Ministerio de Defensa Centro Criptológico Nacional Organismo de Certificación Presidencia Española Unión Europea

European Governmental IT security organisations extend Common Criteria security evaluations to payment terminals as a contribution to the Single Euro Payments Area

At the end of 2006, the European Parliament issued the Payment Services Directive to improve the efficiency of European payment instruments by removing national borders for credit transfers, direct debits and card payments, thus creating a Single Euro Payments Area (SEPA) by 2010.

As a contribution to this harmonisation, the European governmental IT security schemes, which have been using the Common Criteria methodology to certify the security of smart cards for the past decade, have decided to enhance their support to the European credit industry by extending the use of the Common Criteria to card-activated payment terminals.

The Common Criteria (CC) methodology is an international standard (ISO/IEC 15408) which brings objectivity, impartiality, repeatability and comparability to the evaluation of the security of IT products.

Since the worldwide inception of the CC ten years ago, several hundred IT products have been awarded a CC certificate following a successful evaluation.

The CC certification schemes operated by the national governmental bodies of France (DCSSI), Germany (BSI), the Netherlands (NLNCSA), Spain (CCN) and the United Kingdom (CESG) share their experience and jointly improve the application of the CC in the Joint Interpretation Working Group (JIWG).

The success of the CC in smart card evaluations owes much to the support of two JIWG subgroups created at the request of Eurosmart, an association representing the smart card industry. In these subgroups, manufacturers and evaluation laboratories propose specific tailoring of the CC methodology for smart card evaluations, for example a dedicated rating scale for attack potential; the resulting documents are compiled in the Joint Interpretation Library (JIL).

The JIWG has now founded a similar subgroup for terminals, the JIL Terminal Evaluation Methodology Subgroup (JTEMS). Membership is open to terminal manufacturers, to payment schemes and to evaluation laboratories accredited under the European governmental CC certification schemes that are experienced in the security evaluation of this type of product.

The Payment Services Directive focuses on the removal of legal and technical barriers and relies on self-regulation by the European credit industry. At present, each card payment scheme operating in Europe prescribes its own security requirements, so that the same terminal must undergo multiple evaluations. This places a burden on manufacturers that the European Commission and the European Central Bank want to eliminate with the implementation of SEPA before the end of 2010.

The decision of the European governmental certification schemes to support the use of the CC for payment terminals should help the European credit industry, which has been working towards the harmonisation of smart card and terminal security evaluations for the past three years.