Common.SECC is an international security certification scheme for card payment terminals (known as points of interaction or POIs).
Currently Common.SECC covers POIs deployed at merchants in Germany and the UK, but that scope may be extended, and other nations and approval bodies are welcome to join Common.SECC.
In Germany, the Common.SECC process replaces many aspects of the existing POI security evaluation process. (There are additional requirements for the German market, relating to functional terminal and network testing and POI application evaluation. These will continue to be performed, but POIs must first have a Common.SECC certificate.)
In the UK, the Common.SECC process replaces the pre-existing UK POI Common Criteria security evaluation process.
It applies to new POIs. POIs that have been evaluated under previous arrangements may continue to be maintained under those previous arrangements with the agreement of those schemes’ operators, although there may be time limits on this. Common.SECC reserves the right to decide whether a device is ‘new’ and thus falls under the Common.SECC scheme. The vendor may opt to take the Common.SECC route.
As well as POIs (or “Devices”), Common.SECC will certify Components and Payment Applications. The general term “Product” is used for any object to be certified.
Components are modules within POIs and their certification is offered in order to allow them to be verified separately and listed as certified. They must subsequently be re-evaluated as part of evaluation of a complete POI, but their prior certification should reduce the evaluation effort. Components are not suitable for approval and deployment. Examples of Components are “plug-ins” that are developed separately, and PIN entry devices that are not POIs in their own right.
Payment Applications are certified in order to show that they have been assessed. Certification of Payment Applications is not mandated by Common.SECC but may be mandated by an approval body.
Our missions are as follows:
Mission 1 – protect the security of card payment transactions adequately
Common.SECC requires that terminals are evaluated for security using Common Criteria (CC), the ISO-standardized, card-scheme-independent, government-sponsored methodology for IT Security Evaluation. Security evaluations are performed by laboratories that are government-accredited for the type of product being assessed.
The advantage of this standard is that it is designed to ensure that the required assurance level is truly achieved, irrespective of the application. CC itself was not designed to follow a specific risk policy, but once a risk policy is defined, CC will ensure that it is satisfied. CC is thorough and methodical.
The generic CC standard was first customised for card payment terminals in 2003, according to a risk policy defined by the owners of the risk in card payments – the card issuers and acquirers. The security requirements were set at a level that ensured the best security that would be achievable by the market. Over the last ten years that work has been extended at an international level in a multi-stakeholder open collaboration of vendors, laboratories, governmental certification bodies and card schemes, a process observed by the ECB. Common.SECC therefore relies on a mature, comprehensive, well-elaborated evaluation standard which is based on the widest possible industry consensus.
Common.SECC is commensurate and not excessive. As well as looking at individual products, it ensures that vendors achieve a level of security in their systems that can support secure product development. One effect identified early on was that vendors were being asked to demonstrate processes similar to those demanded by ISO 9000 and ISO 27000 for quality assurance and IT security management.
Lower security only increases the banks’ costs through fraud and bad reputation. There is an argument that an emphasis on security in face-to-face payments is misplaced since fraud in that area is low. Common.SECC believes that if it is low, that is largely the result of schemes such as ours, and the origins of any particular fraud are not easy to establish.
Common.SECC is widely supported by the industry. Our website demonstrates a long list of certificates issued for a large variety of vendors and POI types.
Mission 2 – listen to and support the risk owners
Card issuers and acquirers take most of the risk of fraud in card payments, and also have a responsibility to protect cardholders and merchants. Those taking the risk should be able to control their risk, and with Common.SECC this can be achieved. The main risk owners are at the core of Common.SECC and provide the direction and strategy. Common.SECC listens to the risk owners and allows them to organise and implement their own suitable security assets and strategies. They are free to decide on any updates or amendments to the evaluation standard in each participating banking community. The underlying ISO 15408 methodology allows for a self-governed approval scheme for the UK and German markets with global interoperability. Common.SECC assures independence.
Mission 3 – provide a checkpoint for risk owners
Common.SECC provides a checkpoint at which risk owners can ensure that additional requirements are met, ahead of device deployment. One aspect of this is that vendors’ products can be checked for accessibility and usability as well as security, and any changes to support usability can also be assessed to ensure that security is not compromised. There can then be a dialogue involving representatives of those taking the risks. Accessibility is essential, but people with disabilities should not have to suffer weaker security. Without the scheme, this checkpoint and dialogue would be absent.
Mission 4 – meet new regulations
CC is a government-approved scheme, and Common.SECC ensures recognition by the regulators (EU, ECB and ECSG) as providing an adequate degree of security, operational reliability and business continuity according to the ECB’s Oversight Framework for Card Payment Schemes Standards, covering all related SEPA standards of the ECSG’s Volume Book of Requirements. Regulation is aimed at banks, not at card schemes, and Common.SECC’s bank-based approach suits the regulations better than a card-scheme-based approach.
New regulations include:
- PSD2: Article 95 requires banks to establish a framework to manage the operational and security risks relating to payment services
- EBA RTS on SCA: Article 3 requires banks to test and evaluate the implementation of their security measures for the authentication of payers
- GDPR: requires the safeguarding of personal data, including card numbers and PINs
Common.SECC is the best solution to comply with these by:
- using global standards – CC is a globally accepted evaluation methodology standardised at ISO level using SEPA security requirements
- ensuring a high level of security in card payment products, as the rigour of CC delivers a higher assurance than other schemes that the requirements are implemented
Mission 5 – provide transparency, independence, fairness and openness
Common.SECC’s processes are handled in a fair and transparent way, using laboratories that have been approved in a transparent manner by scheme-independent government agencies rather than through private methods.
Common.SECC is independent of card schemes, and can reflect the risk appetite and customer protection needs of the main risk owners rather than those of other stakeholders. While it is independent, the same laboratories perform both CC and PCI PTS assessments and some costs can be avoided where duplication of effort might otherwise exist.
Through Common.SECC, fairness is achieved by keeping the security bar at the same level irrespective of the terminal design, to ensure a level playing field. Common.SECC is designed for the state of the art as well as for new technologies and innovations.
Common.SECC is always open to cooperation with others. We have had close links with the global schemes and with PCI SSC, and would value further cooperation, leading for example to the recognition of Common.SECC certificates for the UK and German markets.