Last update: 11/03/2015
The OSeC Steering Committee decided to close the OSeC project at the end of February 2015. The OSeC webpages are kept for archive purposes.
OSeC was created to coordinate an implementation of an Evaluation Certification Framework whose purpose is to help build a single scheme for security in payment terminals (Points of Interaction or 'POI') and cards, and multiple recognition of security certification by card schemes and banking organizations across Europe.
The OSeC Steering Committee is happy to announce that four
Common Criteria POI evaluations are finished and four CC certificates
iPP320-11T and iPP350-11T
HomePay 100 Series
Mx915 and Mx925
Following other standardization initiatives within the European
payment industry (e.g. Berlin Group, EPASorg, CIR and CAS), the OSeC project was set up in 2009
by European and global card payment schemes to reduce costs, including
market entry costs, and thereby increase competition.
In the “Evaluation and Certification Framework”, published in January 2011, the final objective of the OSeC project is stated as:
“ … to provide an evaluation and certification framework that will ensure that the security features of a POI needs be evaluated and certified only once in order to secure approval from any Approval Body that agrees to operate within the framework. This concept therefore aims at multiple acceptance of terminal security certifications performed by the Approval Bodies of the participating card schemes or banking organisations. No further centralized functionality is foreseen. …”
This is being achieved through a two-phased approach:
- Phase 1: conducts a pilot based on the Common Criteria (CC) methodology (ISO 15408) and infrastructure, to prove that the pilot objectives can be achieved,
- Phase 2: reviews and implements the lessons learnt during phase 1. It refines the overall certification framework process and its governance, and rolls out the process.
The OSeC initiative is undertaken in a SEPA context, under the umbrella of the generic principles defined by the European Payments Council (EPC), and in cooperation with the European Central Bank’s (ECB) Eurosystem.
The Evaluation and Certification Implementation Framework is based on:
• the SEPA Cards Framework, version 2.1,
• the current version of the EPC SEPA Cards Volume / Book of Requirements, and
• the Oversight Framework For Card Payment Schemes – Standards, January, 2008.
The work of OSeC was established by CAS. “CAS” stands for “Common Approval Scheme”. This Working Group is comprised of Approval Bodies of the European and Global Card Schemes and has acted since 2004 as an industry initiative to harmonize security requirements of smartcards and POI. The security requirements of smartcards were finalized in October, 2008, in a document called “Guidance how to write a Security Target for a smartcard embedded payment application”; the security requirements for POI were finalized in January, 2010, and are published in the EPC Volume/Book of Requirements. CAS established JTEMS in order to provide for a Common Criteria implementation specification of the POI security requirements and established the OSeC Steering Committee in order to provide for an adequate and efficient implementation of the JTEMS implementation specification.
Contribution to a permanent infrastructure:
The OSeC Steering Committee has committed to maintain and operate a permanent infrastructure for the evaluation and certification of the security of POS terminals and cards in Europe.