Industry Alignment for Payment Device Approvals

AusPayNet requires all payment devices and solutions used by its members to be approved by AusPayNet. A list of Approved Devices is published on its website.

AusPayNet recently examined its approach to payment device approvals and decided to introduce a new streamlined process for Payment Card Industry Security Standards Council (PCI-SSC) approved devices and solutions, effective 16 December 2021.

Alignment

AusPayNet has participated continuously in various standards bodies over the years including PCI-SSC and the International Organization for Standardization (ISO), resulting in closer alignment between industry standards and Australian requirements.

Given this alignment, industry consultation over the past 12 months has revealed broad consensus that AusPayNet would enable competition and innovation and promote efficiency, while managing risks within the payments acceptance ecosystem, by explicitly aligning its device approval process with these international standards.

A new approval process

Under the new Device Approval Process, AusPayNet will register (and approve) devices that meet Accepted Standards, without any additional requirements, replacing the current PCI-plus approval process.

What are the Accepted Standards for payments devices?

Under the new Device Approval Process, Accepted Standards are the standards published by PCI. The initial four PCI Standards and the devices defined within those PCI programs are:

1. PCI PIN Transaction Security (PTS) Point of Interaction (POI), Version 6+, which may be relevant to the following devices:
a. Encrypting PIN pad for ATM, Vending, AFD or Kiosk (EPP)
b. Secure (encrypting) card reader (SCR)
c. Secure (encrypting) card reader PIN (SCRP)
d. Non-PED POI device
e. Other secure components for a PIN entry device

2. PCI PIN Transaction Security (PTS) Hardware Security Module (HSM), Version 3+, which may be relevant to the following devices:
a. Hardware Security Modules (SCMs or HSMs)
b. Key-Loading Devices
c. Remote Administration

3. PCI Contactless Payments on COTS (CPoC)

4. PCI Software-Based PIN Entry on COTS (SPoC)

How will AusPayNet approve payments devices?

When a vendor, acquirer, or deployer is seeking approval for a device, they can submit an Application for Registration (downloaded from their website) to PAG@auspaynet.com.au together with the appropriate PCI Attestation of Compliance.

AusPayNet will review the Application for Registration and examine the Attestation of Compliance for validity. If the Attestation of Compliance is successfully validated, AusPayNet will send a Letter of Approval to the Device Approval Applicant, with the Approval Period linked to the Attestation of Compliance. The Approved Device will then be published on AusPayNet’s Approved Devices List.

What happens if a payments device does not meet an Accepted Standard?

If a device does not meet an Accepted Standard, AusPayNet will continue, for now, to assess the device through the Process for Considering Non-Standard Technologies (Device Approval Process, Schedule 1). Devices assessed through the Non-Standard Process require sponsorship by an Acquirer and submission of an Initial Assessment Checklist (Device Approval Process, Schedule 1, Part 3) to PAG@auspaynet.com.au. As this process may be complex, depending on the device, it is best to contact AusPayNet and the Acquirer to discuss your application.

Interested applicants are invited to contact AusPayNet at PAG@auspaynet.com.au to discuss what this new approval process means for their device.

Author: Arthur Van Der Merwe, Information Security & Compliance Manager, AusPayNet

***

The above excerpts have been published with permission from AusPayNet.
