Summary 4th Eurosystem Security Certification Forum




DIRECTORATE GENERAL MARKET INFRASTRUCTURE & PAYMENTS
MARKET INTEGRATION DIVISION
ECB-PUBLIC
22 September 2014

1. Introduction

On 7 April 2014 the European Central Bank organised the 4th Eurosystem security certification forum (the forum) with the objective of promoting the harmonisation of the card payment terminal security requirements, the card terminal security evaluation methodology and the certification process, which were currently missing components of SEPA for cards. Moreover, the Eurosystem also aimed to help remove some of the bureaucratic barriers that a terminal manufacturer faced in order to produce and sell a terminal throughout SEPA. In fact, the terminal security certification process is currently so diversified across SEPA that terminal manufacturers incur high costs for several administrative activities when trying to market their products in all SEPA countries.

The participants in the forum included representatives from the Eurosystem, Europol, the European Commission, the Cards Stakeholders Group (CSG) [1], the European Payments Council (EPC) [2], merchants, terminal and chip manufacturers, card schemes and approval bodies, as well as from laboratories, card transaction processors, the Open Standards for Security and Certification (OSEC) [3] project and from the PCI Security Standards Council (PCI SSC) [4].

The agenda included a welcome address by the ECB, followed by several presentations and panels involving the participants of the forum. The presentations and panels provided an overview of the different market players' views on card and terminal security certification. Finally, the card schemes presented their views on the possible development of contactless technology.

[1] The CSG is a de facto association composed of five representatives from the cards sector (retailers, vendors, processors, schemes and the EPC). These representatives have come together to participate in a structured cards dialogue. Further information on the CSG is available on its website.
[2] The EPC is the coordination and decision-making body of the European banking industry in relation to payments. Further information on the EPC is available on its website.
[3] The OSEC project contributes to achieving a harmonised point of interaction (POI) terminal security certification in Europe based on the Common Criteria (CC) methodology. Further information on the OSEC project is available on its website.
[4] The PCI SSC is an open global forum, launched in 2006, which is responsible for the development, management, education and awareness of the PCI Security Standards. Further information on the PCI SSC is available on its website.

4th Eurosystem Security Certification Forum - Summary_ Page 1 of 11

2. The policy environment session

2.1 ECB/Eurosystem's objectives in the field of terminal security evaluation and certification methodologies

The chair of the forum, Mr Ruttenberg (ECB), opened the forum by welcoming all the participants. Mr Tur Hartmann (ECB) began the working session with a presentation on the importance of shifting the focus to SEPA for cards now that the migration of credit transfers and direct debits in SEPA had almost been completed. From Mr Tur Hartmann's point of view, the main factors hampering a broader acceptance of all cards, and as such the realisation of SEPA for cards, were the varying regional business practices and rules and the non-compatible technical standards. The ECB strongly promoted the efforts to harmonise the principles, business practices and rules, and the technical standards adopted by the payments industry. The ultimate goal of the ECB was to establish an efficient, safe and reliable card payment arena, which also encompassed a low level of fraud.

The ECB welcomed the work carried out by the CSG on further developing the Cards Standardisation Volume (the Volume) and supported the use of ISO 20022 [5] for card messages in the terminal-to-acquirer and acquirer-to-issuer domains for both authorisation and clearing and settlement. The latter would make it possible to use the same infrastructures for card payment transactions and clearing and settlement as those already in place for SEPA credit transfers and SEPA direct debits.

In the field of terminal security certification, the ECB had been monitoring and acknowledged the progress made by the payments industry. Moreover, the ECB supported the aim of achieving a single or a restricted number of SEPA terminal security certification methodologies. In this respect, the ECB expected the convergence of terminal security certification methodologies to take place in accordance with the roadmap defined in the aforementioned Volume.
To conclude, Mr Tur Hartmann presented the objectives, the composition and the functioning of the Euro Retail Payments Board.

[5] ISO 20022 is an international standard laid down by the International Organization for Standardization (ISO) Technical Committee TC68 Financial Services. Further information on these standards is available on ISO's website.

2.2 Europol - electronic payment fraud in Europe

Mr Godart presented an overview of the threats that Europol currently faced in respect of card payments. Criminal organisations operated at the international level and were constantly improving their techniques. Law enforcement agencies needed to coordinate their work in order to maintain the pace and resilience necessary to combat these criminal activities. Mr Godart explained the common practices used to initiate card payment fraud and presented some of Europol's achievements against card fraudsters thus far. One of the prominent features of Mr Godart's presentation was the finding that criminal organisations had largely been using stolen and counterfeit cards to subsidise their internal logistics (e.g. air travel, hotels, restaurants, etc.) rather than trying to directly monetise the stolen goods. Furthermore, Europol predicted that mobile payments and other new technologies would be the key areas in which criminal organisations would be more active in the future. Owing to the global impact of fraud, Mr Godart wanted to look into possibilities for improving the international cooperation mechanisms of law enforcement agencies so as to respond better to criminal activities.

2.3 ECB - third Eurosystem report on card fraud

Mr Hofmeister (ECB) presented the third Eurosystem report on card fraud. Following a short introduction on the provision of data, Mr Hofmeister explained the main findings of the report. In 2012, the total value of card fraud in SEPA amounted to €1.33 billion, an increase of 15% compared with 2011. This fraud was largely concentrated in card-not-present transactions (60% of fraud) and in cross-border transactions (50% of the value of fraud, compared with 7% of the total transaction value), and there were large discrepancies in the level of fraud across the different EU countries. Mr Hofmeister concluded that there was a need to increase the level of security for card-not-present transactions, but that this would be addressed once the SecuRe Pay recommendations [6] were fully implemented by 1 February 2015. Moreover, even though migration to EMV [7] had improved the security of card payments, a geo-blocking authorisation strategy remained an important component of the anti-fraud strategy, certainly as long as the magnetic stripe, with all of the payment-related data, was still on the card.

3. The industry's state-of-play session

3.1 Cards Stakeholders Group - SEPA Cards Standardisation Volume v7.0 [8]: Security and Security Certification

Mr Bechis and Mr Massey (Co-chairs of the CSG) presented the progress made in Volume v7.0, with the focus being on Book 4 Security. The CSG expected the market to be able to comply with the Volume within three years of its publication (January 2014).
Mr Massey explained that the security requirements defined in the Volume referred to international standards (for example PCI, EMV, ISO and Common Criteria (CC) [9]). The CSG was focusing its efforts on security and was further developing the Volume. The next version of the Volume was expected to be published in the second half of 2014; this update would also include remote payment security requirements. Mr Bechis and Mr Massey presented the content of Book 5, which is the conformance verification process as per the Volume, the labelling, and the different types of approval and certification processes used in the payments industry. Furthermore, the CSG was currently working on Book 7 Processing, as well as on an update of Book 3 Data elements.

[6] The SecuRe Pay recommendations are available on the ECB's website.
[7] EMV is a global standard for the interoperation of integrated circuit cards and chip card-capable point-of-sale (POS) terminals and automated teller machines (ATMs) for the purpose of authenticating card transactions. The organisation responsible for developing and updating the standard is EMVCo. Further information on EMV and EMVCo can be found on EMVCo's website.
[8] The Volume is available on the EPC's website.
[9] The Common Criteria for Information Technology Security Evaluation (otherwise known as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification.

With regard to terminal security certification, the CSG reported on its evaluation of the OSEC project. The project was assessed against four objectives: i) security assurance; ii) capacity and timing; iii) competition; and iv) cost. As a result of this assessment, the CSG decided: i) to continue working together with OSEC for the next two years, given that the objective of harmonisation/convergence of security certifications for the point of interaction (POI) was still considered feasible; and ii) that there was a need for the card schemes and the approval bodies to decide on which security certification methodology to use (as described in Volume v7.0). In the interim period, card schemes and approval bodies within SEPA needed to collaborate in order to find out which certificates were most widely used, so as to streamline the efforts to be made by the vendors and the merchants and to minimise approval costs in SEPA.

Mr Bechis and Mr Massey presented the results of a survey on POI evaluation methodology among card schemes and approval bodies. All survey participants supported the security requirements defined in the Volume. Moreover, the survey examined the preferences with regard to the two main terminal security methodologies (PCI or CC) and the concept of convergence.
The survey results showed that: i) 100% of the respondents supported the Volume's POI security requirements; ii) 71.4% of the respondents were generally in favour of the PCI methodology, whilst 14.3% were in favour of the CC methodology and 14.3% were in favour of converging the two; and iii) 85.7% of the respondents would accept PCI certification for terminal approval, 14.3% would accept CC certification and 57.1% were in favour of converging certification (they could accept both certifications). Mr Blasche (VÖB/GBIC) noted that the security requirements defined in the Volume covered the market's needs to a large extent and that the definition of these requirements had been the outcome of a long negotiation process within the CSG.

3.2 Panel 1 - The need for harmonised European payment products and solutions for managing a multi-country business

Mr Bourron (Total) began his presentation with the key figures from his company, thereby stressing the complexity of managing and accepting different payment instruments for fuel retailers. As an integrated cross-border merchant, Total needed to be able to deploy a single POI solution in order to increase its efficiency, reduce costs and improve its time-to-market (TTM). He also explained that fuel retailers had specific needs in terms of integrating fuel cards alongside general purpose payment cards. Total had chosen to implement the EPAS [10] and IFSF [11] standards. In this context, he stressed the need for SEPA for cards to be achieved and for the pace of the convergence of the PCI and CC security evaluation and certification methodologies to be increased. Mr Bourron appreciated the work already carried out by the CSG on the Volume, but at the same time expressed his concerns regarding the results of the OSEC pilot (length of the project, absence of mutual recognition between OSEC and PCI). With regard to terminal security, he suggested using the PCI standards and working to improve confidence in the PCI methodology by revamping its governance and revising its requirements. Moreover, he proposed removing type approval by card schemes/approval bodies for certified terminals.

[10] http://www.epasorg.eu/

Mr Joliveau (SIA) presented the views of processors active at the international level. SIA processes transactions for several payment instruments in various countries and offers services aimed at reducing card fraud by means of more advanced transaction authorisation. He stressed the importance of standardisation across Europe in order to achieve economies of scale and to reduce the TTM within SEPA. The standardisation process should focus on the terminal-to-acquirer (T2A) domain rather than the acquirer-to-issuer (A2I) domain, because: i) acquirers, either directly or through their processors, are already used to working with several different standards (international, domestic and private card schemes) in order to connect with issuers; and ii) terminals use different protocols from country to country and are subject to different certification requirements. Moreover, he expected market players to view migration, at equal functionality, from an existing version of ISO 8583 [12] to a common ISO 8583 version or to ISO 20022 rather negatively, owing to the high costs of migration, whereby the efforts would not outweigh the benefits.
Mr Joliveau believed that, in the long run, the efforts to achieve greater standardisation would bring advantages to both the market and processors; however, he noted that customisations were required to fully respond to customers' requirements.

3.3 Panel 2 - The different terminal security certification methodologies and the results of the OSEC pilot

Ms Quentmeier (OSEC Chair; SRC) presented the results of the work of the OSEC project. She illustrated the advantages of the CC methodology, listed the OSEC project participants' expectations with regard to the project and described the pilot. Ms Quentmeier stressed the relevance of terminal security certification as a key component of payment card security and described the project's developments and achievements. Moreover, Ms Quentmeier supported the idea that only one harmonised assurance level would lead to common acceptance for type approval (by card schemes or approval bodies), and that the labelling of security certification methods, as it stands in the Volume, could lead to market fragmentation.

[11] International Forecourt Standards Forum. Source: http://www.ifsf.org/home.aspx
[12] ISO 8583 is a standard for financial transaction card-originated messages. Card market players operate using different customisations of this standard.

Ms Quentmeier reflected on the outcome of the evaluation of the OSEC approach performed by the Cards Stakeholders Group. Clearly, approval bodies currently did not share a common view on the results of the OSEC approach. Therefore, the project would continue for a further two years in order to: i) complete the experience with other CC evaluation and certification pilots; ii) investigate organisational models and establish formal governance of the project; iii) improve the TTM; and iv) cooperate with the PCI SSC to achieve greater convergence. Participants in the forum took stock of the achievements of the OSEC project: i) all European card schemes and approval bodies involved in terminal approval had participated in the project; ii) many of the new security requirements identified had also been adopted by PCI; and iii) JTEMS [13] had been established together with all relevant parties in order to develop new requirements and processes. Ms Quentmeier stated that the CC approach achieved a higher level of security for the terminal, because the evaluation methodology was more rigorous and was based on an all-encompassing approach. Moreover, Ms Quentmeier proposed that a CC certificate for terminals might be used to issue a PCI certificate. The German Banking Industry Committee (GBIC), the UK Cards Association and Cartes Bancaires showed their willingness to help establish a coordination body in the field of certification that might benefit from the OSEC experience.

Mr Whittacker (Visa Europe) presented the PCI PIN Transaction Security (PTS) view in this field. First, he provided an overview of the PCI process for obtaining certificates; second, he presented the governance of the PCI SSC PTS Working Group, which is responsible for developing and maintaining the PCI certification standards (PCI PTS, PCI HSM [14] and PCI PIN) as well as for reviewing and making recommendations on laboratory assessments and device evaluation reports.
Third, Mr Whittacker presented developments in the PCI PTS methodology over the years. An increasing number of requirements had been added over time to the new PCI PTS versions. These new requirements had been introduced partly thanks to the experience gained from the OSEC project, and it had now been demonstrated that the PCI PTS requirements can be reused in order to meet the EPC Plus security requirements defined in the Volume. Mr Whittacker was critical of the OSEC pilot results for the following reasons: i) so far there had been insufficient evaluations to prove the validity of the pilot; ii) the current pilot had identified a number of divergent approaches between national certification bodies; iii) there was no recognised widespread willingness to commit resources to formalise the OSEC processes and structures; and iv) it was not practical to use a CC evaluation report in order to produce a PCI certificate, owing to the structure and size of the documentation.

[13] The JIL Terminal Evaluation Methodology Subgroup (JTEMS) is a subgroup of the Joint Interpretation Library, which suggests specific tailoring of the CC methodology for card payment terminals.
[14] Hardware Security Module.

Finally, Mr Whittacker concluded that the PCI SSC represented the right solution for a global industry (common risk appetite and tolerances) facing a common threat, as it did not subordinate national interests. Moreover, he questioned the security assurance level of CC evaluation compared with PCI PTS and the convenience of adopting the CC methodology.

Mr Brown (UL laboratories [15]) introduced to the discussion the views of a laboratory involved in performing both PCI and CC tests. Mr Brown presented UL laboratories' experience during the OSEC project. UL laboratories tested a Secure Electrans terminal against the CC CAS [16] POI protection profile. During the evaluation, UL laboratories identified security issues related to the terminal software. The terminal vendor resolved these issues and the product became more secure as a result of the evaluation process. Mr Brown stated that the laboratories involved in the OSEC project had worked cooperatively (in JTEMS) to ensure consistency of the CC approach across the different countries, subject to the oversight of different national certification bodies. Mr Brown concluded that working within the framework of the OSEC pilot had been a fruitful experience. The OSEC certification model was still in the early stages of its development, and for this reason the OSEC pilot had incurred delays and implementation issues.

3.4 Panel 3 - The roadmap for harmonisation of the terminal security evaluation and certification methodologies

Mr Blasche (VÖB/GBIC) introduced the German banking industry's position on terminal security certification. He informed the forum that the GBIC had a proprietary methodology for terminal security certification that granted a high level of security (no major security incidents for the past 20 years) and a good cost/benefit ratio. The GBIC had decided to move over to the CC methodology in order to employ a harmonised European methodology for both evaluation and certification.
The GBIC thereby aimed to achieve greater convergence of the current methodologies, as foreseen in the Volume. Along the same lines as Ms Quentmeier, he also believed that the labelling of different methodologies in accordance with the Volume would not help the current situation of market fragmentation and would therefore potentially lead to different/inconsistent security levels. Mr Blasche listed the reasons that had led the GBIC to choose CC as the future terminal security certification methodology: i) the evaluation is carried out using the "white box" approach [17]; ii) CC recommends the immediate coverage of all publicly known attacks; iii) a systematic approach covering the entire life-cycle is in place, and the approach is open, transparent and decentralised; iv) there is repeatability, comparability and traceability of the results; and v) it is possible to have open European governance.

[15] UL laboratories account for around 45% of all PCI approvals on a global scale.
[16] Common Approval Scheme.
[17] The tester knows how the terminal is built.

To conclude, Mr Blasche supported OSEC's pilot work, as he believed it to be a workable solution. The GBIC would insist on CC testing before granting its scheme's certification, as from 2017. Moreover, CC certification was already regarded as an agreed option.

Mr Alonso (Servired) began his presentation with an overview of the Spanish market, mainly as an acquiring country for cross-border transactions. Mr Alonso supported the need for interoperable solutions with globally active card schemes and further compliance with the Volume. In the field of terminal security certification, the Servired representative stated that working with both PCI and CC required a great deal of effort; therefore, there was an urgent need for harmonisation between the different methodologies. Servired had chosen to use the PCI approach because: i) it ensures interoperability and is widely recognised; and ii) the PCI SSC security requirements are consistent with the Volume.

Mr Whittacker (Visa Europe) also provided Visa's view on this issue. For Visa, there was clear evidence that the results of the OSEC pilot were useful. Mr Whittacker claimed that PCI was able to deal rapidly with the security issues of the terminals, whilst OSEC did not provide any clear timing for its certification process. Moreover, the costs of setting up a security certification infrastructure based on Common Criteria were not outweighed by the benefits. Visa would always request a PCI certificate, because its global platform required global rules and processes to be in place within the framework of the four-party model. Nevertheless, he recognised that the OSEC project had contributed to gaining insight into software attacks on terminals. Mr Whittacker concluded that the major challenges for the payment card market in the future related to the types of acceptance points and mobile payment devices.
The security level of these new environments raised new challenges for the industry, since these devices were mainly designed to respond to business needs rather than to security requirements, particularly on the acceptance side. In this context, one of the most interesting and challenging innovations was Host Card Emulation for NFC contactless mobile payments, with the card being cloud-based.

3.5 Developments in security - the view of a vendor

Mr Jacquis (Ingenico), following an introduction to Ingenico's key indicators, proposed looking at retail payments using a new approach. Mr Jacquis presented some recently observed consumer behaviour trends for retail purchases. The main conclusions drawn were: i) 50% of consumers have stopped buying in shops owing to the time spent in queues; and ii) 91% of consumers retrieve information online before buying in shops (excluding food). Therefore, retailers are changing the way in which they interact with consumers and finalise orders: retailers are trying to integrate the web experience into their traditional sales channels (web-to-store, store-to-web and web-in-store). Mr Jacquis indicated that security represented a major challenge in this new environment. Given that payment solutions were developing so rapidly, the security rules obviously needed to follow along the same path. In order to overcome these challenges, Mr Jacquis said that the TTM for new solutions should be taken into account and, in particular, the trade-off between the TTM and security; the current situation might favour new entrants which would radically innovate the payments market. Ingenico was supportive of the SEPA security certification harmonisation process and had joined the OSEC pilot. However, its feedback on the pilot was negative, because the TTM and cost efficiency criteria had not been met.

3.6 Payment card and mobile platform certification: views of the Smart Payment Association (SPA) [18]

Mr Gaston (Gemalto) presented the views of the Smart Payment Association on UICC [19] (new generation SIM card with payment capabilities) security certification. He explained all the steps required to obtain certification for the UICC. The UICC certification process lasts for several months and accounts for a significant part of the production costs. At present, card manufacturers certify their products in accordance with the schemes' requirements and/or the methodology stipulated by the national security authorities. Mr Gaston stressed that EMV technology had, thus far, provided a high level of confidence and security in the face-to-face environment. Mobile payment platforms based on SIM cards issued by a mobile network operator currently allow for card payments using a mobile. The security level of mobile payment components should be the same as for any standard transaction. The security certification of the UICC component raised challenges for the implementation of mobile payment programmes, the main ones being: i) mobile payment applications run on open platforms with different life-cycles compared with the card payment industry, which to date has been based mainly on closed platforms; and ii) the renewal of the respective certifications creates synchronisation issues and uncertainty for the issuers and mobile network operators (MNOs). Mr Gaston was of the opinion that the overall UICC life-cycle certification process was too cumbersome.
The SPA was therefore working on several initiatives in order to optimise the certification process and hence to promote payments via mobile devices. The on-going initiatives by the SPA to promote mobile payments were: i) to propose a new UICC certification process through the development of a unified UICC/payment application end-of-life policy; ii) to facilitate the dialogue between mobile telecom operators, payment schemes and banks; and iii) to explore the options for Trusted Service Managers (TSM) to improve users experience managing mobile payment applications. Moreover, Mr Gaston expressed his doubts regarding the security level ensured by the Host Card Emulation (HCE) services related to mobile payments. 18 The Smart Payment Association (SPA) is the trade body of the smart card payment industry; its members are Giesecke & Devrient, Gemalto, Oberthur Technologies, Austria Card, Incard and Morpho. With more than 975 million smart payment cards delivered by its members in 2012, the SPA represents more than 85% of the smart payment card market. Source: http://www.smartpaymentassociation.com 19 Universal Integrated Circuit Card. 4th Eurosystem Security Certification Forum - Summary_ Page 9 of 11

3.7 Panel 4: Contactless technology - setting up interoperable standards in the early stages of implementation

Mr Lourenco (MasterCard) introduced the last panel, on contactless technology. For MasterCard, contactless technology was already a reality: there were more than 1 million cards in several countries in Europe, and there were specific requirements for contactless terminals (both for PCI and for CC). Contactless technology was designed to speed up payment, displace cash and increase card usage for low-value transactions (usually below €25). Contactless products can take different forms (cards, stickers, mobiles, wristbands, key fobs), and these multiple forms enable new electronic payments in place of cash. Mr Lourenco presented the elective target for contactless products: they met the needs of consumer segments such as the affluent, mass affluent, young professionals, and optimistic and emerging multicultural people. The usage of contactless products drives value, with speed and convenience having the greatest relevance for both payer and payee. The business environments in which contactless products might create greater value were drugstores, fast food restaurants, supermarkets, airports and transit. Mr Lourenco identified the main advantages for the payee as the reduction of cash handling costs, the promotion of higher spending at the POI, a faster check-out and the opportunity to enable mobile payments. For the card issuer, contactless promotes more frequent usage of the card, thereby increasing customer loyalty and displacing cash. Finally, Mr Lourenco reported on recent research showing that, in many countries, cash is considered to be among the dirtiest media, and consumers would be happy to replace it with electronic payments, mainly for the cleanliness factor.

Mr Sarazin (Cartes Bancaires - CB) presented some key figures from CB (more than 10 billion transactions in 2013). CB analysed the distribution of the payment transactions made by consumers with different instruments (cash, CB cards, cheques and other), arranged by transaction value. The analysis showed that the wide majority of all transactions below €15 were executed in cash and that around 50% of all payment transactions were below this value. CB has gradually introduced contactless technology to the market over the past two years. Currently, there are more than 1 million contactless payment users making more than 2 million payments per month; CB is experiencing very strong growth in contactless transactions, and Mr Sarazin expects even stronger growth in this technology in the time to come. He said that one of the key elements for the success of contactless technology was acceptance in the transit industry, where transaction speed is one of the required features of the payment instrument. CB has a full co-badging strategy with Visa and MasterCard on contactless technology. Mr Sarazin claimed that migration to SEPA standards could take around ten years, as was the case for migration to EMV.

4. Conclusion

The Chair, Mr Ruttenberg, concluded that focusing on security for card-not-present transactions was a top priority. However, reducing card fraud also depended on the security features of the physical terminal, given that card data were often captured and stolen in the physical environment. The ECB took stock of the progress made by the initiatives in the field of terminal security certification and continued to promote the harmonisation of the market with a view to creating SEPA for cards: a harmonised, competitive and innovative European card payments area. The ECB recognised that a single harmonised framework for terminal security certification would be optimal. The convergence of multiple security frameworks to a chosen few was already considered to be a major achievement, given the market conditions and the diverging interests of stakeholders. The ECB recognised that the convergence of the terminal security certification methodologies was not completely straightforward: there were differing interpretations of the convergence concept among stakeholders, and further work was required in this area. The ECB equally recognised that major technological developments had been made in the area of electronic payment instruments and that these developments were affecting consumer behaviour at the POI. The ECB would continue to monitor developments in the field of card payment functional and security standardisation. Furthermore, the ECB would continue acting as a catalyst in the context of SEPA in order to enhance further market integration.