CIR Technical Working Group

CAS Common Approval Scheme
Throughout many European countries, the banking industry has set security requirements for POS and PED devices and for smart cards in order to manage risks within payment systems effectively. The compliance of payment system components with these security requirements has to be proved by security evaluations, which serve as the basis for approval of a payment system component by the banking bodies responsible for risk management and integrity in a country's payment system.
With the advent of EMV and its use for cross-border as well as domestic transactions, the technical requirements for cards, POS terminals and PEDs in payment systems are becoming closely aligned throughout Europe, as all members seek the same ultimate goal. This opens up an opportunity not only to establish common technical standards for payment system components, but also to achieve common security requirements and, importantly, mutual recognition of security evaluations, thus reducing the number of security evaluations manufacturers must perform and reducing the cost of security certification.
At present, the security levels and requirements in the European countries differ, which is an obstacle to mutual recognition of security evaluations. In order to overcome this, the Common Approval Scheme (CAS) initiative was started to agree on Common Security Requirements for POS devices, PEDs and smart cards used within EMV-based payment applications (further payment system components could be added). These Common Requirements are described in this document.
The CAS approach takes into account that the international payment schemes and the various domestic systems have already mandated and implemented security requirements. The common requirements described in this document harmonize the existing requirements. Wherever possible, the PCI criteria are adopted to minimize new challenges.
As mentioned above, the target is to reuse evaluations and approvals. Thus the international standard "Common Criteria for Information Technology Security Evaluation" (CC), which is widely accepted in the field of ICC evaluations, must be taken into account.
The work is aligned with the efforts being undertaken in the ERIDANE project, which is running in parallel. ERIDANE defines the standard internal and external interfaces of a POI. This project inevitably defines security-relevant interface aspects and a POI security architecture.
ERIDANE