EUROPEAN COMMITTEE FOR BANKING STANDARDS (ECBS)
Version 2
Issued: December 1998
Table of Contents
FOREWORD (p. 1)
1. INTRODUCTION (p. 2)
2. SCOPE (p. 2)
3. DEFINITIONS (p. 3)
4. OVERVIEW (p. 3)
4.1 THE PARTICIPANTS AND THEIR TASKS (p. 4)
4.1.1 Administrator of the Card-Accepting Scheme (CAS) (p. 4)
4.1.2 Evaluation Agency (p. 4)
4.1.3 Auditor (p. 4)
4.1.4 Administrator of the Card-Issuing Scheme (CIS) (p. 5)
4.2 THE CERTIFICATION PROCEDURE (p. 5)
4.3 SYSTEM CERTIFICATE - MINIMUM REQUIREMENTS (p. 6)
4.4 ECBS EVALUATION REPORT - MINIMUM REQUIREMENTS (p. 7)
4.5 CHANGE PROCEDURES (p. 7)
______________________________________________________________________________________
ECBS - Avenue de Tervueren 12 - B-1040 Brussels - Tel: 32 2 733 35 33 - Fax: 32 2 736 49 88
e-mail: ecbs@club.innet.be
FOREWORD
The evaluation criteria and certification procedures set up by most European countries or by the
individual card-accepting schemes differ considerably. Issuers wanting cross-border acceptance
must rely on compliance with security requirements where they exist. If the criteria and
procedures described in this standard are successfully introduced, then both parties will be able
to trust each other and an acceptable level of system security will be attained.
The development and installation of systems conforming to part 3, "POS-Systems with Offline
PIN Verification - Minimum Security and Evaluation Criteria", does not imply implementation
of part 2, "POS-Systems with Online PIN Verification - Minimum Security and Evaluation
Criteria".
1. INTRODUCTION
This ECBS Standard, in three parts, specifies the minimum security requirements, evaluation
criteria and a certification procedure to enable any issuer to trust any acquirer accepting cards
with PIN in a POS environment. This applies to both magnetic stripe cards and IC cards. The
three parts are titled:
- PIN Based POS Systems, Part One, Minimum Evaluation and Certification Procedures;
- PIN Based POS Systems with Online PIN Verification, Part Two, Minimum Security and
Evaluation Criteria;
- PIN Based POS Systems with Offline PIN Verification, Part Three, Minimum Security and
Evaluation Criteria.
They encompass the security concept of the Card-Accepting Scheme (CAS) as well as the
physical and logical characteristics and the management of the secure cryptographic devices.
The proposed ECBS certification procedure in principle, and as a minimum, follows the
semi-formal approach of ISO 13491.
2. SCOPE
This first part of the standard specifies the ECBS minimum requirements for evaluation and
certification procedures. The underlying structure of the POS system model is shown below. It
illustrates the Card-Accepting Scheme (CAS), which is to be evaluated and certified and is
contained within the continuous line.
[Figure: POS system model. The CAS (within the continuous line) comprises the CAD, the CAH
and its SCD; the CIS, with its own SCD, and the Issuer lie outside it.]
Abbreviations used in the figure:
CAS - Card-accepting scheme
CAD - Card-accepting device
CAH - Card-accepting host
CIS - Card-issuing scheme
I - Issuer
SCD - Secure Cryptographic Device
3. DEFINITIONS
CAD
The device used in conjunction with the card and the point of sale to
perform a financial transaction.
CAH
Host processing system that forms the interface between the CAS and
the CIS and to which the CADs are connected. The CAH collects from
the CADs the data relating to the card transaction and forwards that
data to the CIS. For the processing of security-related data an SCD is
part of the CAH processing system.
CAS
CIS
Issuer
POS
SCD
Supplier
4. OVERVIEW
4.1 The Participants and Their Tasks
4.2 The Certification Procedure
The procedure proposed is described as follows (the different steps are numbered in
accordance with their envisaged order):
[Figure: the certification procedure, showing the numbered steps exchanged between the
Evaluation Agency, the Administrator of the Card-accepting Scheme (CAS), the Administrator
of the Card-issuing Scheme (CIS) and the Auditor.]
4.3 System Certificate - Minimum Requirements
4.4 ECBS Evaluation Report - Minimum Requirements
4.5 Change Procedures
Within the individual CAS system, adequate procedures concerning changes to the components
and to the system (hardware and software) shall be followed.
Major security or conceptual changes require notification of the CIS Administrator. In the case
of re-evaluation of the system, the CIS Administrator shall be informed. The supplier shall
inform the CAS Administrator of any change in the security hardware, the security software or
the security manufacturing process.
The CAS Administrator has the right to request re-evaluation.
The CAS Administrator shall be responsible for keeping the level of security in the CAS in
conformance with the other parts of this standard.