1. Introduction
In the innovative and open European card market, the girocard system is recognized by many new market participants as an interesting card payment system with potential. Market access is facilitated by SEPA, which opens up the possibility of expanding girocard in other European countries. The requirements for POS terminals are reduced by girocard's concept of simplified terminals, which also offers expanded market opportunities.
The German Banking Industry Committee (GBIC) has accompanied and supported the European standardization work essential to its payment system from the very beginning. Standards not only reduce costs and increase competition, but also support more efficient procedures for the certification and approval of products across national borders. Uniform technical interfaces ensure low development costs and shorter implementation times.
The new, standardized European certification procedures and the simplified and distributed terminal will simplify production, application and use on many levels. The effort and costs for retailers to operate terminals in the field will be reduced.
Last but not least, in addition to market-driven standardization initiatives and projects, the European Commission and the European Central Bank are also interested in harmonizing card-based payment services in Europe. In this context, the European Cards Stakeholders Group (ECSG), with representatives from various areas of the European card market, plays an important role.
The key standardization initiatives relevant to girocard for the German Banking Industry Committee are presented below.
2 European regulation and SEPA Cards Standardization Volume of the EPSG (SCS Volume)
The long-term goals for Europe were already formulated in the Lisbon Agenda in 2000: the single market is to be strengthened. This also includes payment services, with the card business as a sub-sector.
Nevertheless, payment systems operating in the European market also have an interest in efficient and innovative processes as well as in expanding their market share. As early as 2003, the German Banking Industry Committee founded the CAS initiative together with European and global payment systems. The "Common Approval Scheme (CAS)" defined basic general requirements for the security of POS terminals and cards and their assessment.
In the years that followed, the OSCar, OSeC and Berlin Group standardization initiatives were formed with the participation of the German banking industry; the first pilot projects were successfully launched. These initiatives have developed further and are now reflected in nexo, CFCF and Common.SECC with the involvement of GBIC.
The following framework conditions are important for all initiatives:
The SCS Volume of the European Payments Stakeholder Group (EPSG, formerly ECSG) describes generic requirements for POS terminals, smart cards, and certification, both in terms of functionality and security. The seven books of the SCS Volume are currently being developed and maintained by the EPSG, a working group of various market participants from the retail sector, manufacturing, processors, banks, and payment systems. This ensures the broad and politically desired involvement of affected and interested market participants.
Standardization activities in card payment transactions in Europe are extensive. Pilot projects show that it is possible to combine all requirements and translate them into uniform solutions. The European Interchange Fee Regulation (IFR), which came into effect on June 9, 2016, also calls for the use of international standards, but without specifying concrete requirements. Nevertheless, the aim is to achieve a uniform European internal market for payments quickly – through market-driven standardization efforts and further regulatory initiatives. The European Banking Authority (EBA) also specifies certain security requirements. In addition, the ECB's Euro Retail Payments Board (ERPB), created in 2013, is also working to promote standardization activities in cashless payment services.
Through its early involvement in European standardization, the German Banking Industry Committee has already laid the foundations for implementation in the coming years. Market-driven use is supported, which is why value is placed on the involvement of market participants. This approach is preferable to setting binding migration dates for European standards at short notice through government regulation, which could mean high investments with declining returns for all parties involved in the card business.
3. Certification and approval by the German Banking Industry Committee as the "governance authority" of the girocard system
Certification is the confirmation of compliance with certain implementation requirements. A certificate is usually issued to a manufacturer for a specific product to be certified.
In the standardization initiatives CFCF (Common Functional Certification Framework) and Common.SECC (Common Security Evaluation & Certification Consortium), a uniform European certification infrastructure is being established as part of the standardization process:
Common.SECC is based on the international certification standard Common Criteria (CC). The British UK Finance and the German Banking Industry Committee have established the certification of POS terminals for use in both markets based on this evaluation method.
CFCF is expanding the certification infrastructure for POS terminals already provided by OSCar in recent years in the functional area. The consortium, which currently includes the French Cartes Bancaires and the German Banking Industry Committee, defines the conditions for certifications that are recognized by participating payment systems as part of an approval. Approval is the release by a card payment system so that a certified product can be used on the market (type approval). In addition to the valid certificates, other objectively necessary, payment system-specific requirements are taken into account in the decision on approval. For example, type approvals for terminals in the girocard system are always granted on the basis of a valid certificate for compliance with functional and security-related requirements.
The approval procedure of the German Banking Industry is described in the document "GBIC Approval Scheme". Specifications, security requirements, options and other requirements are described in detailed approval requirements for each component. Questions regarding approval can be addressed directly to the German Banking Industry Approval Office at the VÖB, by e-mail to zulassungsbuero@voeb.de.
Questions about CFCF certification and the integration of European standards can also be sent directly by e-mail to the VÖB certification body at zulassungsbuero@voeb.de.
4 SEPA Card Clearing (SCC)
Back in 2004, European payment systems came together to form the so-called "Berlin Group" - named after the city where it was founded, Berlin. The aim of this market-driven standardization initiative, which today comprises 31 organizations from numerous European countries, is to develop implementation specifications for uniform, payment system-neutral clearing and authorization of card transactions.
The specifications are freely available and can be used by any payment system. In practice, they could be used today, for example, for cross-border POS and ATM transactions as part of bilateral agreements with the girocard system.
An important step for the girocard system was the migration to a standardized SEPA Card Clearing (SCC) specified by the Berlin Group at the end of 2015, as the German data carrier exchange (DTA) procedure for clearing card payment transactions in Germany, which was first introduced in 1976, was discontinued by the Deutsche Bundesbank at the beginning of 2016 as part of the changeover to standardized SEPA formats for credit transfers and direct debits.
The transition to SEPA Card Clearing had to be implemented by banks (ATM operators, card issuers), processors, and network providers. The main change that SCC brings compared to DTA is the implementation of IBAN/BIC in SEPA format and XML-structured processing of card transactions (card containers).
At the same time, this migration generates synergy effects for Automated Clearing Houses (ACHs), banks and creditors by using the existing SEPA infrastructure due to the technical proximity to other SEPA transactions according to ISO 20022 formats.
SCC is implemented for:
- girocard (POS and ATM), GeldKarte billing
- V PAY, Maestro, bilateral cooperation - so-called "last mile" for connecting the institutions to the card processors
5. Simplified terminal (chip-only)
The so-called "simplified" terminal, which can also be referred to as a "chip-only" terminal, is unique in Europe. What is behind it?
When the electronic cash system was launched in 1990, girocard (then still known as ec card) transactions were processed using the magnetic stripe; since 1998, they have also been processed using the chip card. Since the end of February 2013, girocard transactions have been processed exclusively using the EMV chip application. Hardware protection for magnetic stripe processing and PIN entry is no longer required, but chip processing security requirements remain. In a purely chip-based card payment system, security is based primarily on card ownership, and the chip technology for card payments introduced in 1998 has proven to be secure and reliable. The term "simplified terminal" is derived from this reduction in hardware requirements.
The chip-only terminal has potential for manufacturers, as girocard terminals now only have to meet "simplified" security requirements. Development, production, and certification costs are significantly reduced in some cases. Market entry for manufacturers is made easier, and acquisition and investment costs for merchants are also likely to fall as a result.
With "simplified" terminals, new terminal infrastructures can continue to be developed and operated, which in turn lead to lower administration costs. The operation of POS terminals via so-called "distributed" structures is becoming easier. For example, server solutions are increasingly becoming available - certain applications from the POS terminal can be transferred to other components (e.g. smartphones that act as a retailer's cash register).
New, innovative terminal concepts are necessary and strengthen the competitiveness of the girocard system in Germany and Europe. A more flexible and efficient operation of terminals facilitates terminal administration. It will be possible to connect merchant groups to the girocard system that could not previously be reached.
The security criteria of the German Banking Industry for chip-only terminals correspond to the requirements in the "Book of Requirements" of the European Payments Council (EPC), "Volume book 4".
6 Common Security Evaluation & Certification Consortium (Common.SECC)
Common.SECC operates the certification of POS terminals on the basis of the payment system-independent Common Criteria Methodology (CC/ISO 15408). The consortium was founded after the end of the OSeC initiative. The aim of UK Finance and the GBIC is to create a standardized security certification as a basis for granting approval on the basis of a POS terminal that has been evaluated and certified once.
The CC certificates issued in the OSeC pilot proved that the Common Criteria method, which originally comes from IT security, also works for POS terminals. Since then, the German Banking Industry Committee has also accepted CC certificates in its approval process. A migration in the approval process to the exclusive use of CC as an evaluation method for POS terminals took place at the beginning of 2017. By joining Common.SECC, mutual acceptance of the evaluation results was achieved. Common.SECC is therefore relevant for terminal manufacturers. The OSeC project was not only important due to the general switch to a standardized European evaluation method. The depth of evaluation of Common Criteria also meets the requirements of the German banking industry for the security of POS terminals used in the girocard system.
Links:
- Common Security Evaluation & Certification Consortium
- Senior Officials Group Information Systems Security
7. The European Card Payment Cooperation (ECPC)
The European Card Payment Cooperation (ECPC) was founded as a cooperative in Belgium. The ECPC's task is to establish and support the development of the CPACE specification for cards and terminals in the payment industry.
CPACE (Common Payment Application Contactless Extension) is an independent card and mobile payment application that can be used for transactions of all payment systems and is independent of contactless specifications of global payment systems.
The use of CPACE has significant potential as it builds on CPA (Common Payment Application), a widely used EMVCo standard for cards (already > 300 million cards issued) and due to the number of cards represented by the systems currently involved in CPACE development. CPACE can also be used to secure remote transactions in accordance with the regulatory requirements of the latest EU directives and the associated RTS (PSD2 Strong Customer Authentication). CPACE enables the use of the same payment application specification for different environments (contact cards, contactless cards, contactless terminal application, e-commerce transactions, etc.).
ECPC also enables the cross-payment system certification of CPACE card and terminal applications ("one-stop shopping").
8 Joint platform strategies of the German banking industry
8.1 SECCOS
With SECCOS, GBIC has developed a platform strategy that allows issuers of payment cards - but also issuers of other cards - to fulfill the requirements regardless of the payment system.
SECCOS meets the requirements of modern multi-application platforms and is an optimal basis in terms of functionality and security, especially for supporting payment applications.
The SECCOS strategy basically comprises two components:
- The SECCOS specifications define uniform technical requirements for a multi-application platform that makes it possible to support new applications by changing the personalization, i.e. without changing the smart card operating system. This includes all elements of smart card software that should be available for multiple applications, such as the commands supported by the smart card, the data structures and the overall security architecture required, which includes security functions and access conditions for smart card data. These specifications are freely available to all interested manufacturers. This creates competition between chip card manufacturers.
- The approval procedure, which guarantees uniform quality and security of the chip cards and their interoperability in the overall system on the basis of a comprehensive functional test procedure and a neutral security assessment.
SECCOS is therefore not a chip card operating system from a single manufacturer. Rather, SECCOS is the banking industry's "specification" for chip card operating systems used on banking payment cards, supplemented by a comprehensive approval process that ensures compliance with technical requirements. SECCOS is available to manufacturers free of license fees and enables card issuers to offer various applications on a card free of license fees.
The term "SECCOS" itself is derived from "Secure Chip Card Operating System" and has been used for this strategy since 1999.
Chip cards that have been proven to meet the functional and security requirements of the banking industry may be referred to as SECCOS chip cards. A special trademark was introduced for this purpose for the first time in 2005, which may only be used for products that have been approved by the German Banking Industry Committee. SECCOS thus also stands for "tested quality and security". With this approach, the banking industry ensures that competition between chip card manufacturers is conducted on the basis of uniform requirements and that a uniformly high level of quality is guaranteed for the chip cards to be issued by the credit institutions.
SECCOS is permanently maintained and further developed by GBIC. This ensures the comprehensive involvement of all relevant stakeholders in further development. The comprehensively coordinated migration cycles for the introduction of additions or changes to the standard ensure maximum investment security for manufacturers and card issuers.
SECCOS is geared towards the high security requirements for credit industry applications and also meets all the requirements placed on legally compliant signature cards. SECCOS benefits from the ongoing review of technical specifications within the banking industry against the background of current developments in the field of IT security.
8.2 DC POS
The German Banking Industry Committee and the acquirers operating in Germany agreed on a joint, cross-payment system approval procedure in the interest of an efficient and harmonized EMV POS-capable terminal infrastructure for the introduction of EMV in the German market in 2005. This covers the requirements of all card payment systems relevant to the German market, including their debit and credit products.
The prerequisite is a uniform specification for the payment transaction application that processes both debit and credit cards. This specification, known as "DC POS", is now successfully implemented and in use at almost all terminals on the German market.
The joint approval procedure based on this specification creates cost-benefit advantages for all parties involved: one specification, one implementation, one functional test lead to several type approvals for one and the same product.
The terminal specification jointly defined by GBIC and acquirers is an essential prerequisite for acceptance and implementation by international manufacturers for the girocard market.
9. nexo
nexo AISBL emerged from the European standardization initiatives EPAS, CIR and OSCar in 2014.
While EPAS defines and further develops the terminal management, acquirer and retailer protocols, CIR's goal between 2010 and 2014 was to develop a standardized payment transaction application for processing cards from multiple payment systems at the POS terminal and acquirer host and OSCar to provide a standardized European certification infrastructure.
Following initial pilots of OSCar terminals in France, Portugal and Germany, the initiative has joined forces with EPAS to achieve synergy effects and jointly promote terminal standardization in Europe. nexo provides the implementation specifications required by the market participants on the basis of the volume requirements and supports them during implementation.
There is great interest in the new standards, which bring together the card and terminal protocols. The necessity is obvious: whereas until now each card payment system or country has specified and operated its own proprietary POS applications, the effort involved in developing and implementing a European application will be significantly reduced. Further advantages are:
- Country-specific POS implementations can be eliminated in favor of country- and payment system-independent solutions.
- Changing acquirers/network operators becomes easier for merchants thanks to interoperable protocols and interfaces.
- Standardized, cross-border terminal and host solutions as well as new business models can be offered in an optimized manner.
- The cross-border connection of retailers is made easier.
- Development/implementation/certification efforts are reduced at all levels.
- Technical migrations and/or updates can be carried out more quickly in future.
Terminal manufacturers and network providers have their products certified by CFCF based on nexo standards and obtain approval in the girocard system from the German Banking Industry Committee recognition of CFCF certificates. Simplifications compared to the current approval process are guaranteed with the support of nexo standards. As an active member of nexo, the German Banking Industry Committee activities related to the specification of interfaces.
For the functional part of the POS terminals, nexo follows the specifications from the ECSG's "Volume"; CFCF also follows these specifications for the certification of terminals.
nexo also supports the use of girocard and the CPACE application for contactless card acceptance.
10 Common Functional Certification Framework (CFCF)
The French card organization Cartes Bancaires (CB) and the German Banking Industry Committee, representing the girocard system, agreed in spring 2015 to recognize the new card payment standard OSCar as well as the underlying EPAS and SEPA FAST specifications, now nexo standards. CFCF is effectively continuing the work begun under OSCar to establish a uniform certification infrastructure.
The consortium agreement therefore covers the infrastructure for the certification of these products, which includes the use of joint certification bodies as well as uniform validation requirements. The certification bodies are currently the French PayCert and the VÖB.
Uniform certification of the nexo products will also lead to a harmonization of the functional requirements for the approval of card payment terminals used by both systems and is an important step towards the integration of card payments in Europe:
- For device manufacturers, this means a single development process and "one-stop shopping" for certification. They are now in a position to address the French and German markets, which together account for more than 2 million terminals. This enables economies of scale on a pan-European level and a faster market launch for further innovative terminals.
- For acquirers, these common and less fragmented processes enable both economies of scale and the ability to focus on innovation and service levels for their retailers.
- Retailers and cardholders benefit from the ability to use the same card payment terminals in the same way in a larger market environment. Retailers that are active in both markets thus achieve economies of scale and can in turn implement innovations or new services more effectively.
- For all parties involved, the use of this common specification and certification infrastructure is a necessary step towards achieving a more closely integrated card payment market in Europe.
- With this initiative, CB and girocard, especially in France and Germany, are making a significant contribution to the SEPA for Cards project for all stakeholders in the European card payment market ecosystem, which is thus moving a step closer. CB and girocard expect other card schemes in the European Union to join this initiative in the near future.
11. Communication with market participants
Participation in the European standardization initiatives relevant to the girocard system is open to all market participants. Interested market participants should therefore contact the coordinators of these groups directly.
The German Banking Industry Committee offers workshops and round tables for the implementation of the new standards in the girocard system. If you are interested or have individual questions, please contact us using the contact form. The questions will then be forwarded to the relevant departments within the banking industry for answering and coordination.
Further regular working meetings and working groups exist between the German Banking Industry and the authorized girocard network operators.
For further questions about technical interfaces, protocols and implementation in the market, please also use our contact form.


