DOCSLIB.ORG

Point to Point Encryption and Terminal Requirements in Europe

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Point to Point Encryption and Terminal Requirements in Europe Point to Point Encryption and Terminal Requirements in Europe - Status Report - A Study for the European Association of Payment Service Providers for Merchants EPSM prepared by SRC Security Research & Consulting GmbH Graurheindorfer Str. 149 A 53117 Bonn, Germany Bonn, 16 May 2011 Terminal Requirements in Europe - Status Report Contents Management Summary ...................................................................................................................1 1 Background and Objectives......................................................................................................3 2 Basic Items of Interest ..............................................................................................................5 2.1 Scenarios of Merchant Solutions .....................................................................................5 2.2 The Challenge: Defining the PCI DSS Scope ................................................................13 2.3 The Challenge for Merchants ........................................................................................15 3 Requirements for POI.............................................................................................................16 3.1 Requirements of the Global Card Schemes...................................................................16 3.1.1 PCI DSS ............................................................................................................16 3.1.1.1 Overview ..............................................................................................16 3.1.1.2 Standard...............................................................................................17 3.1.1.3 Additional documents ...........................................................................20 3.1.2 PCI PA-DSS.......................................................................................................21 3.1.3 PCI PTS 3.0.......................................................................................................22 3.1.3.1 PED......................................................................................................22 3.1.3.2 SRED ...................................................................................................22 3.1.3.3 Open Protocols.....................................................................................23 3.2 Common Approval Scheme CAS / Open Standards for Security and Certification OSeC.........................................................................................................23 3.3 Zentraler Kreditausschuss ZKA / ZKA Approval Scheme...............................................25 3.3.1 girocard Requirements.......................................................................................25 3.3.2 ZKA Approval Scheme.......................................................................................25 4 Solutions ................................................................................................................................26 4.1 IFSF ..............................................................................................................................26 4.2 EPAS ............................................................................................................................27 4.3 Common Implementation Recommendations CIR/Open Standards for Cards OSCAR...............................................................................................................29 4.4 PNC ..............................................................................................................................31 4.5 Emerging Technologies@POS/Approaches ..................................................................31 4.5.1 Tokenisation.......................................................................................................32 4.5.2 Point-to-Point Encryption....................................................................................33 16 May 2011 page i Terminal Requirements in Europe - Status Report 4.5.2.1 Symmetric and asymmetric encryption...................................................34 4.5.2.2 Key Management: PCI PIN Security Requirements................................34 4.5.2.3 Secure Channel: VPN, TLS (Server authentication, C/S authentication)......................................................................................35 4.6 Industry Solutions..........................................................................................................36 4.6.1 Heartland Payment Systems E3Secure .............................................................36 4.6.2 Verifone VeriShield Protect ................................................................................36 4.6.3 ATOS Worldline .................................................................................................37 5 PCI DSS and EMV .................................................................................................................39 6 PCI DSS and Data Protection.................................................................................................40 6.1 Data Protection Act in EU..............................................................................................40 6.2 Example: Data Protection Act in DE National Requirements .........................................42 6.3 ISO 27001/2 and PCI DSS as Implementations.............................................................43 7 Open Issues ...........................................................................................................................44 8 About SRC .............................................................................................................................45 9 References.............................................................................................................................46 16 May 2011 page ii Terminal Requirements in Europe - Status Report Management Summary The European Association for Payment Service Providers for Merchants EPSM asked for an over- view on requirements to be supported by POS terminals in Europe with the expectation to be pro- vided with a clear guidance how to achieve the best solution. This request is well understood, be- cause the POS environment is one of the most challenging questions today. Especially the security programs of the global card schemes and their specification and certification organization PCI SSC lay down complex and difficult sets of requirements linked to huge investments of the acquiring markets. Due to these programs numerous new solutions emerge in the market promising to solve all challenges. The document at hand provides the overview EPSM has asked for covering the most important sets of requirements. More sets of requirements might have been included, but looking at the se- lection being covered the benefit of an extension would be only marginal. In addition this document describes and assesses the most relevant vendor solutions being currently offered in the market. Both parts result in a lively and coloured status report. EPSM’s expectation on a guidance or best practice solutions to meet the requirements best, how- ever, faces several challenges. The most important one is the lacking guidance on the interpreta- tion and application of the different PCI standards. PCI SSC confirmed during an interview per- formed for this study, that it hopes to publish their guidance document “Validation requirements for P2PE solutions” in Q2/2011. This document is expected to close the gaps identified by the docu- ment at hand. Therefore the current situation can be summarized as follows: • The requirements to be met are numerous, complex and difficult. • Some solutions, which are offered (and installed) today may be approached with respect since some features or requirements are critical or are not clear by now. These solutions are not as mature as they should be. • Other solutions, which are offered (and installed) today may pass the different certification processes, but result in vendor specific dependencies. • Investments being made today for solutions face a high degree of uncertainty and financial risks: Either they may not meet the requirements or may be too complex, i.e. too expensive. To overcome this situation the only way forward is to wait for the guidance document of PCI SSC. The paper is expected to enter the consultation phase with the global card schemes now before being published at the end of 2Q 2011. SRC was offered to be involved. Being provided with this guidance and improved certainty further steps should be envisaged. EPSM and its members are in an excellent position to develop an own implementation guideline or industry standard taking all requirements into consideration. An integrated and state-of-the-art- approach – which may include a few core solutions - will provide huge benefit to the payment ser- vice providers in Europe which are facing more and more requirements within the upcoming SEPA world on one hand and economic pressures on the other hand. Such an approach would also be able to reduce the complexity in many PCI DSS implementation projects not only at payment ser- vice providers but also their customers, the merchants. 16 May 2011 page 1 Terminal Requirements in Europe - Status Report For optimization purposes, EPSM should participate in the PCI SSC Special Interest Group dealing with P2PE to assure that the knowledge and experiences of the European payment service provid- ers will be taken into
Load more

Recommended publications
  • Economic and Welfare Impacts of EU-Africa Epas
    ATPC African Trade Policy Centre Work in Progress No. 10 Economic Commission for Africa Economic and Welfare Impacts of the EU-Africa Economic Partnership Agreements By Stephen Karingi, Rémi Lang, Nassim Oulmane, Romain Perez, Mustapha Sadni Jallab and Hakim Ben Hammouda ATPC ATPC is a project of the Economic Commission for Africa March 2005 with financial support of the Canada Fund for Africa Abstract Th is study examines the economic and social impacts of the trade liberalization aspects of the proposed Economic Partnership Agreements (EPAs) between the European Union (EU) and African countries. It provides a quantitative assessment of the likely implications of EPAs establishing Free Trade Areas (FTAs) between the EU and the various African Regional Economic Communities (RECs). Th e focus of the empirical analysis is on the trade liberalization component of the EPAs. In particular, the following questions are addressed. First, how will an EPA that includes reciprocal market access agreements between the EU and Africa impact on African countries’ GDPs, levels of employment and other macroeconomic aggregates? Second, what sectors in Africa are most likely to lose and what sectors gain with EPAs? Th ird, what are the welfare implications for African countries from the EPAs? Fourth, how will the formation of EPAs aff ect trade expansion through trade creation and trade diversion eff ects? Fifth, what are the potential fi scal implications of the EPAs? Th e main conclusions drawn from the results and the discussions are that full reciprocity will be very costly for Africa irrespective of how the issue is looked at. A focus on deepening integration with a view to enhancing intra-African trade would provide positive results.
    [Show full text]
  • Uk-Africa Trade After Brexit: Challenges and Opportunities a Briefing for the All-Party Parliamentary Group for Africa
    UK-AFRICA TRADE AFTER BREXIT: CHALLENGES AND OPPORTUNITIES A BRIEFING FOR THE ALL-PARTY PARLIAMENTARY GROUP FOR AFRICA NOVEMBER 2020 This is not an official publication of the House of Commons or the House of Lords. It has not been approved by either House or its committees. All-Party Parliamentary Groups are informal groups of Members of both Houses with a common interest in particular issues. The views expressed in this report are those of the group and its partners. FOREWORD As we come to the end of the UK’s transition some of these themes in consideration of both period with the EU, which expires on 31 December the immediate, and longer-term future, for trade 2020, there is an urgency to ensure that the UK’s between the UK and Africa. independent trade policy is not undermining Africa’s vision for development, achievement of The global landscape has of course changed the Sustainable Development Goals (SDGs) or UK quite dramatically since this event was held in aid spending. However, at present, against the Westminster in January of this year. The global advice of the African Union and in contradiction health pandemic resulting from the spread of the Memorandum of Understanding signed of Covid-19 has reminded everyone of how between the AU and the UK in February 2019, interconnected our world has become, and how the UK government is using the Brexit deadline vulnerable its economies are to such a disruption. to push through bilateral deals with some select While the extent of the economic fallout is still not African countries without proper parliamentary clear, the pandemic has brought into sharp focus scrutiny or civil society oversight.
    [Show full text]
  • Continuing the United Kingdom's Trade Relationship With
    Continuing the United Kingdom’s Trade Relationship with the Southern African Customs Union Member States and Mozambique Continuing the United Kingdom’s Trade Relationship with the Southern African Customs Union Member States and Mozambique Economic Partnership Agreement between the Southern African Customs Union Member States and Mozambique, of the one part and the United Kingdom of Great Britain and Northern Ireland, of the other part November 2019 Continuing the United Kingdom’s Trade Relationship with the Southern African Customs Union Member States and Mozambique Economic Partnership Agreement between the Southern African Customs Union Member States and Mozambique, of the one part and the United Kingdom of Great Britain and Northern Ireland, of the other part Presented to Parliament by the Secretary of State for International Trade by Command of Her Majesty November 2019 © Crown copyright 2019 This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned. This publication is available at www.gov.uk/official-documents Any enquiries regarding this publication should be sent to us at [email protected] ISBN 978-1-5286-1671-3 CCS1019362048 11/19 Printed on paper containing 75% recycled fibre content minimum Printed in the UK by the APS Group on behalf of the Controller
    [Show full text]
  • The Argumentative Dimension to the EU-Africa Epas Stephen R. Hurt
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by E-space: Manchester Metropolitan University's Research Repository The Argumentative Dimension to the EU-Africa EPAs Stephen R. Hurt, Donna Lee, and Ulrike Lorenz-Carl Abstract Not only is the participation of developing countries in international trade negotiations growing, so is their influence over the global trade agenda. This article highlights the increasing activism and impact of African states through a detailed study of the current Economic Partnership Agreement (EPAs) negotiations with the European Union (EU). In examining African resistance to EPAs, the article develops a constructivist approach to North-South trade negotiations that pays close attention to the role of development discourses. We argue that the growing willingness of African states to challenge the EU to deliver on its development promises during the decade-long EPA process was crucial to informing their sustained opposition to the EU‟s goal of completing a comprehensive set of sub-regional economic agreements. We document African resistance to EU trade diplomacy in the EPAs, exploring how these otherwise weak countries were able to pursue normative based negotiation strategies by recourse to the EU‟s promise of a „development partnership‟. Introduction During the last decade, African states have begun to develop a more active and confident approach to multilateral and regional economic negotiations in which they are involved. This is particularly clear in their attitude towards, and their preventative negotiating behaviour in, the Economic Partnership Agreement (EPAs) talks with the European Union (EU).1 While African negotiators still lack the highly resourced deliberative capacities of their European counterparts, they have successfully navigated the negotiations and enhanced their influence in EU-African regional economic governance processes.
    [Show full text]
  • Project Results Epas (Itea 05008)
    PROJECT RESULTS EPAS (ITEA 05008) •••••••••••••••• Card-based protocols Ensuring interoperability of electronics payments Partners Atos Worldline (Belgium and across Europe and globally Germany) BP ••••••••••••••••••••••••• CETREL Equens Galitt payments industry in Europe. A Groupement des Cartes crucial element is the harmonisation Bancaires (CB) of the billions of electronic retail Hypercom payments made with debit and Integri Ingenico credit cards. Lyra Network PAN Nordic Card Association Such harmonisation requires PayLife issuers, acquirers, card schemes Retail Services Company (RSC) and operators to adapt to the SEPA Royal Bank of Scotland (RBS) card framework. Key features are SERMEPA cardholders can pay with one card SIBS all over the euro area, and retailers Wincor Nixdorf International Simplifying card payments Europe wide will be able to accept all SEPA (photo: Joël Gavy) cards in a single terminal. As a Associate partners result, payment-card processors American Express Services EPAS set out to overcome will be able to compete and to Europe obstacles to the interoperability offer services throughout the euro Gemalto of electronic payments schemes area. This will make the market for Logic Group in the single European market. processing card payments more Mellon Technologies It developed and demonstrated reliable and cost efficient. Monext three major card-based protocols Point International built on open and interoperable To avoid unnecessary legislation, POS Partner standards to support the banks, retailers, vendors, services Quercia (Unicredit Group) Scheidt & Bachmann successful creation of the providers, card schemes and Servebase users teamed up in the Electronic Single Euro Payments Area VeriFone (SEPA). The same approach Protocol Application Software Visa Europe is now being made available (EPAS) initiative to deliver the worldwide through an ISO 20022 necessary standards to meet the standardisation process.
    [Show full text]
  • Continuing the United Kingdom's Trade Relationship with The
    Continuing the United Kingdom’s trade relationship with the CARIFORUM States Continuing the United Kingdom’s trade relationship with the CARIFORUM States Economic Partnership Agreement between the CARIFORUM States, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part May 2019 Continuing the United Kingdom’s trade relationship with the CARIFORUM States Presented to Parliament by the Secretary of State for International Trade by Command of Her Majesty May 2019 © Crown copyright 2019 This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government- licence/version/3 Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned. This publication is available at www.gov.uk/government/publications Any enquiries regarding this publication should be sent to us at [email protected] ISBN 978-1-5286-1286-9 CCS0519196036 05/19 Printed on paper containing 75% recycled fibre content minimum Printed in the UK by the APS Group on behalf of the Controller of Her Majesty’s Stationery Office Contents Introduction 6 Legal approach 7 Resources 7 Economic Background 8 Economic impact of the existing EPA 11 Potential loss to UK if the CARIFORUM-UK EPA is not ratified 12 Immediate impact if not ratified 12 Explanation of this Agreement, including Significant Differences between the CARIFORUM-UK EPA and the Existing EPA 16
    [Show full text]
  • STOP Epas Day Statement 27 September 2007
    STOP EPAs Day Statement 27 September 2007 The 27th September marks the fifth anniversary of the start of negotiations for Economic Partnership Agreements (EPAs) between the EU and the ACP (African, Caribbean & Pacific) countries. While presenting EPAs as “instruments for development”, the EU is pushing for agreements with far-reaching and comprehensive economic liberalisation terms. The EU proposals for EPAs would not only eliminate most tariffs on goods, but would also impose the inclusion of issues that go beyond WTO commitments. Such EPAs will open up ACP markets to devastating competition from EU exports. This will lead to increased social inequality and poverty through the destruction of local industries and small- scale agriculture, damaging employment and livelihoods. The terms set within the EPAs will sharply reduce the necessary democratic policy space for ACP countries to regulate and to design their own national and regional integration policies to meet their development goals and needs. In the face of the formal deadline of 31 December 2007, the EU is putting tremendous pressure on the ACP countries to sign EPAs by the end of the year, including threats to reduce development aid and increase tariffs on their exports into the EU market. We condemn the use of such bullying tactics against many of the world’s poorest countries. We strongly oppose the EU’s demand for reciprocal trade relations between countries of such unequal economic strength. We - social movements, farmer organisations, trade unions, faith organisations, and NGOs from Africa, the Caribbean and Pacific and the European Union - call on the EU to: • not impose trade liberalisation and other ‘trade-related’ terms upon the ACP countries • refrain from putting pressure on ACP countries to sign EPAs this year • offer non-reciprocal alternatives, like an improved GSP+, and to ensure that exports to the EU from ACP countries will not be interrupted We also urge ACP countries not to give in to EU pressures.
    [Show full text]
  • Belgium Aviation Safety Programme V2
    Belgium Aviation Safety Programme Produced by the Belgian Civil Aviation Authority in conjunction with the Federal Public Service of Mobility and Transport and the Belgian Air Accident Investigation Unit. Version: 2.0 Status: August 1st , 2017 Belgium Aviation Safety Programme 1 Foreword One of the duties of the Belgian State is to create an environment in which the aviation sector can perform its activities at the highest possible safety level. The Belgian Civil Aviation Authority (BCAA) is responsible, on behalf of the Belgian State, for developing and maintaining the Belgium Aviation Safety Programme (BASP) in accordance with the requirements of ICAO. The BASP applies to the BCAA, the Belgian Air Accident Investigation Unit (AAIU(Be)) and the Ministry of Defense. The BASP is a description of the various regulations and activities for maintaining and improving aviation safety and explains how Belgium operates in compliance with EU regulations and the safety management requirements set forth in the appendices to the Chicago Convention. The BASP describes how Belgium has ensured through legislative means that the service providers have the required safety management systems, that the BCAA monitors the functioning of these safety management systems and that the responsibilities of the individual service providers in Belgium are clearly defined. The BASP also serves as a tool for describing the complex network of regulations composed of the legislation of individual sectors of aviation as a single, clear entity with the objective of improving aviation safety. The BASP also addresses the dimension of safety assurance and mainly details how safety oversight is performed within the Belgian State.
    [Show full text]
  • Portugal's Post-Colonial Relations with Angola
    Journal of Contemporary European Research Volume 9, Issue 2 (2013) Between Europeanization and Domestic Influences: Portugal's Post-colonial Relations with Angola António Raimundo University of Minho Citation Raimundo, A. (2013). ‘Between Europeanization and Domestic Influences: Portugal's Post‐colonial Relations with Angola’, Journal of Contemporary European Research. 9 (2), pp. 242‐260. First published at: www.jcer.net Volume 9, Issue 2 (2013) jcer.net António Raimundo Abstract This paper builds on the Europeanization literature to explore the impact of EU membership on Portuguese foreign policy towards Angola. The analysis is centred on trade issues, focusing on Portugal’s accession negotiations and the reform of the Lomé Convention. Portugal is a small and open economy, with a colonial past in Angola. Trade is one of the most integrated policy areas of the EU, which has long and highly institutionalised relations with Africa. Preliminary results point to great evidence of Europeanization understood as national adaptation to the EU. However, the projection of Portuguese priorities onto the European level also received some support. History, cultural links and the presence of strong national interest groups appear to have limited the EU’s impact on Portuguese preferences. Such findings give support to studies stressing the need to adequately account for domestic conditions, even in highly integrated EU policy areas and for smaller member states. Keywords Foreign Policy Analysis; Europeanization; European integration; Foreign policy; trade; interest groups For many centuries Portugal’s foreign priorities were oriented towards the Atlantic and its overseas territories. That general orientation was also the one adopted under the authoritarian Estado Novo (1933-1974), which deliberately distanced Portugal from European issues and emphasised its Atlantic and African “vocation”.
    [Show full text]
  • European Plan for Aviation Safety (EPAS) 2019-2023 Including the Rulemaking and Safety Promotion Programmes
    European Plan for Aviation Safety (EPAS) 2019-2023 including the Rulemaking and Safety Promotion Programmes nd European Aviation Safety Agency, 22 November 2018 Page 1 of 170 European Plan for Aviation Safety (EPAS) 2019–2023 Table of contents Table of contents Volume I 1 Executive Summary ........................................................................................................................ 5 2 Introduction ................................................................................................................................... 7 2.1 The Global Aviation Safety Plan (GASP) ............................................................... 7 2.2 The ATM MP and the GANP ................................................................................. 7 2.3 How EPAS is developed ...................................................................................... 8 2.4 How EPAS is structured .................................................................................... 11 2.5 How EPAS is monitored .................................................................................... 15 3 Strategy ........................................................................................................................................ 16 3.1 Strategic priorities ........................................................................................... 17 3.2 Strategic enablers ........................................................................................... 34 3.3 Better regulation ............................................................................................
    [Show full text]
  • What Next for the Economic Partnership Agreements? Thoughts on Deepening the EU-Africa Trade Partnership
    A Service of Leibniz-Informationszentrum econstor Wirtschaft Leibniz Information Centre Make Your Publications Visible. zbw for Economics Brandi, Clara; Hulse, Merran; Keijzer, Niels Research Report What next for the Economic Partnership Agreements? Thoughts on deepening the EU-Africa trade partnership Briefing Paper, No. 9/2017 Provided in Cooperation with: German Development Institute / Deutsches Institut für Entwicklungspolitik (DIE), Bonn Suggested Citation: Brandi, Clara; Hulse, Merran; Keijzer, Niels (2017) : What next for the Economic Partnership Agreements? Thoughts on deepening the EU-Africa trade partnership, Briefing Paper, No. 9/2017, Deutsches Institut für Entwicklungspolitik (DIE), Bonn This Version is available at: http://hdl.handle.net/10419/199797 Standard-Nutzungsbedingungen: Terms of use: Die Dokumente auf EconStor dürfen zu eigenen wissenschaftlichen Documents in EconStor may be saved and copied for your Zwecken und zum Privatgebrauch gespeichert und kopiert werden. personal and scholarly purposes. Sie dürfen die Dokumente nicht für öffentliche oder kommerzielle You are not to copy documents for public or commercial Zwecke vervielfältigen, öffentlich ausstellen, öffentlich zugänglich purposes, to exhibit the documents publicly, to make them machen, vertreiben oder anderweitig nutzen. publicly available on the internet, or to distribute or otherwise use the documents in public. Sofern die Verfasser die Dokumente unter Open-Content-Lizenzen (insbesondere CC-Lizenzen) zur Verfügung gestellt haben sollten, If the documents
    [Show full text]
  • Entrustable Professional Activities in Primary Care Paediatrics
    Entrustable Professional Activities in Primary Care Paediatrics ECPCP ▪ Entrustable Professional Activities © ECPCP Curriculum Working Group 2020 ISBN: 978-84-121659-6-8 Legal deposit: M-31909-2020 Lúa Ediciones 3.0, S.L. www.luaediciones.com All rights reserved. 2 ECPCP ▪ Entrustable Professional Activities AUTHORS CURRICULUM WORKING GROUP Akos Kovacs, M.D. Beata Kartousova, M.D. Primary Care Paediatrician Primary Care Paediatrician Budapest. Hungary Bratislava. Slovakia Maria Aparicio Rodrigo, M.D., Ph.D. Manuel Katz M.D., M.P.H. Primary Care Paediatrician Primary care Pediatrics University teacher, Complutense University Past President Israel Paediatric Association and Ambulatory Madrid. Spain Pediatric Society Be‟er Sheva. Israel Shimon Barak, M.D. Primary Care Paediatrician, Maccabi Healthcare Services Innocenza Rafele, M.D. Senior Paeditrician, Dana-Dwek Children´s Hospital, TASMC Primary Care Paediatrician Tel Aviv. Israel Rome. Italy Patrizia Calamita, M.D.,Ph.D. Laura Reali, M.D. Primary Care Paediatrician Primary Care Paediatrician Rome. Italy Contractor professor, The Catholic University of the Sacred Heart Rome. Italy Katja Dejak Gornik, M.D. Primary Care Paediatrician Stephen Reingold, M.D. Ljubljana. Slovenia Medical Officer Maternal and Child Health, Preventive Health Services Folkert Fehr, M.D. Jerusalem. Israel Primary Care Paediatrician University teacher, Heidelberg University Werner Sauseng, M.D. Sinsheim. Germany Primary Care Paediatrician Kumberg. Austria Dr. Elke Jaeger-Roman, M.D. Primary Care Paediatrician Carmen Villaizán Pérez, M.D., Ph.D. Berlin. Germany Primary Care Paediatrician Chair of the ECPCP Curriculum Working Group Chief Editor Toledo. Spain 3 ECPCP ▪ Entrustable Professional Activities ACKNOWLEDGMENTS We wish to thank Professor Alfred Tenore for his invaluable feedback.
    [Show full text]