Keeping card payment terminals secure and accessible for all

It is important that card payment terminals installed in the UK are secure and can be trusted by merchants and consumers alike. It is also important that they are accessible to all customers.

For this reason, UK Finance ensures that card payment terminals (also known as Points of Interaction or POIs) to be installed in the UK are evaluated for security, checked for compliance with basic usability requirements, and where necessary subjected to usability testing.

Initially the testing was specific to the UK, and focused mainly on PIN entry devices. Laboratories evaluated devices using Common Criteria, a government-led security evaluation process. Approved devices were listed at http://www.theukcardsassociation.org.uk/Terminals/pin_entry_device_library.asp.

More recently the UK has formed the Common.SECC consortium with the German Banking Industry Committee (GBIC) in order to upgrade its procedures and extend the scope to include the full card payment terminal and innovative device architectures. The upgraded procedures still make use of Common Criteria. See https://common-secc.org for details of Common.SECC and Common Criteria.

There are now two separate stages of device acceptance. The first is certification, where Common.SECC certifies that the device is secure, having reviewed evaluation reports from a Common Criteria laboratory. Certificates are listed at https://common-secc.org/devices/. The second stage is national approval. UK approval includes a usability element, and this can involve usability tests by the RNIB.

Further details, and a current list of UK-approved terminals, are given here.

For further information, please contact us at common-secc@ukfinance.org.uk.