Card terminal security and accessibility

Keeping card payment terminals secure and accessible for all

It is important that card payment terminals installed in the UK are secure and can be trusted by merchants and consumers alike. It is also important that they are accessible to all customers.

For this reason, UK Finance ensures that card payment terminals (also known as Points of Interaction or POIs) to be installed in the UK are evaluated for security, checked for compliance with basic usability requirements, and where necessary subjected to usability testing.

Initially the testing was specific to the UK, and focused mainly on PIN entry devices. Laboratories evaluated devices using Common Criteria, a government-led security evaluation process. Approved devices from that time are shown below under “Archive of earlier approvals”.

More recently the UK has formed the Common.SECC consortium with the German Banking Industry Committee (GBIC) in order to upgrade its procedures and extend the scope to include the full card payment terminal and innovative device architectures. This still makes use of the Common Criteria. See https://common-secc.org for details of Common.SECC and Common Criteria.

There are now two separate stages of device acceptance. The first is certification, where Common.SECC certifies that the device is secure, having reviewed evaluation reports from a Common Criteria laboratory. Certificates are listed at https://common-secc.org/devices/. The second stage is national approval. UK approval includes a usability element, and this can involve usability tests by the RNIB.

Scheme requirements and guidelines, and a current list of UK-approved terminals, are given under “Scheme description and approvals list” below. Vendors of approved devices are listed under “Approved vendors” below.

For further information, please contact us at common-secc@ukfinance.org.uk.

Common.SECC consortium

More recently the UK has formed the Common.SECC consortium with the German Banking Industry Committee (GBIC) in order to upgrade its procedures and extend the scope to include the full card payment terminal and innovative device architectures. This still makes use of the Common Criteria.

Find out more Click through arrow