Last update : 16/12/2013

Main Objective

The objective of the OSeC pilot will be achieved, if a vendor obtains terminal type approvals by several participating Approval Bodies based on evaluation and certification achieved within the pilot process. Key aspects, such as duration, costs, scope and ownership of the results and intellectual property rights, are included.

Conditions and rules of participation

The conditions and rules for participation in the pilot are outlined in the Evaluation and Certification Framework document, version 1.0, 21 January 2011 and its annexes 1 and 2 :
annex 1: Memorandum of Understanding (MoU); a document committing the OSeC Approval Bodies and,
annex 2: Application Form for Participation in the OSeC Pilot of CC POI Certification and Approval.
The framework document includes the steps to be considered for participation in chapter 2.1.1.
In January 2011, the Point of Interaction Protection Profile, POI PP, was certified by ANSSI.

Participants and organisations

The pilot started in October 2010. Pilot participants are currently:

Vendors: Ingenico / France, VeriFone / Spain, VeriFone / UK, SecureElectrans / UK
Security evaluators: Brightsight / Netherlands, SRC / Germany, T-Systems / Germany, UL/RFI / UK
Certification bodies: ANSSI / France, BSI / Germany, CESG / UK, NLNCSA / Netherlands,

Four evaluations have been performed and four certificates have been issued in 2013 and 2014.

Participation in the pilot, and benefits for stakeholders

Participation from a vendor’s point of view:
A vendor gets all the relevant information from the OSeC web site. This information will finally consist of all technical and procedural documents and details regarding the specification to be implemented; plus the process of how to achieve a certificate including the list of all accredited certification bodies/test labs.
The vendor selects a test lab and a Certification Body and gets into contact with both instances. The resulting certificates can be used to get an approval from all participating Approval Bodies.

Participation from a certification body/test lab´s point of view:
The European usage of the Common Criteria for POS terminal evaluation and certification is new for all participants including the laboratories and certification bodies, although it has been used for PIN entry devices in the UK for several years. To enter into the pilot process they need all the necessary information and motivation coming from the standardization processes of CAS, JIL, JTEMS or other initiatives, the payment schemes and the regulators. A close cooperation of the OSeC Steering Committee and the JIL Working Group has been established to assure the coverage of all interdependencies with the CC Certification Scheme.
The pilot is open for all laboratories, which obtain the new CC accreditation for POI, and for all volunteering CC Certification Bodies. Test laboratories benefit by getting experience of evaluating POI terminals under the new Protection Profile. For certification bodies the new OSeC process will be the first step of getting into future European standardized certification processes within SEPA.

Participation from a bank's and/or payment scheme's point of view:
The banks define the generic principles for security and certification at the EPC level. Due to the Eurosystem’s Oversight Framework, the Card Payment Schemes are responsible for providing an adequate certification infrastructure, through establishing and running the OSeC Steering Committee. Here Approval Bodies define and implement the operational rules and detailed requirements for certification bodies and test laboratories.
The organizational rules for the certification infrastructure are maintained by the OSeC. These rules and requirements are reviewed and updated periodically in a structured and transparent process, which is achieved by multiple consultancy processes with all involved stakeholders.

Participation from a retailer´s point of view:
The retailer decides – according to his business needs – which payment cards he wishes to accept. This business decision defines the approved POI terminal he is able to use. This includes the chance to provide for all contingencies asking for a terminal, that supports the current requirements of all relevant brands. The vendor sells the terminal supporting the business need of the retailer.