Common.SECC: Security assessments for payment terminals simply explained

Whether in retail, at ticket machines or at e-charging stations – payment terminals have become an integral part of our everyday lives. To ensure that payments can be processed reliably and securely, these devices must meet high IT security requirements. An important component in this context is the security assessment according to Common.SECC.

But what is behind this term? And what does it mean for manufacturers, suppliers and product managers? In this article, we provide an overview of the process.

What is Common.SECC?


Common.SECC is a security standard for payment terminals based on the internationally recognized Common Criteria (CC) scheme. The Common Criteria are globally recognized requirements for the security assessment of IT products. Within this framework, Common.SECC specifically describes how the security tests for terminals in the area of card-based payment transactions should be carried out.

The main aim is to make trust in the security of payment terminals traceable and verifiable. Common.SECC was developed in the European environment – among others by girocard / Deutsche Kreditwirtschaft. The goal: standardized, comprehensible requirements that all market participants can use as a guide.

Why does a terminal need a Common.SECC assessment?

Anyone who wants to offer or operate payment terminals in Germany or other European markets can hardly avoid Common.SECC. Especially for the acceptance of girocard payments, an evaluation according to this standard is often a prerequisite. International payment systems also rely on similar requirements.

But it’s not just about regulatory requirements: A security assessment creates trust among banks, merchants and end customers. It ensures that sensitive data such as PINs or cryptographic keys are effectively protected – and that attackers find it as difficult as possible to access this data or manipulate the system.

For manufacturers and suppliers, the assessment is therefore not just a compliance obligation, but also a proof of quality and a competitive advantage.

What is checked during a Common.SECC examination?

The evaluation focuses on the security-relevant properties of the terminal. This includes questions such as:

  • How well does the device protect against physical attacks and manipulation?

  • Are the cryptographic procedures implemented correctly?

  • Is communication with other systems (e.g. backend servers) sufficiently secure?

  • How is sensitive data stored, processed and deleted?

The checks are based on so-called protection profiles – i.e. defined requirement profiles for different terminal types. These profiles determine which security mechanisms are required and which threat scenarios need to be considered.

How does an evaluation according to Common.SECC work?

A Common.SECC project usually begins with joint coordination between the provider and the test laboratory. This determines which protection profile is relevant and which documents and technical verifications are required.

In the next step, the test laboratory analyzes the terminal – often at different levels:

  • Document review (design, security concepts)

  • Source code analysis of certain components

  • Technical tests, e.g. for tamper protection or cryptographic implementation

  • Penetration tests to cover typical attack scenarios

At the end, there is a test report that summarizes the results in a comprehensible manner. Depending on the results, this test report can then serve as the basis for acceptance by payment service providers or card organizations.

Conclusion: Security that creates trust

Common.SECC is a central building block for security and trust in card-based payment transactions. The assessment shows that a terminal meets the requirements for tamper protection, data protection and secure communication – and helps providers to position themselves in the market.

If you have any questions about the process, the requirements or the feasibility of an assessment, the SRC team will be happy to assist you.

Press contact:
Patrick Schulze
WORDFINDER GmbH & CO. KG Lornsenstraße 128-130 22869 Schenefeld