Point of Interaction "POI-PED-ONLY and Open Protocol Package"

POI / Hardware Boxes with Security Boxes

Certification Body

Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI)

Sponsor

Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI)

Point of Contact

certification.anssi@ssi.gouv.fr

Certification ID

ANSSI-CC-PP-2015/06

PP Version

Version 4.0

CC Version

3.1 Revision 4

CC Conformance Claim

CC part 2 extended
CC part 3 conformant
EAL_POI - PED-ONLY
Conformance claims to this protection profile require strict conformance

Certification status

Certified 31 March 2015

Language

English

Summary

The “Common Approval Scheme” (CAS) group is intended to harmonize security requirements for European payment systems within the scope of the “Single European Payment Area” (SEPA). For this purpose it has issued a Protection Profile for payment terminals (PP POI). This PP has then been maintained by a subgroup of the “Joint Interpretation Library” (JIL) called “Joint Terminal Evaluation Methodology Subgroup” (JTEMS).

The POI Protection Profile identifies six basic configurations, each one described in a specific certification report. In some cases optional modules may be added to those basic configurations, leading to a total of ten different possible configurations. Each of those ten configurations describes a different TOE that corresponds to a particular security need identified by the CAS group.

The six basic configurations are the following:

  • PED-ONLY
  • PED-ONLY and Open Protocol Package
  • POI-COMPREHENSIVE
  • POI-COMPREHENSIVE and Open Protocol Package
  • POI-CHIP-ONLY
  • POI-CHIP-ONLY and Open Protocol Package

The products in the scope of this Protection Profile are payment terminals with Integrated Circuit (IC) Card based online and offline transaction capabilities. Products range from a simple PED with PIN keypad, display, and IC and Magnetic Stripe Card Readers to complete terminals (POI) that manage transaction data and provide external communications capabilities. Functionalities other than payment that might be processed by the same device, e.g. fleet card processing, are out of scope of this PP.

Relation to other PPs

The Protection Profile is an update of the following Protection Profile:

  • v2.0 (ANSSI-CC-PP-2010/08 to ANSSI-CC-PP-2010/10)