation pertains to version 7.0 of the volume:
- Book 1 - ‘General’ highlights the relevance of harmonised standardisation requirements to achieve a for cards. It offers an introduction to the content and structure of the SCS Volume, addressing the information needs of both experts in the field and other parties interested in the subject. It reflects the document change history and the principles governing the maintenance process. Book 1 also includes the definitions of terms used in the volume.
- Book 2 - ‘Functional Requirements’ details requirements applicable to transactions initiated with a card, which result in the provision of the different services to the cardholder referred to in this book. Book 2 enables a card system specialist to identify the operational requirements in the domains that need to be addressed to facilitate harmonisation. To improve the interoperability of cards and terminals, the book also refers to and enhances EMV standards and shows how to use these in conformance with the various services requirements described.
- Book 3 - ‘Data Elements’ supports the new card message standards defined in ISO (International Organization for Standardization) (i.e. 20022). It allows card schemes, issuers and acquirers to easily identify enhancements and comparisons with earlier ISO 20022 releases. Book 3 serves as a major enabling factor to achieve technical interoperability in the area of processing based on the most advanced global message standards available.
- Book 3 Data Elements Spreadsheet sets out the data elements described in Book 3 of the SCS Volume version 7.0. This separate spreadsheet can assist in the design of related system architecture for implementation and promotes the harmonisation of existing protocols with both the SCS Volume and the ISO 20022 card message authorisation and clearing standards.
- Book 4 - ‘Security’ defines requirements in order to achieve a “single common set of card security requirements and technical specifications”. The Book 4 single security requirements refer to PCI (Payment Card Industry) international card security standards. This ‘toolbox’ enables system developers and security professionals to easily identify and implement a single harmonised set of security requirements in a consistent way. card single security requirements are key to maintaining trust in card payments and to making security a pro-competitive factor to the benefit of all stakeholders in the card industry.
- Book 5 - ‘Conformance Verification Procedures’ defines the methods which allow to verify actual conformance with the SCS Volume requirements of a given card or terminal product or device.
- Based on those requirements, an implementation specification is developed, which allows a solution provider (e.g. a POS vendor) to develop products (e.g. a point of interaction terminal) against it. The conformance of a product towards an implementation specification is controlled by the certification process.
- The labelling process, which is optional, verifies that an implementation specification and its environment conform to the requirements of the SCS Volume.
- Type approval is defined as a final validation, performed by an approval body, before the product or solution may be deployed and used.
- Book 6 - ‘Implementation Guidelines’ defines a convergence path; i.e. a migration towards unique standard requirements and references.
These documents can be downloaded individually or together included in a zip file on the Website page dedicated to the SCS Volume version 7.0 (see ‘related links’ below).
The concept of voluntary conformance with the SCS Volume
There is no legal obligation to implement the standardisation requirements detailed in the SCS Volume. Achieving conformance with the SCS Volume is a voluntary process. The CSG specifically opted for the concept of conformance rather than compliance considering that alignment in with the SCS Volume is a voluntary decision by players active in the cards domain, and is not an obligation. Voluntary conformance of players active in the cards domain with the standard requirements detailed in the SCS Volume is comparable to what was done in Europe to achieve migration to EMV. (EMV is an industry standard to implement chip and personal identification number (PIN) security for card transactions to combat fraud.) In 2004, the industry made the voluntary commitment to migrate cards, POS (i.e. terminals), and automated teller machines (ATMs) to EMV for security reasons. Given that there is no legal obligation to implement the standardisation requirements detailed in the SCS Volume, it is primarily expected that the various stakeholders represented in the CSG who approved the SCS Volume v 7.0 will implement the provisions themselves. The requirements have been defined through the consensus of experts designated by these stakeholders.
Conformance with the SCS Volume based on self-declaration
Conforming to the standardisation requirements detailed in the SCS Volume version 7.0 reflects the voluntary self-declaration of a player active in the cards domain. To illustrate this: if a terminal manufacturer decides that their products and services will conform to the SCS Volume (e.g. for commercial reasons), it implies that the manufacturer will undertake a process of alignment with all the relevant requirements that correspond to its activity. In this case, the manufacturer must ensure that the terminal passes the functional and security testing and certification processes necessary, as well as type approval by the card schemes. If and when a terminal meets the SCS Volume requirements based on these criteria, it may be termed ‘Volume-conformant’.
Maintenance of the SCS Volume
The SCS Volume consists of a series of separate books. This structure will facilitate future issuing of updated versions of the SCS Volume with amendments only to individual books as required, such as including card-not-present (i.e. mail orders, telephone orders and e- and m-commerce) functional and security requirements. The SCS Volume structure also provides for the option to integrate further books addressing aspects other than those reflected in version 7.0. A full release of the SCS Volume, where all books are reviewed by the CSG expert teams and updated, occurs every three years. Each full release will undergo a three-month public consultation period. The publication of the next full release of the SCS Volume after version 7.0 is foreseen in 2017.
There may be the need to review certain aspects of a particular book in the interim due to reasons decided by the CSG or to align the SCS Volume with new regulatory requirements. These smaller individual changes to certain aspects of a book or books will be released as part of a yearly bulletin. Yearly changes, announced in the form of a bulletin, undergo a shorter, one-month, market consultation. The implementation timelines for any changes to the SCS Volume released as part of a yearly bulletin will be simultaneously communicated.
To reiterate: the card-present requirements published with version 7.0 of the SCS Volume in January 2014 are stable for implementation purposes and subject to a three-year maintenance cycle barring unforeseeable events that would require any changes such as, for example, regulatory developments impacting card present requirements.
Participation in the CSG Expert Teams in charge of the maintenance of the various books is open to any expert in the relevant field. CSG experts are not representing an organisation. They are chosen based on their own expertise and knowledge. A balance will however be sought within expert teams in order to avoid some sectors being over-represented.
Inclusion of security requirements for remote payments with future update of the SCS Volume
The SCS Volume security requirements for remote payments were on a separate public consultation in July to August 2013. It is planned to include card-not-present functional and security requirements in an SCS Volume related books update in 2015. This is in line with feedback received during the public consultation indicating the need for further in-depth dialogue on the topic. This approach also ensures consistency with new rules expected to be defined by the European authorities in the course of 2014. The timeline to implement the functional and security requirements for remote payments will be communicated when these will be published, taking into account relevant regulatory initiatives:
- In January 2013, the ECB published the final recommendations for the security of internet payments (see ‘related links' below). These recommendations were developed by the European Forum on the Security of Retail Payments (SecuRe Pay). The Forum was established in 2011 as a voluntary cooperative initiative between relevant authorities from the European Economic Area – supervisors of payment service providers and overseers in particular – formed with the objective of facilitating common knowledge and understanding of issues related to the security of electronic retail payment services and instruments and, where necessary, issuing recommendations. Implementation of the SecuRe Pay recommendations for the security of internet payments is due by February 2015, upon release of implementation rules by national supervisory and oversight authorities.
- In November 2013, the ECB launched a public consultation on recommendations for the security of mobile payments also developed by the SecuRe Pay Forum (see ‘related links’ below). These are expected to become final before end-2014.
- In July 2013, the European Commission published its ‘payments legislative package’ (see ‘related links’ below), i.e. the draft revised Payment Services Directive () and the proposal for a new Regulation on interchange fees for card-based payment transactions. It is a prerequisite that these legislative acts have been adopted by the EU legislator and officially published in order for the SCS Volume to be brought in line with relevant requirements. It is however at present not clear when the EU legislator, i.e. the European Parliament and the Council of the EU representing EU Member States, will formally adopt the and the new Regulation on card interchange fees.
Once the harmonisation exercise is also concluded on card-not-present requirements, it is expected to promote development and innovation for both e- and m-commerce and e- and m-payments.
The benefits of harmonised cards standardisation requirements in
The SCS Volume contains standardisation requirements which as much as possible combine the interests of the different card and terminal value chain stakeholders. Implementation of common standards requirements detailed in the SCS Volume will promote interoperability and foster competition in the cards domain. For retailers, vendors and payment service providers, the version 7.0 requirements will bring benefits to the planning and stability of investments on terminals and on cards, usually made with a five to seven year perspective and even beyond. Cost savings and stability are relevant in the physical card environment to favour cheaper, easier and broader acceptance both at national and cross-border levels. Cardholders, i.e. consumers, will benefit from increased security, transparency and indirect cost reduction expected from standardisation. Improved interoperability will facilitate a consistent customer payment card experience across .
Ugo Bechis is the Chair of the Cards Working Group and CSG Co-Chair.
Council of the European Union – Economic and Financial Affairs, ECOFIN. (The Council of the EU is the EU institution where the Member States’ government representatives sit, i.e. the ministers of each EU Member State with responsibility for a given policy area.) Council Conclusions on SEPA, December 2009
Related articles in previous issues:
1 The Cards Framework, developed by the , outlines high level principles and rules that when implemented by the card industry, will deliver a consistent user experience to both cardholders and merchants when making or accepting euro payments or cash withdrawals: http://www.europeanpaymentscouncil.eu/other_documents_detail.cfm?documents_id=330.
If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website conditions of use.