Industry Alignment for Payment Device Approvals

Payment Terminal Keypad

14 December 2021

By Arthur Van Der Merwe, Information Security & Compliance Manager, AusPayNet

AusPayNet requires all payment devices and solutions used by its members to be approved by AusPayNet. A list of Approved Devices is published on its website.

AusPayNet recently examined its approach to payment device approvals and decided to introduce a new streamlined process for Payment Card Industry Security Standards Council (PCI-SSC) approved devices and solutions, effective 16 December 2021.

Pre-16 December 2021

Under the current device approval process, all devices used in payments must be assessed by AusPayNet. The applicant must provide laboratory reports evaluating the device against existing international standards and Australian-specific requirements (the PCI-Plus requirements), and AusPayNet assesses those reports before the device is approved for use. Devices that do not comply with the standards are assessed by AusPayNet and evaluated by agreed laboratories under the Process for Considering Non-Standard Technologies (Device Approval Process, Schedule 1).

Alignment

AusPayNet has participated continuously in various standards bodies over the years including PCI-SSC and the International Organization for Standardization (ISO), resulting in closer alignment between industry standards and Australian requirements.

Industry consultation over the past 12 months has revealed broad consensus that, given this alignment, AusPayNet could enable competition and innovation and promote efficiency, while still managing risks within the payments acceptance ecosystem, by explicitly aligning its device approval process with these international standards.

A new approval process

Under the new Device Approval Process, AusPayNet will register (and approve) devices that meet the Accepted Standards, without any additional requirements, replacing the current PCI-Plus approval process.

What are the Accepted Standards for payments devices?

Under the new Device Approval Process, Accepted Standards are the standards published by PCI. The initial four PCI Standards and the devices defined within those PCI programs are:

  1. PCI PIN Transaction Security (PTS) Point of Interaction (POI), Version 6+, which may be relevant to the following devices:
    1. Encrypting PIN pad for ATM, Vending, AFD or Kiosk (EPP)
    2. Secure (encrypting) card reader (SCR)
    3. Secure (encrypting) card reader PIN (SCRP)
    4. Non-PED POI device
    5. Other secure components for a PIN entry device
  2. PCI PIN Transaction Security (PTS) Hardware Security Module (HSM), Version 3+, which may be relevant to the following devices:
    1. Hardware Security Modules (SCMs or HSMs)
    2. Key-Loading Devices
    3. Remote Administration
  3. PCI Contactless Payments on COTS (CPoC)
  4. PCI Software-Based PIN Entry on COTS (SPoC)

Alignment with these Accepted Standards means that AusPayNet will no longer assess payment applications. Additionally, AusPayNet will no longer assess and list complete ATM devices; it will only require PIN entry devices (EPP) to be evaluated to the Accepted Standard (PCI-PTS) before approval.

How will AusPayNet approve payments devices?

When a vendor, acquirer or deployer is seeking approval for a device, they can submit an Application for Registration (downloadable from our website) to PAG@auspaynet.com.au, together with the appropriate PCI Attestation of Compliance.

AusPayNet will review the Application for Registration and examine the Attestation of Compliance for validity. If the Attestation of Compliance is successfully validated, AusPayNet will send a Letter of Approval to the Device Approval Applicant, with the Approval Period linked to the Attestation of Compliance. The Approved Device will then be published on AusPayNet's Approved Devices List.

What happens if a payments device does not meet an Accepted Standard?

If a device does not meet an Accepted Standard, AusPayNet will continue, for now, to assess the device through the Process for Considering Non-Standard Technologies (Device Approval Process, Schedule 1). Devices assessed through the Non-Standard Process require sponsorship by an Acquirer and submission of an Initial Assessment Checklist (Device Approval Process, Schedule 1, Part 3) to PAG@auspaynet.com.au. As this process may be complex, depending on the device, it is best to contact AusPayNet and the Acquirer to discuss your application.

AusPayNet is also reviewing this Non-Standard Process. In March 2022, it expects to replace the Non-Standard Process with a structured risk assessment of devices that do not meet an Accepted Standard. This structured risk assessment process will still manage the risks within payments acceptance, but because it will be less complex than the current Non-Standard Process, it will better enable competition and innovation. AusPayNet will provide a further, more detailed update on the structured risk assessment process in the new year.

A streamlined and simplified process

The new Device Approval Process for PCI-SSC approved devices will streamline and simplify the approval process. The Device Approval Process, Application for Registration and Device Evaluation FAQ version 2.0 will be available on AusPayNet's website from 16 December 2021.

Interested applicants are invited to contact AusPayNet at PAG@auspaynet.com.au to discuss what this new approval process means for their devices.