BULLETIN ON ELLIPTIC-CURVE CRYPTOGRAPHY (ECC) APPLIED TO CARD PAYMENTS

The ECSG started looking into ECC in 2021 but lacked documentation for standardisation. It was necessary to wait until 2024 to be able to publish the relevant updates through this bulletin before the publication of the next Volume version. 

In the meantime, the association has expanded its scope beyond cards becoming the European Payments Stakeholders Group (EPSG). This bulletin, although published by the EPSG, is related to Volume v10 as published by the ECSG, therefore its ambit is limited to card-based transactions.
It covers changes in Books 1, 2, and 4.

GENERAL PRINCIPLES AND DEFINITIONS

Book 1 includes the definitions of terms used in the SCS Volume which provides a common terminology in card payments and can be used as a reference by the card payment industry. It offers an introduction to the content and structure of the SCS Volume, addressing the information needs of both experts in the field and other parties interested in the subject. It reflects the document change history and the principles governing the maintenance process.

FUNCTIONAL REQUIREMENTS

Book 2 details requirements applicable to transactions initiated with a card, which result in the provision of the different services to the cardholder described in this book. Book 2 enables a card system specialist to identify the operational requirements in the domain that need to be addressed to facilitate harmonisation. To improve the interoperability of cards and terminals, the book also refers to and enhances EMV standards and shows how to use these in conformance with the various services requirements described.

DATA ELEMENTS

Book 3 supports the card message standards defined in ISO (International Organization for Standardization) (e.g. ISO 20022, ISO 8583). It allows card schemes, issuers and acquirers to easily identify enhancements and comparisons with earlier ISO releases. In addition, the data within Book 3 are available within a separate spreadsheet which can assist in the design of related system architecture for implementation. This promotes the harmonisation of existing protocols with both the SCS Volume and the ISO 20022 card message authorisation and clearing standards. Book 3 serves as a major enabling factor to achieve technical interoperability in the area of processing based on the most advanced global message standards available.

DATA ELEMENTS SPREADSHEET

The Book 3 Data Elements Spreadsheet sets out the data elements described in Book 3 of the SCS Volume. This separate spreadsheet can assist in the design of related system architecture for implementation and promotes the harmonisation of existing protocols with both the SCS Volume and the ISO 20022 card message authorisation and clearing standards

security

Book 4 defines requirements in order to achieve a ‘single common set of SEPA card and terminal security requirements’. In defining security requirements, Book 4 refers to PCI (Payment Card Industry) and Common. SECC international security standards. This ‘toolbox’ enables system developers and security professionals to easily identify and implement a single harmonised set of security requirements in a consistent way. SEPA card single security requirements are key to maintaining trust in card payments and to making security a pro-competitive factor to the benefit of all stakeholders in the card industry.

Conformance Verification Process

Book 5 defines the methods which allow to verify actual conformance with the SCS Volume requirements of a given implementation specification. Based on those requirements, an implementation specification can be developed, which allows a solution provider (e.g. a point of sale vendor) to develop products (e.g. a point of interaction terminal) against it. The conformance of a product towards an implementation specification is controlled by a certification process.

The Book defines in particular the SCS Volume Labelling process, which is optional, and verifies that an implementation specification and its provider is conformant to the requirements of the SCS Volume. Type approval is defined as a final validation, performed by an approval body, before the product or solution may be deployed and used. Roles to be considered in VOLUME conformant certification and approval processes are described in the Book.

Implementation Guidelines

Book 6 provides implementation guidance for situations where there may be several ways of implementing a given product or service, or where it is not appropriate for the Volume to set formal requirements.

Cards Processing Framework

Book 7 defines business principles and requirements for market access and participation in card payment processing services. The main objective of this framework is to facilitate an open and transparent market.

Tokenisation

The ECSG has carried out a specific analysis for documenting Tokenisation Considerations for SEPA Card Payments. This document is separate from the Volume books because it covers all aspects of tokenisation in a complete way, from angles deemed of interest to ECSG members.