Single set of security requirements
In June 2010, the Plenary approved the single set of SEPA terminal security requirements agreed by the banking industry in close dialogue with other sectors represented in the Cards Stakeholders Group. These requirements are based on the PCI SSC requirements developed by the Payment Cards Industry Security Standards Council [1] and will be integrated in an updated version of the SEPA Cards Standardisation Volume - Book of Requirements, expected to be published by the end of 2010. The security requirements will be reviewed regularly by the banking industry together with other stakeholders active in the cards and terminals value chain, including the CAS initiative (Common Approval Scheme). Further work is in progress aimed at developing a single set of security requirements for cards.
Cards and terminals SEPA certification framework
The design of the architecture (certification framework) allowing for the trusted and common security and functional evaluation and certification of cards and terminals at SEPA level is essential to cater to the needs of the more than 500 million cardholders and millions of merchants. The SEPA cards and terminal certification framework will ensure that any card or terminal certified by an accredited body can be deployed and used anywhere throughout SEPA. Currently, cards and terminals need to be certified for each market and card scheme, subject to different criteria and procedures. To date, the certification of cards and terminals takes place based on requirements defined at a national level. Moving forward, the goal is to establish a European certification framework enabling the manufacturers of cards and terminals to obtain a single certification that is recognised in all 32 SEPA countries. Thus, by having a standard SEPA certification process, vendors can take advantage of greater economies of scale.
To this end, the EPC Plenary decided to create a "European Certification Body" whose governance structure should include banks and card schemes. The retail sector should participate as full members in the area of functional aspects which encompass, for example, functional requirements on ATM Cash withdrawals, unattended terminals without PIN, and card not present transactions. In addition, the retail sector should act as an observer with regard to the certification of security requirements. Regulators should be represented as observers in the "European Certification Body" as well. The EPC is prepared to support the market in setting up this certification management body.
The EPC will create a proposal to frame the cooperation process regarding the maintenance of cards and terminals security requirements and the further steps required to set up the "European Certification Body".
Claude Brun is the Vice Chair of the European Payments Council and served as the Chair of the EPC Cards Working Group until June 2010. In line with a recent change of the EPC Charter which stipulates that EPC Office Holders such as the Chair and Vice Chair of the organisation and Chairs of the EPC Working and Support Groups should not hold more than one office, Claude Brun is succeeded as Chair of the EPC Cards Working Group by Ugo Bechis.
[1] For more information on PCI SSC visit https://www.pcisecuritystandards.org/about/index.shtml