CONSULTATION ANNOUNCEMENT
Consultation on electronic money systems security objectives
Please note that the deadline for submission of comments has been extended to 18 September 2002.
19 March 2002 E-money schemes are gradually gaining popularity as a means of payment in some countries of the euro area. The introduction of the euro and the switch from bank cards with magnetic stripes to smart cards could further stimulate the use of e-money and make it an attractive payment instrument for small amounts. Central banks have always had a strong interest in such developments on account of their overall responsibility for overseeing payment systems and promoting the smooth functioning of those systems. In August 1998, the Eurosystem, namely the European Central Bank (ECB) and the 12 national central banks of the euro area, defined a common policy line with regard to electronic money ( 1 ) and established a set of general requirements which electronic money schemes should fulfil. These requirements serve as a basis for the oversight of e-money schemes by all the national central banks (NCBs) of the euro area. One of the requirements stated explicitly in the Report on Electronic Money is that e-money schemes must maintain adequate technical, organisational and procedural safeguards to prevent, contain and detect threats to their security.
In the light of its interest in ensuring both the soundness and efficiency of payment systems, the Eurosystem has recently developed a list of more specific security objectives for e-money schemes. These security objectives should ensure the overall reliability and technical security of the schemes, and should increase public confidence in these systems. These objectives are also designed to level the regulatory playing-field for the different schemes. Furthermore, they have the potential to facilitate the interoperability of e-money schemes.
The draft security objectives, as established and explained in the draft report entitled "Electronic Money System Security Objectives"(EMSSO), are available for comment by all interested parties. Hard copy of the EMSSO report can be obtained from the ECB and the NCBs on request. Annex 1 of this press release contains a list of contact points that may also be approached for further information on the report.
The Eurosystem's Electronic Money System Security Objectives
The EMSSO report is based on the Common Criteria (CC) framework, an internationally agreed and standardised framework for the specification of security requirements. The EMSSO follows the structure of a Protection Profile, which is a component of the CC framework, and consists of six chapters, including a general description of an e-money system and its environment, a list of security objectives, the application notes with additional information and a rationale which shows that the security objectives cover the security needs of the e-money system.
The CC framework has been chosen by the Eurosystem because it has been developed internationally and constitutes a standardised framework, providing an adequate structure for specifying and evaluating the technical security features of e-money systems.
At this stage, the Eurosystem has deliberately focused on the security objectives only, being aware that a Protection Profile normally also includes security requirements and a pre-defined level (or "strength") of evaluation. The next step in the process will be to elaborate the security requirements for e-money schemes on the basis of the security objectives identified in this report. Further investigations should be undertaken in order to determine how this work may best be conducted, and by whom.
Practical information
Comments on the report should focus particularly on the model and the list of security objectives. Comments are particularly welcome on the issue of whether the model contained in the report would be adequate for evaluating all e-money schemes in operation. Moreover, views are invited on whether the list of security needs is complete and on whether these needs are adequately covered by the list of security objectives set out in the report. Finally, views on the development of security requirements are also welcome.
Comments should be submitted directly to one of the contact points listed in the annex by:
18 September 2002.
The "Report on electronic money" of 1998 is available at www.ecb.europa.eu/pub/.
Annex 1
List of contact points
European Central Bank
Payment Systems Policy Division
Kaiserstraße 29
60311 Frankfurt am Main
contact persons:
Mr. Francisco Tur Hartmann
tel: +49 69 13 44 74 69, fax: +49 69 13 44 74 09
e-mail: e-money@ecb.int
Mr. Benjamin Hanssens
tel: +49 69 13 44 63 11, fax: +49 69 13 44 74 09
Austria
Oesterreichische Nationalbank
Financial Markets Analysis and Surveillance Division
Otto-Wagner-Platz 3, POB 61
1011 Vienna
contact person: Mr. Martin Oppitz
tel: +43 1 40 42 03 12 1, fax: +43 14 04 20 31 99
e-mail: martin.oppitz@oenb.co.at
Belgium
National Bank of Belgium
Department International Cooperation & Financial Stability
Boulevard de Berlaimont 14
1000 Brussels
contact persons:
Mr. Benoît Bourtembourg
tel: +32 22 21 27 07, fax: +32 22 21 31 04
e-mail: benoit.bourtembourg@nbb.be
Mr. Philippe Jourquin
tel: +32 22 21 29 21, fax: +32 22 21 31 04
e-mail: philippe.jourquin@nbb.be
Finland
Bank of Finland
Financial Markets Department
00101 Helsinki
P.O. BOX 160
contact person: Ms Heli Paunonen
tel: +35 89 18 32 18 3, fax: +35 89 62 48 42
e-mail: paysys@bof.fi
France
Banque de France
Direction des Moyens de Paiement, 11-1072 DSP
31, Rue Croix des Petits Champs
75049 Paris Cedex 01
contact person: Mr. Carlos Martin
tel: +33 1 42 92 26 91, fax: +33 1 42 92 54 23
e-mail: carlos.martin@banque-france.fr
Germany
Deutsche Bundesbank
Wilhelm-Epstein-Straße 14
60431 Frankfurt am Main
contact person: Mr. Thomas Rühlemann
tel: +49 69 95 66 86 45, fax: +49 69 95 66 50 86 45
e-mail: technical-oversight@bundesbank.de
Greece
Bank of Greece
Monetary Policy and Banking Department/Payment Systems Oversight Bureau
21 E. Venizelos Avenue
10250 Athens
contact person: Ms Maria Stefanopoulou
tel: +30 10 32 03 22 0, fax: +30 10 32 44 64 2
e-mail: mstefanopoulou@bankofgreece.gr
Ireland
Central Bank of Ireland
Payments and Securities Settlement Department/Policy and Oversight Section
Dame Street, P.O. Box 559
Dublin 2
contact person: Mr. Peter Hopkins
tel: +35 31 67 14 28 2, fax: +35 31 67 74 34 1
e-mail: peter.hopkins@centralbank.ie
Italy
Payment Systems Oversight Office
Banca d'Italia
Via Nazionale nr.60/G
00184 Roma
contact persons:
Mr. Luigi Sciusco
tel: +39 06 47 92 58 48, fax: +39 06 47 92 50 43
e-mail: sciusco.luigi@insedia.interbusiness.it
Mr. Ravenio Parrini
tel: +39 06 47 92 50 32, fax: +39 06 47 92 50 43
e-mail: parrini.ravenio@insedia.interbusiness.it
Luxembourg
Banque centrale du Luxembourg
Boulevard Royal 2
2983 Luxembourg
contact person: Mr. Marc Ronkar
tel: +352 47 74 44 48, fax: +352 47 74 49 52
e-mail: paysys@bcl.lu
Portugal
Banco de Portugal
Departamento de Sistemas de Pagamentos
Av. Almirante Reis, 71-7
1150-012 Lisboa
contact person: Mr. Adelino Aguiar
tel: +35 12 13 12 82 89, fax: +35 12 13 12 81 05
e-mail: aaguiar@bportugal.pt
Spain
Banco de España
Oficina de Sistemas de Pago
Calle Alcalá 50
28014 Madrid
contact person: Mr. Sergio Gorjon
tel: +34 91 33 85 43 1, fax: +34 91 33 86 23 6
e-mail: paymentsystem@bde.es
Sweden
Sveriges Riksbank *
Avdelningen for finansiell stabilitet/Enheten for finansiell infrastruktur
Brunkebergstorg 11
10337 Stockholm
contact person: Mr. Dimitrios Ioannidis
tel: +46 8 78 70 47 4, fax: +46 8 21 05 31
e-mail: dimitrios.ioannidis@riksbank.se
The Netherlands
De Nederlandsche Bank
Payment Systems Policy Department
Westeinde 1
1017 ZN Amsterdam
contact person: Mr. Leon Strous
tel: +31 20 52 42 74 8, fax: +31 20 52 42 51 3
e-mail: l.a.m.strous@dnb.nl
* Sveriges Riksbank, although not part of the Eurosystem, is also involved in this project, and thus may also be contacted
Press and Information Division Kaiserstrasse 29, D-60311 Frankfurt am Main Tel.: +49 69 13 44 61 70, Fax: +49 69 13 44 Internet: http://www.ecb.europa.eu