Payment terminals and payment solutions are becoming more complex, containing more technologies and having more application interfaces than before. The development within payment solutions drives the need to comply with an increasing number of technical standards and requirements. In addition, repeated incidents involving cards and card data emphasize the importance of taking safety and risk seriously. It is also important to protect a payment scheme’s reputation and consumer privacy.
Bits is responsible for BankAxept security requirements. Often, our requirements match international requirements from organisations such as the Payment Card Industry Security Standards Council (PCI SSC), European Payments Council (EPC), PAN-Nordic Card Association (PNC), EMVCo and other relevant organisations. Bits is responsible for ensuring that the payment terminals offered for BankAxept payments in the Norwegian market comply with the requirements.
To handle the increasing workload, with its constant need to update competence and maintain good quality, Bits wishes to enter into agreements with companies that can verify BankAxept payment terminals against functional and security requirements by conducting tests of terminal software and safety approvals for terminals. Bits has defined two different roles that your company may take on and perform on behalf of Bits:
Role 1: Test Laboratory
The Test Laboratory requirements include expertise in certifying payment solutions, competence within payment terminals and payment cards. The Test Laboratory must be independent of terminal operators in the market. The Test Laboratory may already certify for other card schemes. The role includes the following tasks:
- Verify payment terminal compliance with BankAxept functional requirements through testing of terminals
- Verify that the terminal has the necessary external approvals in accordance with BankAxept security requirements
- Recommend approval of BankAxept payment application and payment terminals
Please contact Bits for a complementary requirement list.
Role 2: Third-Party Auditor
The Third-Party Auditor requirements include expertise in quality assurance and security evaluations of payment solutions and payment terminals, and preferably with certification as Quality Security Assessor from PCI. The Third-Party Auditor may already approve terminal security and certify for other certification bodies within the payment industry in the Nordic market. The role includes the following tasks:
- Evaluate and approve terminal data encryption and terminal data handling
- Evaluate and approve usage of algorithms
- Evaluate and approve PIN pad privacy shield
- Evaluate and approve software upload routines
Please contact Bits for a complementary requirement list.
The Third-Party Auditor can supplement with advisory services if it possesses the necessary expertise.
By filling out the application form, your business may apply to become a BankAxept Test Laboratory and/or a BankAxept Third-Party Auditor. Bits will publish lists of accredited Test Laboratories and Third-Party Auditors on its website.
Please submit a completed application form with attachments to terminalsert@bits.no. If you have questions related to this, Håkon Hertzberg can be contacted by phone +47 23 28 45 70 or e-mail hakon.hertzberg@bits.no.