www.epc-cep.eu
SEPA Security Certification Framework
Topic 7 for discussion, 25th COGEPS
Ugo Bechis, EPC Cards Working Group Chair, Cards Stakeholders Group Co-Chair
Bruxelles, 10 October 20
SEPA Card Security Standards: Ecosystem
Layers: Principles - Rules; Security Standards Requirements; Security Implementation & test methodology
> EPC & CSG: EPC CWG: SCF; EPC: Resolutions; CSG: Volume BoR
> International Bodies: ISO TC68/SC2 (Security standardisation); ISO/IEC JTC1/SC27 (IT security); ISO TC68/SC7
> Market Initiatives: OSeC; PCI; Other
Card Security Requirements: Volume - chapter 5 Security
A single set of Security Requirements for cards & terminals: a common, single one, not in the competitive domain.
Volume BoR Chapter 5 - highlights:
> 5.2 Data Protection Requirements
> 5.3 Card Security Requirements
> 5.4 Terminal / POI Security Requirements
> 5.5 Payment Application Specific Requirements
> 5.5.2 Card Not Present - CNP
> 5.6 End-to-End Security Requirements
Chapter 5 refers to International Standards Bodies' specifications.
Cards Certification - CMB: Volume chapter 6 Certification
The SEPA Certification Management Body: a Framework document
> CMB Terms of Reference
> CMB Roles and procedures
Volume Standards Requirements: Volume Ch. 6, Volume Ch. 5
CMB - Certification Framework: Scope & roles
CMB: EPC Resolution 23.6.2010, endorsed by CSG 14.9.2010
CMB Governance: Banks and Schemes, plus Retail for non-security matters
Scope: harmonise certification processes to one SEPA Security Certificate
Roles:
a) issuing SEPA rules for recognition of Certification Authorities & labs
b) listing references for SEPA market certification implementation
c) light oversight, monitoring compliance of certification authorities/processes and acceptance of certificates
d) monitoring the certification implementation by the market
e) supporting convergence of evaluation methodologies
EPC Plenary 27.9.20, 2.d Resolution on CMB
EPC Plenary resolved:
> CMB to be set up as an EPC body, open to the 3 Sectors governance
> CMB role to be restricted to Certification processes only
> Standards Requirements & Spec.s to be addressed at Volume level
> Volume BoR chapter 5 to be extended to Common Criteria Protection Profiles
> OSeC Pilot outcome will feed Certification processes on POI
> CSG designated a representative to the OSeC Steering Co.
SEPA Payments Security: an open issue
Payments Security requires harmonised Self-Regulation & Regulation (EPC and International Standards Bodies).
Self-regulation is impacted by some National Authorities' regulatory requirements.
National Authorities (NCBs, other) have different sources of legitimacy:
> National laws
> PSD adoption
> Cards Oversight Framework
Sources of legitimacy and ruling guidelines have to be harmonised.
Volume referrals to International Standards Bodies
ISO4217 - Currency Codes
ISO7810 - Identification cards - Physical Characteristics
ISO78 - Identification cards - Recording Technique
ISO7812 - Identification cards - Identification of Issuers (IIN, BIN, PAN)
ISO7813 - Identification cards - Financial Transaction Cards
ISO7816 - Identification cards - Integrated Circuit Cards
ISO14443 - Identification cards - Contactless Integrated Circuit Cards
ISO/IEC4909 - Magnetic stripe data content
ISO8583 - Financial transaction card originated messages - Interchange Message Specifications
ISO20022 - Financial Services - Universal Financial Industry Message Scheme
ICC - Integrated Circuit Card
EMV - (Originally) Europay MasterCard Visa
PCI - Payment Card Industry
PCI DSS - PCI Data Storage Security

CIR / SEPA Fast - Common Implementation Recommendations / SEPA Financial Application Specification for SCF Compliant EMV Terminals
CAS - Common Approval Scheme
CCD - Common Core Definitions
CPA - Common Payment Application
PTS - PIN Transaction Security
EPAS - Electronic Protocol Application Software
CAPE - Card Payment Exchanges (ISO20022), EPAS Acquirer and TMS protocols
CCPAY - Card Clearing Payment Messages (ISO20022 change request)
ATICA - Acquirer to Issuer Card Messages
CCA - Common Contactless Application
IFX - Interactive Financial eXchange
CEN/XFS - Extensions for Financial Services