The European Cards Stakeholders Group (ECSG), the industry association in charge of cards standardisation in the Single Euro Payments Area (SEPA), is today releasing version 8.5 of the SEPA Cards Standardisation Volume (the Volume) for a three-month public consultation. The Volume is considered a key document for the cards industry, with a goal of achieving cards standardisation, interoperability, and security in Europe.
Following the same timing and methodology as the Volume version 8.5 consultation, Tokenisation Considerations for SEPA Card Payments is also being published for consultation on the ECSG website. This document details the requirements or recommendations for the adoption and implementation of tokenisation in the SEPA region and includes references to global standards where available.
To ensure that the proposed documents truly reflect market needs, all stakeholders are invited to supply feedback on both consultations by 29 March 2019.
The three-month public consultation for the Volume is part of a regular planned cycle which ensures that the Volume is kept up-to-date with developments in card technology and regulation. An important update to the Acquirer-to-Issuer Card Messages (ATICA) Standard is not available in this cycle, so Book 3, on Data Elements, will undergo a separate consultation in 2019. However, subject to the timely availability of the ATICA Standard, the final version of Book 3 will be delivered as part of version 9.0 at the same time as all other Books in the Volume with no impact on the final publication deadline in December 2019 or January 2020. For the first time, the Volume Books – with the exception of Book 3 – will be published in versions with tracked changes. However, comments are also expected on the ‘clean’ published versions.
The main scope of the update for the Volume Books addresses regulatory and innovative aspects as well as performance updates as part of the standard Volume cycle. Below is a list of the main amendments applied to the Volume Books:
General updates relating to Compliance with European Regulations and Directives (the revised Payment Services Directive (PSD2), the Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and secure open standards of communication (CSC) as well as the General Data Protection Regulation (GDPR)).
Additions and clarifications to the functional requirements listed in Book 2 based on analysis of PSD2 and RTS SCA/CSC as well as the introduction of Consumer Device Cardholder Verification Method (CDCVM) and biometrics. New references to more recent and updated publications have been added for Mobile Contactless Card Applications and Mobile Devices. Information concerning language selection for contactless application selection has also been added, in addition to clarifications for initiating contactless transactions at automated teller machines (ATMs).
New security updates to Book 4, including descriptive sections and new security requirements for compliance with PSD2 and the RTS SCA/CSC, and an updated overview with related requirements for mobile contactless payments, particularly for Host Card Emulation (HCE)-based payments.
SEPA Cards Transaction flow now includes a section on “typical configurations for accepting card data”, migrated from Book 4.
As mentioned earlier, the ECSG has performed a separate initiative for documenting Tokenisation Considerations for SEPA Card Payments. This document should be considered separate to the Volume Books although it is subject to the same consultation period. It addresses the topic of tokenisation from angles deemed of interest to ECSG members:
A holistic approach that covers different tokenisation models (issuer, acquirer, merchant).
A view on both payment and non-payment tokens.
Adoption of global standards and guidelines from EMVCo and PCI, among others.