The Green Sheet Online Edition
December 12, 2011 • Issue 11:12:01
SEPA moving forward incrementally
Europe is close to adopting a single security standard for payment devices, according to Peter Puttick, VeriFone Inc. Senior Security Manager. Puttick affirmed this at a Vendorcom meeting in London in November 2011.
His comments were good news for the many people working to create a Single European Payments Area (SEPA), a 10-year-old payments integration initiative of the European Payments Council, a group founded by the European Central Bank and the European Commission. In 2006, the European Parliament issued the Payment Service Directive - an attempt to negate national borders when it comes to credit transfers, direct debit and credit cards.
Vendorcom is a European membership organization for the payments industry. Puttick was asked to speak to the group's Terminals and UPT Special Interest Group because he works with a number of groups focusing on the technical challenges of forming a SEPA.
Puttick is also a member of the Secure POS Vendor Alliance, an association founded by equipment manufacturers VeriFone Inc., Hypercom Corp. and Ingenico to promote more effective payment security. The SPVA focuses on such issues as standardized implementation of existing security standards, security of the payment device lifecycle, and security threat analysis and intelligence.
An uphill climb
Given the level of technical difficulty, it is not surprising the road to SEPA has been rocky. Other challenges include multiple security requirements and multiple currencies in different regions, a cautious relationship with the PCI Security Standards Council (PCI SSC), and difficulty in conforming to the timetable mandated by the European Central Bank, Puttick noted.
"Right now there are different approval processes in every zone. This makes it difficult for deploying terminals across the area," Puttick said in an interview with The Green Sheet shortly after his Vendorcom appearance. "SPVA is in negotiations to harmonize the process across the region. This is an important issue to move away from multiple regions with different security requirements to an approval through one process."
The route to compliance
Puttick indicated the effort to establish a single security standard for POS devices is now in the approval stage, with multiple tests under way throughout the regions. Ingenico, for instance, recently launched in France and neighboring countries a card payment acceptance pilot that meets SEPA standards and is within the scope of the OSCar Consortium's technical specifications. In addition, SEPA-compliant pilots underway in Germany and the United Kingdom are designed to demonstrate that international retailers can accept all general purpose cards across the SEPA.
Puttick said each region will have an opportunity to study the test results. "Each region's representatives will view the lab reports to ensure there is sufficient basis to give approval for their region," he said. "We should know the outcome by the end of next year. This is a valuable evaluation methodology that gives the process credibility. In the end we will be able to say to vendors, 'This is the route to compliance.'"
In addition to local approval, the POS device security standard will also need PCI SSC approval in all regions. Puttick said the PCI SSC is interested in the SEPA POS security initiative and will assess the reports to evaluate for compliance and see if a way can be found to move forward from the results.
Puttick expects that, when the SEPA requirements for payment terminals are in place, the "scheme, style, look and feel of the transactions will be the same" no matter where the electronic payment is made in the SEPA. He added that there is "a lot of common ground among the requirements of each region, but there are still a lot of different and specific requirements for each region. The SPVA requirements are built to have all the requirements of each region covered."
A moving target
Puttick pointed out that security needs for POS terminals are changing as new technologies such as contactless and near field communication enter the marketplace. "We need to get on top of security to encompass contactless and other new technologies that are coming along," he said. "It is a high priority.
"If you're not involved, you wouldn't realize what progress is being made. There are a lot of people out there working really hard to make this happen. The harmonization of payments across Europe sends the message that Europe is moving to one region rather than a number of diverse economic regions. Everyone will have the same requirements and the same hardware. This is an ongoing battle where moves are made incrementally."