
EBS 105-1

EUROPEAN COMMITTEE
FOR
BANKING STANDARDS

Version 2

PIN-Based POS Systems


Part One
Minimum Criteria for
Certification Procedures

ECBS
Issued: December 1998

European Committee for Banking Standards. December 1998.


Avenue de Tervueren, 12, 1040, Brussels.
Not to be copied without attribution, and subject to the restriction
under the confidentiality clause below.
Comments or enquiries on the document may be addressed to the
Secretary General at the above address.

This European Banking Standard is Public, and may be copied or otherwise distributed
provided the text is not used directly as a source of profit.

ECBS - EBS 105 Version 2 PART 1 December 1998


PIN-Based POS Systems
Minimum Criteria for Certification Procedures

Table of Contents

FOREWORD
1. INTRODUCTION
2. SCOPE
3. DEFINITIONS
4. OVERVIEW
4.1 THE PARTICIPANTS AND THEIR TASKS
4.1.1 Administrator of the Card-Accepting Scheme (CAS)
4.1.2 Evaluation Agency
4.1.3 Auditor
4.1.4 Administrator of the Card-Issuing Scheme (CIS)
4.2 THE CERTIFICATION PROCEDURE
4.3 SYSTEM CERTIFICATE - MINIMUM REQUIREMENTS
4.4 ECBS EVALUATION REPORT - MINIMUM REQUIREMENTS
4.5 CHANGE PROCEDURES

______________________________________________________________________________________
ECBS - Avenue de Tervueren 12 - B-1040 Brussels - Tel: 32 2 733 35 33 - Fax: 32 2 736 49 88
e-mail: ecbs@club.innet.be


FOREWORD
The evaluation criteria and certification procedures set up by most European countries or by
individual card-accepting schemes differ considerably. Issuers wanting cross-border acceptance
must rely on compliance with security requirements where they exist. If the criteria and
procedures described in this standard are successfully introduced, both parties will be able
to trust each other and an acceptable level of system security will be attained.
The development and installation of systems conforming to part 3 "POS-Systems with Offline
PIN Verification - Minimum Security and Evaluation Criteria" does not imply implementation
of part 2 "POS-Systems with Online PIN Verification - Minimum Security and Evaluation
Criteria".


1. INTRODUCTION

This ECBS Standard, in three parts, specifies the minimum security requirements, evaluation
criteria and a certification procedure to enable any issuer to trust any acquirer accepting cards
with PIN in a POS environment. This applies to both magnetic stripe cards and IC cards. The
three parts are titled:
- PIN Based POS Systems, Part One, Minimum Evaluation and Certification Procedures,
- PIN Based POS Systems with Online PIN Verification, Part Two, Minimum Security And
  Evaluation Criteria,
- PIN Based POS Systems with Offline PIN Verification, Part Three, Minimum Security And
  Evaluation Criteria.
They encompass the security concept of the Card-Accepting Scheme (CAS) as well as the
physical and logical characteristics and the management of the secure cryptographic devices.
The proposed ECBS certification procedure in principle and as a minimum follows the semiformal approach of ISO 13491.

2. SCOPE

This first part of the standard specifies the ECBS minimum requirements for evaluation and
certification procedures. The underlying structure of the POS system model is shown below. It
illustrates the Card-Accepting Scheme (CAS) which is to be evaluated and certified and is
contained within the continuous line.

[Figure: POS system model. The Card-Accepting Scheme (CAS), enclosed within the continuous
line, comprises the CAD and the CAH with their SCDs; the Card-Issuing Scheme (CIS) with its
SCD lies outside it.]

Abbreviations used in the figure:
CAS   Card-accepting scheme
CAD   Card-accepting device
CAH   Card-accepting host
CIS   Card-issuing scheme
I     Issuer
SCD   Secure Cryptographic Device


3. DEFINITIONS

The following terms used in TR 105-1 are defined as follows:


CAD
the device used in conjunction with the card and the point of sale to perform a financial
transaction.

CAH
host processing system that forms the interface between the CAS and the CIS and to which the
CADs are connected. The CAH collects from the CADs the data relating to the card transaction
and passes that data on to the CIS. For the processing of security-related data an SCD is part
of the CAH processing system.

CAS
a set of technical concepts, rules, protocols, algorithms, functions, commercial agreements and
administrative procedures which form the basis for a card payment system. The CAS is controlled
by its responsible Administrator (CAS Administrator).

CIS
a set of technical concepts, rules, protocols, algorithms, functions, commercial agreements and
administrative procedures which form the basis for the issuance of a payment card. The CIS is
controlled by its respective Administrator (CIS Administrator).

Issuer
the financial institution which issues payment cards.

POS
"Point Of Sale", which means the provision of goods and services at attended and unattended
terminals, commonly known as Electronic Funds Transfer devices.

SCD
a secure cryptographic device (SCD) is a physically and logically protected hardware device
that provides a secure set of cryptographic services. In assessing the physical security of
any device, the operational environment is an important consideration.

Supplier
the vendor of a device that is to be certified.

4. OVERVIEW

The points covered in this overview are:

1. The Participants And Their Tasks
2. The Certification Procedure
3. The System Certificate - Minimum Requirements
4. The System Evaluation Report - Minimum Requirements
5. The Change Procedures


4.1 The Participants and Their Tasks

The participants defined herein shall be organised in a way to prevent self-certification.
Technical evaluation and assessment shall be performed by at least two separate parties.

4.1.1 Administrator of the Card-Accepting Scheme (CAS)
- Bank or bank-related party which assumes responsibility for the administrative procedures
  and for the technical assessment,
- certifying party that issues certificates,
- accredits evaluation agencies (no special procedures defined, no formal constraints),
- initiates the evaluation and certification process,
- responsible for outlining the kind of agreement between the evaluation agency and the
  supplier.

4.1.2 Evaluation Agency
- Security experts with special skills and tools,
- independent from the supplier. Performs an unbiased and business-independent security
  assessment of the CAS's devices or system,
- party which evaluates the system in accordance with the ECBS minimum security criteria.
  The evaluation is summarised in an evaluation report,
- is accredited by the Card-Accepting Scheme. The accrediting procedure is up to the CAS
  Administrator.

4.1.3 Auditor
- Assigned / appointed by the CAS Administrator (may be within the same organisation),
- performs an unbiased and business-independent security assessment of the CAS's devices or
  system,
- checks that the evaluation agency acts correctly on the basis of the ECBS minimum security
  criteria as defined in parts 2 and 3 of this standard,
- is independent from the supplier,
- receives the evaluation reports from the evaluation agency, directly or via the CAS
  Administrator,
- assesses the evaluation report and reports to the CAS Administrator.


4.1.4 Administrator of the Card-Issuing Scheme (CIS)
- Administrator of the cards which are to be used in the POS schemes of the CASs,
- acknowledges the minimum security criteria as defined in parts 2 and 3 of this standard and
  this ECBS certification procedure,
- acknowledges certificates based on this standard.

4.2 The Certification Procedure

The procedure proposed is described as follows (the different steps are numbered in
accordance with their envisaged order):

[Figure: flow of the certification procedure between the Evaluation Agency, the Administrator
of the Card-Accepting Scheme (CAS), the Auditor and the Administrator of the Card-Issuing
Scheme (CIS); the numbered steps below correspond to the numbered arrows in the figure.]

1. The Administrator of the Card-Accepting Scheme accredits evaluation agencies which shall
   work out evaluation reports on the basis of the minimum security criteria as defined in
   parts 2 and 3 of this standard. Business agreements between both parties are not within the
   scope of this standard.
2. The evaluation agency evaluates either the entire POS system or, in case of a component
   certification, a system component only, on the basis of the ECBS security criteria. The
   results according to the ECBS minimum security criteria are summed up in evaluation
   reports.
3. The evaluation report is submitted to the auditor, directly or via the Card-Accepting
   Scheme's Administrator.
4. The auditor assesses whether the evaluation was carried out according to this procedure and
   the ECBS minimum security criteria and formulates an approving or disapproving statement
   for the CAS Administrator. The auditor signs this statement.
5. The statement is submitted to the Administrator.
6. The Administrator receives the signed statement. In the case of a positive result, a
   certificate is given by the CAS Administrator.
7. The component certificate is submitted to the supplier, the certificate of the CAS system to
   the issuer. A copy is retained by the CAS Administrator.

8. The issuer acknowledges the CAS certificate.

Within this procedure all parties have to act without delay.

4.3 System Certificate - Minimum Requirements

The CAS system certificate submitted to the issuer shall contain:
- name of the respective Administrator or supplier; identification of the certification
  subject,
- description of the CAS (optional: a global conceptual and functional guide to provide a
  basic understanding can be annexed to the certificate),
- signature by the CAS Administrator,
- date and place of the signature,
- auditor's declaration: ECBS minimum security criteria fulfilled,
- name of the evaluation agency,
- statement: agreement of procedures,
- a "non-transferable" clause,
- first evaluation / re-evaluation (new version if an expiry date is used),
- liability clause: the issuer has the right to stop the agreement,
- expiry date of the certificate (optional).

The CAS system certificate shall be produced in duplicate, one copy for the CAS
Administrator and one for the issuer or the supplier.
Components can be certified by a CAS Administrator for acceptance in his CAS by the same
procedures. However, a component certificate is only valid when used in conjunction with the
system certificate and cannot be used on its own.


4.4 ECBS Evaluation Report - Minimum Requirements

The report shall include:
- the evaluation results, including a list of weak and strong points referenced to the
  minimum security criteria as defined in parts 2 and 3 of this standard,
- a list of the documentation used for the evaluation,
- the justification for the rejection of all failed tests,
- a final recommendation of the device's / system's acceptance or rejection,
- the name of the evaluation agency,
- the name of the auditor,
- the date of the evaluation,
- the name of the supplier, with the CAS Administrator as the responsible party,
- identification of the device(s).

The language in which the evaluation report is written shall be agreed upon between the CIS
and the CAS Administrators.

4.5 Change Procedures

Within the individual CAS system adequate procedures concerning changes of the components
and the system shall be followed (hardware and software).
Major security or conceptual changes require notification to the CIS Administrator. In the case
of re-evaluation of the system, the CIS Administrator shall be informed. The supplier shall
inform the CAS Administrator of any change in the security hardware, security software and
the security manufacturing process.
The CAS Administrator has the right to request re-evaluation.
The CAS Administrator shall be responsible for keeping the level of security in the CAS in
conformance with the other parts of this standard.
