BY LISA ZELLER AND JOACHIM HAMMER
The role and tasks of the German Banking Industry (Deutschen Kreditwirtschaft (DK))
The DK, as successor of the German Credit Committee, is a committee of all German banks for the preparation and monitoring of regulations regarding payments. This includes, among other things, the network operation for physical payments at the point of sale (POS). As the owner of this network operation, the DK is responsible for creating and monitoring the regulations. First and foremost, this concerns the Girocard, whose scheme is represented by the German banking world. For the acceptance of further payment cards at POS, especially credit cards, the regulations are created by the corresponding schemes and the DK takes them over into its network operation. The DK uses the appropriate technical, security and scientific competence for the preparation of the technical requirements, as well as for their control and monitoring.
The network operators are therefore obligated to purchase only certified terminals from the various manufacturers to integrate them in their network. The approval of the terminals is subject to the manufacturers, and the approval of the network operation is subject to the network operators.
The authorization procedure
The authorization as a Girocard payment transaction terminal is always transferred to the respective network operator as approval for the use of the terminal in a certified Girocard network operation.
Prerequisite for the authorization of terminals in the electronic cash network operations is the prior terminal type approval for the terminal manufacturer.
The authorizations are only granted by the authorization office of the DK (Federal Association of Public Banks in Germany, VÖB, Berlin). They are based on the valid specifications of the Technical Annex (TA) of the network operator contract with the DK.
The authorization procedure comprises the following sub-processes:
1. Registration of a specific hardware & software configuration for the approval of the terminal type by the terminal manufacturer
2. Application for the authorization of the terminal in the network operation
3. Assessment of the terminal and the existing security certificate by a DK test laboratory
4. Terminal function test at a test laboratory of the DK (test of the terminal interfaces regarding conformity with TA/DC-POS) by the terminal manufacturer with the support of the network operator
5. Integration function test at a test laboratory of the DK (test of the network operator-specific processes of the terminal) and preparation of an integration report by the network operator
6. Decision of the authorization by joint decision within the DK
7. Written notification of the terminal manufacturer about the terminal type approval
8. Written notification (registration certificate) from the network operator about the authorization of the terminal for the network operation by the DK approval office.
The duration of the approval and possible retests (and thus the amount of costs) depends largely on the expertise of the supporting network operator and usually ranges between 6 and 18 months.
The requirements and implementation of the PCI regulations
The abbreviation PCI stands for “Payment Card Industry” and describes the security requirements for processing credit cards at POS. The credit card number is the focus of their attention.
This means that the entire communication must be cryptographically secured, and the hardware used on the terminal side, the network components and the central HOST components must be secured against any kind of access. The surrounding buildings and the services used are also subject to these requirements.
Only an “end-to-end encryption (point to point encryption (P2PE))” in compliance with the service requirements allows to take the network and central HOST components out of focus.
There is a common approval procedure with a uniform specification for a payment transaction terminal that processes both Girocard and international debit and credit cards. This specification, known as “DC POS”, is now successfully implemented, and used at a large number of terminals in the German market.
The subareas “POS Terminal (EMV Debit/Credit)”, “Host System (EMV Debit/Credit)” and “Provider (EMV Debit/Credit)” require approval by the DK and an acquirer. This is issued as a type approval.
On the basis of the DC-POS specification and the joint approval procedure, an acquirer in the course of a so-called “delta” test checks only the proper functioning of the terminal in its system environment and other additional requirements specified by the international card organizations.
Offering Value-Added Services (VAS) without the need for a new license
Any changes that affect the payment application on the terminal will inevitably lead to a new approval process. To avoid this, additional terminal software can be used which does not interfere with the existing payment software. In this way, new services (e.g. loyalty programs, advertising, reporting) can be implemented quickly and easily on the terminal without a renewed approval process. Most providers (such as CCV or Clover) provide their own App Store for this purpose.
SHC is developing a cross-vendor and cross—operator solution for the easy integration of VAS, which will significantly reduce development and integration times for new services. Stay tuned for further information on this.