GBIC Approval Scheme Version 1.11 11.10.2018 GBIC Approval Scheme Content 1 Management Summary ................................................................................................... 8 2 Introduction .................................................................................................................... 11 2.1 Scope ................................................................................................................... 11 2.2 Objectives ............................................................................................................ 11 2.3 GBIC as Approval Authority .................................................................................. 12 2.4 Starting Points ...................................................................................................... 13 2.4.1 Development of the GBIC Approval Scheme ............................................. 13 2.4.2 Extension to Other Payment Schemes and Approval Bodies .................... 14 2.4.3 Necessity of a Common and Uniform Approval Scheme for Payment Schemes .................................................................................... 14 3 Approval Policy .............................................................................................................. 16 3.1 Overall Objectives ................................................................................................ 16 3.1.1 Compliance with Legal Requirements ....................................................... 16 3.1.2 Interoperability .......................................................................................... 16 3.1.3 Security ..................................................................................................... 16 3.1.4 System Integrity ........................................................................................ 16 3.1.5 Transparency ............................................................................................ 17 3.1.6 Integration of International Standards ....................................................... 17 3.2 Specific Objectives ............................................................................................... 17 3.2.1 Easy Administration .................................................................................. 17 3.2.2 Flexibility and Modularity ........................................................................... 17 3.2.3 Creation of Synergy Effects ....................................................................... 18 4 Approval Scheme .......................................................................................................... 19 4.1 Approval Roles ..................................................................................................... 19 4.1.1 Payment Schemes and Licensees ............................................................ 19 4.1.2 GBIC Approval Infrastructure .................................................................... 20 4.1.2.1 Approval Council ......................................................................... 20 4.1.2.2 Security Committee ..................................................................... 20 4.1.2.3 Technical Committee ................................................................... 21 4.1.2.4 Approval Office ............................................................................ 21 4.1.2.5 Security Evaluator ....................................................................... 22 11.10.2018 Page 1 GBIC Approval Scheme 4.1.2.6 Testing Laboratory....................................................................... 22 4.1.3 Additional Roles ........................................................................................ 22 4.1.3.1 Approval Applicant....................................................................... 22 4.1.3.2 Approval Owner ........................................................................... 23 4.2 Approval Methodology .......................................................................................... 23 4.3 General Conditions ............................................................................................... 24 4.4 Processes within the GBIC Approval Scheme ...................................................... 25 4.4.1 Maintenance Process ................................................................................ 25 4.4.1.1 Purpose and Roles ...................................................................... 25 4.4.1.2 Process Initiation ......................................................................... 26 4.4.1.3 Sub Processes ............................................................................ 27 4.4.2 Approval Process ...................................................................................... 34 4.4.2.1 Purpose and Roles ...................................................................... 34 4.4.2.2 Process Initiation ......................................................................... 34 4.4.2.3 Sub Processes ............................................................................ 34 4.4.3 Administration Process ............................................................................. 53 4.4.3.1 Purpose and Roles ...................................................................... 53 4.4.3.2 General Conditions ...................................................................... 53 4.4.3.3 Sub Processes ............................................................................ 53 4.4.4 Extension of the Approval and Maintenance Process for EMV Debit/Credit ...................................................................................... 54 4.4.4.1 Mapping of Acquirers and GBIC to AC ........................................ 56 4.4.4.2 Mapping of Acquirers and GBIC to TC......................................... 57 4.4.4.3 Security Committee ..................................................................... 58 4.4.5 Refinement of the Maintenance and Approval Process for GBIC ICC Approval Objects ...................................................................... 59 4.4.5.1 Maintenance Process refined for GBIC ICC Approval Objects ......................................................................... 59 4.4.5.2 Consideration of Patches............................................................. 62 4.4.6 Refinement of the Hardware Security Evaluation for GBIC ICC Approval Objects ................................................................................ 63 4.4.6.1 Introduction ................................................................................. 63 Page 2 11.10.2018 GBIC Approval Scheme 4.4.6.2 Process for the Informal Evaluation of GBIC Smart Cards .......................................................................................... 64 4.4.6.3 Evaluation Process of GBIC Smart Cards based on a CC Certificate ........................................................................... 67 4.4.6.4 Re-Assessment of Hardware ....................................................... 70 4.4.6.5 Change and Extended Approval of the GBIC Smart Card ............................................................................................ 71 4.4.6.6 Tabular Overview Based on a CC Certificate............................... 73 4.4.6.7 Glossary – Hardware Security Evaluation for GBIC ICC Approval Objects .................................................................. 74 4.5 Approval Process Documentation ......................................................................... 75 4.5.1 Approval Information ................................................................................. 75 4.5.2 Registration ............................................................................................... 75 4.5.3 Information about the Eligibility for Approval ............................................. 76 4.5.4 Functional Test Report .............................................................................. 76 4.5.5 Security Evaluator Declaration .................................................................. 76 4.5.6 Security Evaluation Report ........................................................................ 76 4.5.7 Intermediate Reply for Approval ................................................................ 77 4.5.8 Contracts and other Documents ................................................................ 77 4.5.9 Approval Letter .......................................................................................... 77 4.5.10 Approval Lists ........................................................................................... 77 4.6 Objects of the GBIC Approval Scheme ................................................................. 77 4.6.1 Approval Object ........................................................................................ 77 4.6.2 Evaluation Object and Security Components ............................................ 78 4.6.3 Test Object ............................................................................................... 79 5 Basic Approval Requirements........................................................................................ 80 5.1 GeldKarte ............................................................................................................. 81 5.1.1 System Description ................................................................................... 81 5.1.2 Agreements/Contracts .............................................................................