4 PAYMENT CARD SECURITY IN THE CONTEXT OF EUROPEAN HARMONISATION
The Observatory for Payment Cards Security took note of the development in 2005 of two proposals for harmonising card payments in Europe.

In September 2005, the European Payments Council (EPC), a body of the European banking industry developing rules for the interoperability of payment instruments aiming at the creation of a Single Euro Payments Area (SEPA), adopted the SEPA Cards Framework (SCF), a framework for the interoperability of general-purpose payment cards scheduled to become operational in January 2008 and fully-fledged by January

In December 2005, the European Commission sent the European Council and the European Parliament its proposal for a Directive on Payment Services in the Internal Market. The draft Directive is intended to harmonise the legal framework for non-cash payments in Europe, whatever the means of payment and the currency used.

As these two projects will have a significant impact on the rules for issuing and using French payment cards, the Observatory examined them from a security point of view.

Regarding the SCF, the Observatory welcomes the choice of EMV chip cards as the supporting technology for card payments in Europe. The Observatory nevertheless encourages all of the stakeholders to define specific, harmonised implementation procedures, so that the expected benefits in terms of security can be realised without adverse effects on competition.

As for the Directive on payment services, the Observatory welcomes the adoption of a common European legal framework, but feels that the prudential requirements associated with the new statute of payment institutions (which will be authorised to issue and manage means of payment) are not sufficient to ensure financial and legal security for means of payment.
4 1 The SEPA Cards Framework (SCF)

The SEPA Cards Framework (SCF) is one of three SEPA initiatives directed by the EPC, the other two being SEPA direct debit (SDD), the creation of a single European payment scheme for direct debit; and SEPA credit transfer (SCT), the creation of a single European payment scheme for credit transfers.

The objective of the SCF is to put in place, beginning in 2008 and with full implementation in 2010, a single area for card payments in Europe. This initiative is aimed at general purpose cards: four-party cards accepted by a large European network of merchants. 14 It will thus be possible to use an SCF-compliant card throughout the SEPA area under the same conditions as in the current national areas. (For example, in France, cards complying with the SCF will benefit from the principle of interbanking, which has been observed in France since the 1980s.)

Observatory for Payment Card Security 2005 Report 39

At this stage, three options for achieving that objective are being considered:
- Exclusive reliance on the international card systems (Visa and Mastercard);
- Co-branding between domestic card systems and the international systems (as is currently the case for CB cards);
- The creation of a pan-European card network, constructed from one or more national or international card systems.

Implementation of the SCF presupposes harmonisation in the standards and principles governing the functioning of payment cards. The Observatory hopes that this harmonisation will provide an opportunity to reinforce the security of card payments in Europe. The Observatory welcomes the contribution to security made by the framework proposed by the EPC, but considers that more progress still needs to be made in defining common security objectives in the SEPA area, and feels that it should be stated clearly that security cannot be allowed to be a factor in competition.

Real progress in terms of security

The Observatory considers that implementation of the SCF can have a positive impact on the security of payment cards and can reduce the risk of fraud, especially for cross-border transactions. The SCF's principal contribution to security is the adoption of the EMV chip card (see box 11).
The SCF expects that all countries in the SEPA area will have adopted this type of card by

The Observatory welcomes this objective, which aims at generalising the use of the Chip and PIN model for payment cards, in which cardholders must identify themselves in each withdrawal or payment transaction by entering their Personal Identification Number (PIN). The chip payment card (used by the French CB four-party card system since 1992) will thus replace the magnetic stripe payment card in all countries of the SEPA area. The Observatory welcomes the prospect that the magnetic technology, which is more fragile in terms of security, would be used less, or even disappear completely, at least from the SEPA area.

14 I.e. for payments in Euro, the European Union and the European Free Trade Association (EFTA): Switzerland, Norway, Liechtenstein, and Iceland.

The Observatory salutes the willingness shown by European banks to strengthen their cooperation in preventing and combating fraud by studying the opportunity and feasibility of a pan-European database of all incidents of card payment fraud within the SEPA
area. 15 Such a database could aid in the fight against fraud and thereby strengthen public confidence in this payment instrument within the SEPA area.

Box 11: The EMV chip card

EMV is a standard established in the 1990s by three international card systems (Europay, Mastercard, and Visa) to define the interactions between chip cards and payment terminals. The standard is currently managed by the EMVCo consortium, which consists of MasterCard, VISA, and the Japanese JCB system.

EMV defines the interaction between the payment card and the terminal at the level of physical and electronic characteristics and of format of data elements to be exchanged. Several different implementations of the EMV standards are possible, and it is therefore possible that national banking industries have chosen different versions, depending on their timetable for migrating to EMV and their specific needs. Most of the EMV implementations identify the cardholder by the entry of a personal code (the Chip and PIN model), although this is not strictly required.

Promoting strong security within the SEPA area

While the adoption of EMV will improve security in the interaction between payment cards and terminals, the Observatory considers that strengthening the security of card payments also requires:
- Adopting technical security standards for all types of interaction between the parties to a card transaction: cardholder to terminal, merchant to acquirer, and acquirer to issuer; and
- Improving the conditions for security certification of cards and terminals.

Defining technical security standards for all types of interaction between the parties to a card transaction

At present, technical security standards differ considerably from one card payment system to the next. This is a source of inefficiency and vulnerability to fraud whenever transactions pass through several systems (for example, in cross-border transactions).
Work on standardisation has been undertaken, particularly in the area of exchanges between cards and terminals (see discussion of EMV, above). However, this work remains incomplete: common standards still need to be defined for the authorisation, acquiring, clearing, and settlement of transactions. The Observatory encourages the standard-setting bodies concerned to complete work on the missing security standards as quickly as possible, and calls upon the EPC to incorporate these standards in the SCF.

15 Indeed, the draft Directive on payment services allows, notwithstanding the Directive on data protection, the processing of personal data by payment systems and payment services providers, for the sole purpose of preventing and combating fraud.
Security certification

The SCF calls for harmonisation in the methodologies for security certification (of cards, terminals, etc.), but does not provide any details on how this is to be achieved. There is therefore a risk of 'harmonisation to the lowest common denominator'. This could result in marked disparities between national card systems, and could even confer a competitive advantage to those countries that choose to install less secure and therefore less costly equipment. Cardholders could be exposed to a greater risk of fraud in countries that have equipment which is more easily converted to fraudulent use, even though the cards conform to the common EMV standard.

This possibility is a source of concern to the Observatory, which notes that the current French CB four-party card system is based on stringent certification methods. Cards, terminals, and other elements of the card system are initially subjected to a functional certification by the manager of the system. This functional certification specifies the level of security of the components which the manager wishes to use for its cards. It is supported by an external evaluation and certification to verify that this level has been achieved.

In France, the evaluation and certification process for cards is an element of a national scheme administered by the Central Directorate for Information System Security (Direction centrale de la sécurité des systèmes d'information, DCSSI), which reports to the General Secretary for National Defence. These evaluations are governed by a set of international security standards, known as the Common Criteria (see box 12), which have been adopted by the principal industrialised countries (France, the United States, Germany, the United Kingdom and Japan, among others).
There are two international agreements for recognising certificates issued as a result of an evaluation conducted according to the Common Criteria:
- The Common Criteria Recognition Arrangement (CCRA), an agreement which is open to all countries worldwide, but which introduces limits on recognition (in other words, this agreement is limited to evaluations conducted for an average level of security requirements, and provides only an elementary defence against attacks). Ten countries are currently recognised under this agreement as being able to evaluate and certify products (but others are willing to be recognised).
- The Senior Officials Group for Information Security (SOG-IS) agreement, a European agreement to which 11 countries of the European Union and EFTA are currently signatories. 16

16 Germany, France, the United Kingdom, Spain, Finland, Italy, Greece, Norway, the Netherlands, Portugal, and Sweden.

The SOG-IS agreement does not introduce any limits on the mutual recognition of evaluations conducted in different countries. It therefore applies to evaluations conducted on the basis of stringent security requirements, like those currently in force in France for CB payment cards. Three countries are currently recognised under this agreement as being able to evaluate and certify products: France, Germany, and the United Kingdom. In practice, only Germany and France
evaluate and certify cards for a high level of protection against attacks. This situation could change in the medium term: other countries (for example the Netherlands, Spain, and Norway) could ask for recognition of their certificates under this agreement.

Box 12: The Common Criteria

The international standard known as the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) is the result of the unification of three older standards: a European standard developed in the beginning of the 1990s (ITSEC), an older American standard (TCSEC), and a Canadian standard (CTCPEC).

In contrast with other information security standards, the Common Criteria do not define a set of rules with which information processing products must comply. Instead, they establish a framework in which users can formulate their security requirements and providers can demonstrate that their products satisfy those requirements. In other words, the Common Criteria make it possible to ensure that the processes for specifying security requirements, for developing products, and for evaluating their security, are carried out in the most rigorous manner possible.

The Common Criteria methodology is based on three main concepts:
- the Protection Profile (PP), a document which expresses the security requirements of a community of users;
- the Security Target (ST), a document (typically drawn up by the provider of the product) which describes the product's security characteristics and lists the protection profiles which the product purports to satisfy;
- the Evaluation Assurance Level (EAL), which documents all of the measures that have been taken to comply with security functionalities.

The assurance levels define the level of security requirement, and range from level EAL-1 (the least stringent) to level EAL-7 (the most stringent and also the most costly).
These assurance levels consist of requirements in seven different classes of assurance: configuration management (ACM), delivery and operation (ADO), development (ADV), guidance documents (AGD), life cycle support (ALC), tests (ATE), and vulnerability assessment (AVA).

Micro-processors used in co-branded Visa or Mastercard CB cards are also subjected to a security evaluation by the laboratories of each of these international networks. In European countries which do not have a national scheme, this evaluation by Visa and Mastercard is the only evaluation that takes place for international payment cards. Mastercard recognises the evaluations conducted within the framework of the French national scheme, under the authority of the DCSSI, so that French co-branded Mastercard cards do not need to undergo a specific evaluation by Mastercard.

The Observatory considers it essential that the security for cards, terminals, and other elements of card systems should be maintained at a very high level for SCF-compliant cards. To that end:
- The managers of card systems should submit their cards, terminals, and other elements of their systems to stringent common security requirements. The Observatory takes note of the initiative developed by several European card systems, known as the Common Approval Scheme (CAS), to develop such security
requirements for cards, payment terminals, and eventually for other elements of card payment systems. This useful initiative needs only to be adopted by the EPC in order to become a standard operating procedure applicable to all SCF-compliant card systems.
- Evaluations and certificates should be standardised. There are several ways of achieving this:
  - For cards, assuming that the level of security is equivalent to the current level in France, uniformity could be guaranteed by enlarging the SOG-IS agreement, which has already been adopted by almost half of all EU Member States. However, this assumes that these countries would be willing to accept that their payment cards should be evaluated by the French, German, or United Kingdom national schemes, which for the time being are the only national schemes recognised for purposes of evaluation and certification under the agreement.
  - For terminals, the level of security targeted will probably be much weaker than the level targeted for cards (the need for security is not the same). If the Common Criteria are used to evaluate this equipment, all of the countries that are signatories to either the CCRA or the SOG-IS agreement and that have a national certification scheme could evaluate and certify terminals.
  - Community legislation could establish equivalency criteria (including transparency requirements) between the public and private evaluation processes used by card systems in each country. It would be important that all of the laboratories that conduct security evaluations within the SEPA area should possess similar levels of expertise. The Observatory notes that the European Commission proposed a provision along these lines in version four of its draft Directive. This provision was subsequently dropped, but could be supported.
  - Mutual recognition in Europe could be instituted by establishing an ad hoc structure administered by the European banks (self-regulation).
4 2 The Legal Framework for Payment Services in Europe

The Observatory is pleased with the efforts of the European Commission to establish a harmonised legal framework for payments in Europe that could ease the establishment of SEPA. The draft Directive confirms the principle that the user's responsibility for losses that occur before he has reported the loss or theft of his card is limited to 150 euros, and that the user has no pecuniary responsibility for losses that occur as the result of unauthorised payments. These principles are already embodied in French law.

However, the Observatory considers that three points in the draft Directive require particular attention:
- The creation of a third category of payment service provider known as payment institutions;
- The methods for applying the Directive to payment cards;
- The definition of the principle of irrevocability.
The creation of a specific licence for payment institutions

The creation of a specific licence for payment institutions responds to a legitimate competitive concern, and from that point of view appears desirable. However, the content of the licence is very vague, and the absence of substantial prudential requirements means that the security of funds entrusted by users to payment institutions is not guaranteed. In addition, the ability of payment institutions to obtain direct access to card payment systems (card issuance, acquiring of transactions, connection to electronic card networks, clearing and settlement, etc.), or even to manage them directly, could constitute a risk factor if those institutions do not have sufficient financial guarantees and if they are not adequately supervised.

The Observatory also notes that the draft Directive liberalises functions that are currently reserved in France to credit institutions, such as the acquiring of card payment transactions. This could considerably alter the position of actors in the payment chain, by placing acquiring business within the scope of activity of service providers who are not subject to the prudential safeguards that apply to credit institutions.

Application of the Directive to payment cards

The Observatory feels that the application of certain provisions of the draft Directive to payment cards needs to be clarified. In particular, the current text is vague on the question of whether the threshold of 50 euros for micro-payments (related to information requirements and execution times) applies only to contracts under which no individual transaction can exceed 50 euros (art. 38-1) or, by extension, to any payment below 50 euros (art. 59). Since the median value of card transactions (approximately 46 euros) lies below that threshold, a policy of applying the threshold to each individual transaction would treat almost half of all payments and withdrawals as 'exceptions'.
Other definitions also need to be clarified, such as the definition of the date of payment acceptance, which determines the moment at which payment becomes irrevocable and fixes the starting point for execution times for card transactions, set in the draft Directive at D+1 in

The definition of irrevocability

The Observatory notes that the definition of irrevocability in the draft Directive is ambiguous. This lack of precision (for example, concerning the date of payment acceptance and the methods for administering the right to reimbursement for remote sales) could challenge legal and contractual arrangements in force in most countries. In France, for example, payment is considered final and irrevocable from the moment the cardholder enters his confidential code.

The Observatory would like these points to be clarified, in order to ensure the legal security of card payment transactions and to guarantee the smooth functioning of card systems.
4 3 Recommendations

The Observatory considers that the development of a European framework for card payments raises major security issues, and urges French card issuers to maintain a high level of security for payment cards that will be used in the SEPA area.

Since this objective is based on Community standards relating to security, the Observatory invites the EPC to incorporate into the SCF the security standards that are currently missing in the areas of authorisation, acquiring, clearing, and settlement of card transactions, and to consider adopting the Common Approval Scheme, which could become a standard operating procedure applicable to all SCF-compliant card systems.

Since this initiative is likely to receive the support of European authorities, the Observatory thinks that the European Commission, as well as the Council and the European Parliament, should consider the possibility of laying out in legislation the criteria for determining the equivalence between the public and private evaluation processes used by card systems in each country.

Finally, the Observatory stresses the importance of the operational and financial risks posed by the new class of payment institutions, which could soon be authorised to provide payment services under the terms of the draft Directive that is currently being examined by the Council and the European Parliament. The Observatory therefore recommends strengthening both the prudential requirements that apply to these institutions and the methods for supervising them.
More informationCERTIFIED. SECURE SOFTWARE DEVELOPMENT with COMMON CRITERIA
CERTIFIED SECURE SOFTWARE DEVELOPMENT with COMMON CRITERIA CONTENT CC IN A NUTSHELL CC BACKGROUND AIM AND GOAL OF CC ADVANTAGES OF CC WHY DO WE RECOMMEND CC TO DEVELOPERS? WHEN IS CC THE RIGHT CHOICE?
More informationMAKING A REALITY. The definitive Guide to the SINGLE EURO PAYMENTS AREA SEPA COUNTRIES
31 AUSTRIA BELGIUM BULGARIA CYPRUS CZECH REPUBLIC DENMARK ESTONIA FINLAND FRANCE GERMANY GREECE HUNGARY ICELAND IRELAND ITALY LATVIA LIECHTENSTEIN LITHUANIA LUXEMBOURG MALTA NETHERLANDS NORWAY POLAND PORTUGAL
More informationTHE ITALIAN BANKING ASSOCIATION Cards 2009 Cards Revolution. Payment cards between the PSD and SEPA
THE ITALIAN BANKING ASSOCIATION Cards 2009 Cards Revolution Payment cards between the PSD and SEPA Address by the Deputy Director General of the Bank of Italy Giovanni Carosio Rome, 12 November 2009 1
More informationCompetition policy brief
Issue 2015-3 June 2015 ISBN 978-92-79-38783-8, ISSN: 2315-3113 Competition policy brief Occasional discussion papers by the Competition Directorate General of the European Commission The Interchange Fees
More informationREPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL
EUROPEAN COMMISSION Brussels, 25.9.2014 COM(2014) 592 final REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on the implementation in the period from 4 December 2011 until 31 December
More informationProposal for a Regulation of the European Parliament and of the Council on interchange fees for card-based payment transactions
Proposal for a Regulation of the European Parliament and of the Council on interchange fees for card-based payment transactions About MasterCard MasterCard is a payments technology company that enables
More informationA RE T HE U.S. CHIP RULES ENOUGH?
August 2015 A RE T HE U.S. CHIP RULES ENOUGH? A longer term view of security and the payments landscape is needed. Abstract: The United States is finally modernizing its card payment systems and confronting
More informationAPACS RESPONSE TO THE EUROPEAN COMMISSION INTERIM REPORT ON PAYMENT CARDS
APACS RESPONSE TO THE EUROPEAN COMMISSION INTERIM REPORT ON PAYMENT CARDS 1. Introduction APACS is the UK payments association, a trade association for those institutions delivering payment services to
More informationPCI and EMV Compliance Checkup
PCI and EMV Compliance Checkup ATM Security Jim Pettitt Director, ATM Security Diebold Incorporated Agenda ATM threats today Top of mind risk PCI Impact on Security U.S. EMV Migration Conclusions / recommendations
More informationIl Ruolo della Tecnologia: l importanza delle scelte e l ottimizzazione dei costi SIAnet for SEPA! Giacomo BUICO Network Services Director
Il Ruolo della Tecnologia: l importanza delle scelte e l ottimizzazione dei costi SIAnet for SEPA! Giacomo BUICO Network Services Director sia-ssb 2007 SEPA Topics SEPA impacts technology, legislation
More informationPayments Relating to Online Shopping
131 Payments Relating to Online Shopping Eva Wix Wagner, Payment Systems INTRODUCTION AND SUMMARY Online shopping in Denmark has increased significantly in recent years, and Danish consumers are among
More informationONLINE PAYMENTS: Bridging the Gap between Fraud Prevention and Data Protection
ONLINE PAYMENTS: Bridging the Gap between Fraud Prevention and Data Protection IAPP EUROPE DATA PROTECTION CONGRESS 2014 19 November 2014 Brussels Increase of Payment Card Fraud on Internet Europe: USA:
More informationCABINET OFFICE THE CIVIL SERVICE NATIONALITY RULES
ANNEX A CABINET OFFICE THE CIVIL SERVICE NATIONALITY RULES Introduction The Civil Service Nationality Rules concern eligibility for employment in the Civil Service on the grounds of nationality and must
More informationEuropean Payment Card Systems for the 21 st Century. A paper from MasterCard Europe
U European Payment Card Systems for the 21 st Century A paper from MasterCard Europe For four decades, MasterCard Europe 1 has been working successfully with European banks to deliver secure, efficient
More informationMasterCard response to the Department of Finance public consultation Regulation (EU) 2015/751 on Interchange Fees for Card-based payment transactions
MasterCard response to the Department of Finance public consultation Regulation (EU) 2015/751 on Interchange Fees for Card-based payment transactions MasterCard MasterCard Worldwide (MasterCard) is a public-listed,
More information2: Credit cards, etc. Overview of the sector
19 2: Credit cards, etc Overview of the sector Note: This sectoral guidance is incomplete on its own. It must be read in conjunction with the main guidance set out in Part I of the Guidance. 2.1 A credit
More informationIntroduction. Fields marked with * are mandatory.
Questionnaires on introducing the European Professional Card for nurses, doctors, pharmacists, physiotherapists, engineers, mountain guides and estate agents(to competent authorities and other interested
More informationFBF position paper on the European Commission's proposal for a Directive on bank accounts ****
Paris, June 2013 FBF position paper on the European Commission's proposal for a Directive on bank accounts The French Banking Federation (FBF) is the professional body that represents all banks operating
More informationYour Reference Guide to EMV Integration: Understanding the Liability Shift
Your Reference Guide to EMV Integration: Understanding the Liability Shift UNDERSTANDING EMV EMVCo was formed in February 1999 by Europay, MasterCard and Visa to establish and maintain global interoperability
More informationSEPA Implementation and Migration in GREECE
SEPA Implementation and Migration in GREECE HELLENIC BANK ASSOCIATION Status of preparation and plans as per July 2007 1 Table of contents (1) Introduction 3 (2) Implementation and migration phases 5 (3)
More informationSecuring Internet Payments. The current regulatory state of play
Securing Internet Payments The current regulatory state of play In recent years the European Union (EU) institutions have shown a growing interest on the security of electronic payments. This interest
More informationEuroCommerce position paper Online e-payments
EuroCommerce position paper Online e-payments 16 September 2011 EuroCommerce welcomes the opportunity to comment on online payment issues. We carried out a brief members' survey and consulted within the
More informationGuide to the Electronic Payment Alternatives to Cheque Acceptance
Guide to the Electronic Payment Alternatives to Cheque Acceptance This document has been prepared by the Programme Office of the National Payments Plan for the purpose of informing interested parties about
More informationEMV FAQs. Contact us at: CS@VancoPayments.com. Visit us online: VancoPayments.com
EMV FAQs Contact us at: CS@VancoPayments.com Visit us online: VancoPayments.com What are the benefits of EMV cards to merchants and consumers? What is EMV? The acronym EMV stands for an organization formed
More informationA stocktaking of measures
LA FINANCE SOLIDAIRE CHAPTER OU ÉTHIQUE 1 A stocktaking of measures to protect online card payments 13 13 The Observatory regularly monitors fraud in card-not-present (CNP) payments, which amounted to
More informationOversight of non-cash payment schemes: objectives and implementation procedures
Oversight of non-cash payment schemes: objectives and implementation procedures MARC ANDRIES, CARLOS MARTIN Payment Systems Directorate Oversight of Non-cash Means of Payment Division The use of non-cash
More informationTHE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP
THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP WHERE IS THE U.S. PAYMENT CARD INDUSTRY NOW? WHERE IS IT GOING? Today, payment and identification cards of all types (credit
More informationQuestions & Answers on Payment Statistics
Questions & Answers on Payment Statistics The European Central Bank and the Bank of Finland have compiled statistics on payment transmission before, so what s new? In November 2013, the European Central
More informationSecurity Failures in Smart Card Payment Systems: Tampering the Tamper-Proof
Security Failures in Smart Card Payment Systems: Tampering the Tamper-Proof Saar Drimer Steven J. Murdoch Ross Anderson www.cl.cam.ac.uk/users/{sd410,sjm217,rja14} Computer Laboratory www.torproject.org
More informationSending money abroad. Plain text guide
Sending money abroad Plain text guide Contents Introduction 2 Ways to make international payments 3 Commonly asked questions 5 What is the cost to me of sending money abroad? 5 What is the cost to the
More informationEnhancing Payment Card Security New Measures to be Phased in from 2 nd Quarter 2010 to 1 st Quarter 2011
Enhancing Payment Card Security New Measures to be Phased in from 2 nd Quarter 2010 to 1 st Quarter 2011 On 5 th March 2010, The Association of Banks in Singapore announced key measures to adopt a holistic
More informationPRINCIPLES FOR EVALUATION OF DEVELOPMENT ASSISTANCE
PRINCIPLES FOR EVALUATION OF DEVELOPMENT ASSISTANCE DEVELOPMENT ASSISTANCE COMMITTEE PARIS, 1991 DAC Principles for Evaluation of Development Assistance Development Assistance Committee Abstract: The following
More informationPreparing for EMV chip card acceptance
Preparing for EMV chip card acceptance Ben Brown Vice President, Regional Sales Manager, Wells Fargo Merchant Services Lily Page Vice President, Wholesale ereceivables, Wells Fargo Merchant Services June
More informationSEPA Security Certification Framework
www.epc-cep.eu SEPA Security Certification Framework Topic 7 for discussion 25 th COGEPS Ugo Bechis EPC - Cards Working Group Chair Cards Stakeholders Group Co-Chair Bruxelles, 10- October 20 SEPA Card
More informationNOTICE ON OUTSOURCING
CONSULTATION PAPER P018-2014 SEPTEMBER 2014 NOTICE ON OUTSOURCING PREFACE 1 MAS first issued the Guidelines on Outsourcing in 2004 1 ( Guidelines ) to promote sound risk management practices for the outsourcing
More informationAccreditation in Europe
Accreditation in Europe Facilitating regulatory compliance and international trade ACCREDITATION INSPECTION TESTING CALIBRATION EXAMINATION VERIFICATION CERTIFICATION About the EA The EA is appointed by
More informationTHE SINGLE EURO PAYMENTS AREA (SEPA) AN INTEGRATED RETAIL PAYMENTS MARKET
THE SINGLE EURO PAYMENTS AREA (SEPA) AN INTEGRATED RETAIL PAYMENTS MARKET Contents Foreword 3 Introduction 4 1. Creating SEPA 5 Overview of SEPA 5 Stakeholders 5 Why SEPA? 6 What has been achieved so far?
More informationtoast EMV in 2015: How Restaurants Can Prepare for the New Chip-and-Pin Standard
toast EMV in 2015: How Restaurants Can Prepare for the New Chip-and-Pin Standard Table of Contents For more than 40 years, merchants and consumers have used magnetic stripe credit cards and compatible
More informationSTUDY: LEGAL REQUIREMENTS FOR AN EXCHANGE OF FRAUD DATA AMONG CARD ISSUERS
4 STUDY: LEGAL REQUIREMENTS FOR AN EXCHANGE OF FRAUD DATA AMONG CARD ISSUERS In 2003, the Observatory looked at the automatic fraud detection systems implemented by card issuers. This work showed that
More informationINTERNATIONAL. Helping your money travel around the world. International payments travel money and CHAPS. Talk to us today
INTERNATIONAL Helping your money travel around the world International payments travel money and CHAPS Talk to us today Access your money, at home and away Maybe you have family overseas and want to send
More informationConsultation on the future of European Insolvency Law
Consultation on the future of European Insolvency Law The Commission has put the revision of the Insolvency Regulation in its Work Programme for 2012. The revision is one of the measures in the field of
More informationINTERNATIONAL SERVICES TARIFF
INTERNATIONAL SERVICES TARIFF Supporting your international business Our service promise. If you experience a problem, we will always try to resolve it as quickly as possible. Please bring it to the attention
More informationFinal Report for the Project Car Insurance Tariffs. Part I
Final Report - Part I: Project description (Meyer, H.D.) 1 Final Report for the Project Car Insurance Tariffs Part I Project Description H a n s D i e t e r M e y e r * Insurance Advisor * Contact mailto:hansdmeyer@versanet.de
More informationThe Adoption of EMV Technology in the U.S. By Dave Ewald Global Industry Sales Consultant Datacard Group
The Adoption of EMV Technology in the U.S. By Dave Ewald Global Industry Sales Consultant Datacard Group Abstract: Visa Inc. and MasterCard recently announced plans to accelerate chip migration in the
More informationThe European Entrepreneur Exchange Programme
The European Entrepreneur Exchange Programme Users Guide 2 Contents 1.0 Introduction... 5 2.0 Objectives... 6 3.0 Structure... 7 3.1 Basic elements... 7 3.2 Four phases... 8 4.0 Implementation... 9 4.1
More informationTerms of Access to Payment Systems
1 Terms of Access to Payment Systems The Different Positions of Small and Large Banks English summary of Swedish Competition Authority report 2006:1 2 Summary The Swedish banking market is dominated by
More informationSupplementary Appendix Table A DESCRIPTION OF THE DIRECTIVES OF THE FINACIAL SERVICES ACTION PLAN (FSAP)
Supplementary Appendix Table A DESCRIPTION OF THE DIRECTIVES OF THE FINACIAL SERVICES ACTION PLAN (FSAP) Directive Name Directive No. Deadline Implementation of the Settlement Finality Directive 1998/26/EC
More informationFAQ TrustPay internet banking
FAQ TrustPay internet banking General Information What is the difference between TrustPay account and a bank account? TrustPay account is a payment account under the Law 492/2009 of payment services. This
More informationM/Chip Functional Architecture for Debit and Credit
M/Chip Functional Architecture for Debit and Credit Christian Delporte, Vice President, Chip Centre of Excellence, New Products Engineering Suggested routing: Authorization, Chargeback, Chip Technology,
More informationVisa Reloadable Frequently Asked Questions. EMV Travel Card
Visa Reloadable Frequently Asked Questions EMV Travel Card How does the International Prepaid Card work? The International Prepaid Card is a reloadable prepaid Visa debit card, which means you can spend
More informationProposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
EUROPEAN COMMISSION Brussels, 9.1.2014 COM(2013) 937 final 2013/0449 (COD) Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EU) N 260/2012 as regards the migration
More informationCard payments in Sweden
Card payments in Sweden BY LARS NYBERG AND GABRIELA GUIBOURG Lars Nyberg is a Deputy Governor of the Riksbank and Gabriela Guibourg works at the Financial Stability Department. Consumers in the Nordic
More informationAUDIT PROGRAMME. Guide to the design of internal quality assurance systems in higher education. Document 01 V. 1.0-21/06/07
AUDIT PROGRAMME Guide to the design of internal quality assurance systems in higher education Document 01 V. 1.0-21/06/07 INDEX FOREWORD FUNDAMENTALS OF DESIGNING INTERNAL QUALITY ASSURANCE SYSTEMS 1.-
More informationARE THE POINTS OF SINGLE CONTACT TRULY MAKING THINGS EASIER FOR EUROPEAN COMPANIES?
ARE THE POINTS OF SINGLE CONTACT TRULY MAKING THINGS EASIER FOR EUROPEAN COMPANIES? SERVICES DIRECTIVE IMPLEMENTATION REPORT NOVEMBER 2011 EUROPEAN COMPANIES WANT WELL-FUNCTIONING POINTS OF SINGLE CONTACT
More informationEuropean Commission Green Paper on card, mobile and e- payments
European Commission Green Paper on card, mobile and e- payments A Cicero Consulting Special Report 2 Contents page Cicero Introduction Page 3 Current payments landscape Page 5 Objectives Page 5 Possible
More informationAUSTRALIAN PAYMENTS FRAUD DETAILS AND DATA
Australian Payments Clearing Association AUSTRALIAN PAYMENTS FRAUD DETAILS AND DATA 214 Australian Payments Clearing Association Limited ABN 12 55 136 519 CONTENTS OVERVIEW 1 SECTION 1 Fraud rates 4 SECTION
More information