Press Release - Payments industry agrees new SEPA Card Standards
January 09, 2020
The new release of the SEPA Cards Standardisation Volume integrates the latest regulatory and technological changes.
The European Cards Stakeholders Group (ECSG), the industry association overseeing cards standardisation in the Single Euro Payments Area (SEPA), has today published version 9.0 of the SEPA Cards Standardisation Volume (‘the Volume’). This initiative, actively supported by all of the key stakeholders in the card payment ecosystem, will help ensure the interoperability and security of cards in Europe. The Volume achieves this by defining a standard set of requirements to enable an interoperable and scalable card and terminal infrastructure across SEPA, based on open international card standards.
Version 9.0 of the Volume is released to the industry following a 3-month public consultation. In addition to the feedback received during the consultation, updates to the books were made to accommodate the following:
• Conformance to new European regulations: the General Data Protection Regulation (GDPR), the second Payment Services Directive (PSD2) and the European Banking Authority Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common Secure Communication (CSC);
• Integration of global standards for card payments including Host Card Emulation, remote payments using EMV 3DS and a reference to the industry standards body Fast IDentity Online (FIDO);
• Contactless card acceptance at Automated Teller Machines (ATMs);
• The production of a separate Tokenisation Annex.
The Volume version 9.0 takes effect immediately for a three-year period.
Note: Book 3 “Data Elements” is currently under maintenance to integrate the new ISO 20022 ATICA Version 2 standard. A separate release cycle was therefore decided for this Book which will lead to a separate publication in September 2020.
Public consultation - SEPA Cards Standardisation Volume v8.5 and Tokenisation Considerations for SEPA Card Payments
December 16, 2018
The European Cards Stakeholders Group (ECSG), the industry association in charge of cards standardisation in the Single Euro Payments Area (SEPA), is today releasing version 8.5 of the SEPA Cards Standardisation Volume (the Volume) for a three-month public consultation. The Volume is considered a key document for the cards industry, with a goal of achieving cards standardisation, interoperability, and security in Europe.
Following the same timing and methodology as the Volume version 8.5 consultation, Tokenisation Considerations for SEPA Card Payments is also being published for consultation on the ECSG website. This document details the requirements or recommendations for the adoption and implementation of tokenisation in the SEPA region and includes references to global standards where available.
To ensure that the proposed documents truly reflect market needs, all stakeholders are invited to supply feedback on both consultations by 29 March 2019.
The three-month public consultation for the Volume is part of a regular planned cycle which ensures that the Volume is kept up-to-date with developments in card technology and regulation. An important update to the Acquirer-to-Issuer Card Messages (ATICA) Standard is not available in this cycle, so Book 3, on Data Elements, will undergo a separate consultation in 2019. However, subject to the timely availability of the ATICA Standard, the final version of Book 3 will be delivered as part of version 9.0 at the same time as all other Books in the Volume with no impact on the final publication deadline in December 2019 or January 2020. For the first time, the Volume Books – with the exception of Book 3 – will be published in versions with tracked changes. However, comments are also expected on the ‘clean’ published versions.
The main scope of the update for the Volume Books addresses regulatory and innovative aspects as well as performance updates as part of the standard Volume cycle. Below is a list of the main amendments applied to the Volume Books:
• General updates relating to compliance with European Regulations and Directives (the revised Payment Services Directive (PSD2), the Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and secure open standards of communication (CSC) as well as the General Data Protection Regulation (GDPR)).
• Additions and clarifications to the functional requirements listed in Book 2 based on analysis of PSD2 and RTS SCA/CSC as well as the introduction of Consumer Device Cardholder Verification Method (CDCVM) and biometrics. New references to more recent and updated publications have been added for Mobile Contactless Card Applications and Mobile Devices. Information concerning language selection for contactless application selection has also been added, in addition to clarifications for initiating contactless transactions at automated teller machines (ATMs).
• New security updates to Book 4, including descriptive sections and new security requirements for compliance with PSD2 and the RTS SCA/CSC, and an updated overview with related requirements for mobile contactless payments, particularly for Host Card Emulation (HCE)-based payments.
• SEPA Cards Transaction flow now includes a section on “typical configurations for accepting card data”, migrated from Book 4.
As mentioned earlier, the ECSG has performed a separate initiative for documenting Tokenisation Considerations for SEPA Card Payments. This document should be considered separate to the Volume Books although it is subject to the same consultation period. It addresses the topic of tokenisation from angles deemed of interest to ECSG members:
• A holistic approach that covers different tokenisation models (issuer, acquirer, merchant).
• A view on both payment and non-payment tokens.
• Adoption of global standards and guidelines from EMVCo and PCI, among others.
• Remaining open to other existing payment token solutions such as ‘alternate PAN’ or ‘dynamic’ virtual numbers.
• Considerations about the Token Service Provider (resulting in the adoption of a Business Principle).
• Retailer needs following the introduction of tokenisation, and in particular, considerations around the EMVCo Payment Account Reference (PAR) data element.
• Clarifying the flexibility needed around PAR generation and:
  • exploring the links between co-badging and tokenisation,
  • European regulatory considerations, especially GDPR.
The European Cards Stakeholders Group (ECSG), the industry association in charge of cards standardisation in the Single Euro Payments Area (SEPA), today published version 8.0 of the SEPA Cards Standardisation Volume (‘the Volume’). This self-regulatory initiative will help ensure the interoperability and security of cards in Europe. Version 8.0 incorporates comments received during the public consultation, and takes effect immediately. In particular, it provides guidelines to facilitate the implementation of some aspects of the Interchange Fee Regulation (IFR).
Over one thousand comments were received from stakeholders of the complete card value chain during the public consultation for this release.
Version 8.0 of the Volume therefore includes:
• Final guidelines to ease compliance with some aspects of the IFR related to contactless payments and choice of application.
Since June 2016, the IFR has required that all cards must be electronically identifiable (including those used in contactless payments), enabling payers and payees to unequivocally identify which brands and categories of prepaid cards, debit cards, credit cards, or commercial cards are chosen by the payer. The resulting implementation can be managed in several ways, so the Volume includes a non-exhaustive set of concrete examples that show card acceptors how to achieve it. These examples provide helpful clarifications on some complex aspects of the IFR.
• Details regarding the use of a unique ID for the set of transactions used for pre-authorisation in the hospitality sector.
This ID will make it convenient for card issuers and acquirers to follow the transaction created when, for example, customers booking a hotel room are asked to pre-authorise a guaranteed amount with their card.
• A new annex providing a simplified overview of a card transaction.
The transaction flow of each card payment may differ for commercial or technical reasons (e.g. if the card terminal includes multi-function touchscreen capabilities or only a minimum display, or if the card is used to make an online payment or to pay in a physical store). The annex explains why these differences in the payment process can in turn create different experiences for the customer. This annex aims to enhance understanding in the market of a card transaction flow. It doesn’t contain requirements.
The Volume version 8.0 takes effect immediately for a three-year period. The ECSG delayed the publication by two months to ensure that the high volume of comments was given sufficient analysis.
Earlier this month, the European Cards Stakeholders Group (ECSG) welcomed the opportunity to respond to the European Banking Authority (EBA) consultation on the draft regulatory technical standards on strong customer authentication and common and secure communication under PSD2. This response represents the first harmonised multi-sector response to a public consultation from the ECSG since its formation earlier this year.
Directive (EU) 2015/2366 on payment services in the internal market (PSD2) entered into force in the European Union on 12 January 2016 and will apply as of 13 January 2018. The PSD2 has conferred 11 mandates on the EBA, one of which relates to the development, in close cooperation with the European Central Bank (ECB), of draft Regulatory Technical Standards (RTS) on strong customer authentication and secure and common communications (Article 98 of the PSD2). The requirements cover strengthened customer authentication, enhanced protection of users’ security credentials and common and secure open standards for communications between the various types of providers in the payments sector.
Whilst focusing on four of the main questions, the ECSG’s response emphasises that establishing a workable balance between the need for payment security and end user convenience is critical to ensure the establishment of an innovative and competitive digital single market in Europe. Such a balance should be based on the key principles defined in Article 98 of PSD2.