Conformance with the EPC/CSG "Volume"

The EPC and Cards Stakeholders published the SEPA Cards Standardisation Volume v7.0 (reference EPC020-08) on 12 December 2013. 

Acquiris issues a voluntary conformance statement for the C-TAP specifications to clarify that implementations align with the SEPA Cards Standardisation Volume v7.0. In addition, these specifications offer functionality that matches with market requirements that have not yet been formulated in the “Volume”.

A document illustrates the conformance of the C-TAP specifications for POI connecting to acquiring host systems and the Acquiris role as “Specification provider” and “Certification Provider” with this “Volume”. 

The headlines are captured below with a statement on the principal books 2 to 5.

Book 2 - Functional Requirements 

This book is an essential element of the specifications as it lists in sufficient detail which functions and features a specification should cover to conform to the “Volume’s” intentions. 

The C-TAP implementation specification conforms to Book 2. There are deviations on some detailed items where the Volume’s requirements do not match with the present market requirements as perceived by the Acquiris members. In one instance, a volume requirement will be implemented under the control of the Acquiris implementation specifications’ management. 

Book 3 - Data Elements and Book 3 - Data Element Spreadsheet 

Acquiris is of the opinion that the application design takes precedence over definition of data elements and messages. The usage of these Data Elements is therefore mainly dictated by this application and those card scheme requirements that lead to the detailed design for this application. Data elements are shared in many cases between the cards applications, the terminal application and the multiple host acquiring systems to which terminals connect. 

A common repository of data, such as delivered by Book 3, has its value as these data elements are also used by e.g. acquirers in their communication with issuers. 

The data elements defined under ISO20022 CAPE are represented using the “BER-TLV" data object syntax (see ISO/IEC 8825).

All data elements of Book 3 that are relevant to the implementation specification are also integrated in the C-TAP data dictionary. 

Book 4 - Security Requirements 

The security principles guiding the Acquiris certification procedure are in most cases these imposed by major schemes to acquiring members. As a result, Acquiris developed innovative solutions to implement these requirements. They vastly overlap with what is what is formulated in Book 4. Some elements are highlighted below.

The C-TAP specifications and security requirements conform to Book 4. Acquiris members presently impose these security requirements emanating from major schemes. There is presently no members’ mandate for EPC+, but it is expected that the EPC+ requirements will be integrated in the security requirements emanating from major schemes (PCI). 

Book 5 - Conformance Verification Procedures 

Acquiris combines the management of implementation specifications and the certification process for POI. The certification process covers both security (members impose PCI certification, EPC+ is a regional option in addition to the Acquiris requirements) and the functional certification. Implementation specifications cover the requirements of multiple technologies (contact, contactless, magnetic stripe) and multiple schemes. These C-TAP specifications could therefore be considered as scheme-independent. 

Some schemes take part in the governance model; others are represented by the acquirers that signed up with these schemes. 

Acquiris also manages the dissemination of operational data required to drive the multi-card schemes, multi-acquirer POI and provides a forum to actively monitor interoperability. 

In addition, the industry-scale Acquiris model is field proven since years as members now operate about 450.000 POI and merchants can potentially accept more than 30 card brands on these terminals with multiple acquirers. The merchants decide which brands they accept and which acquirers will process them by simple configuration. Their configuration can be configured and modified at their will without affecting the POI hardware of applications. 

The certification process described in Book 5 is more theoretical and will probably need more practical elaboration. It is different from the market practice of most schemes operating is SEPA. Vendors have no direct relations with most schemes and most schemes do no act as or operate through approval bodies. Acquiris presently operates under a delegation mandate providing the acquirers the assurance that terminals meet scheme requirements. Acquiris can also operate in a modus whereby vendors are granted a conformance statement that they can present to an approval body or scheme. 

The C-TAP specifications management and certification process conform to Book 5. Acquiris would welcome a formal labeling process.

The conformance statement summary is attached.
Ċ
Acquiris Secretariat,
6 Nov 2014, 00:28