FAQs

For your convenience, a list of Frequently Asked Questions has been developed to answer any questions you may have concerning SPVA.

Q: What is the SPVA?

A: The SPVA is a non-profit organization that works with the multiple stakeholders of the payment value chain. Its aim is to develop an end-to-end security framework and to enhance security elements of payment solutions which protect cardholder information and defend merchants and acquirers against security breaches, while reducing fraud and lowering risk for all electronic payment stakeholders.

Q: Why was SPVA formed?

A: The world of electronic commerce has changed: overall complexity has increased and payments have gone global, bringing a new set of security and regulatory challenges and making it more demanding for merchants and acquirers to implement and manage secure and cost-effective payment solutions.

The multiplicity of rules requires all stakeholders to share a common understanding of the whole value chain, so that security challenges are well understood and anticipated, and the solutions provided are compliant with security requirements and resilient against future risks.

The purpose of the SPVA is to ensure that every stakeholder plays its role and that the overall payment environment is secure.

Q: What is the mission of the SPVA?

A:
  • To develop a common understanding of the various security requirements and standards
  • To increase awareness of security issues
  • To provide payment solution implementation guidelines that ensure secure, durable and interoperable solutions against the risks of evolving fraudulent attacks
  • To encourage adoption of best practices and security enhancements.

Q: What value will the SPVA bring to the market?

A: The SPVA members provide the key security elements between consumers, merchants, transaction acquirers and issuers. Members of the SPVA bring unique experience with security guidelines, ensure best practice implementation and continue to evolve the security enhancements and interoperability required to reduce fraud and lower risk for all participants in card payment transactions.

The SPVA members deliver more value to their customers by enhancing security solutions that protect cardholder information and defend merchants and acquirers against security breaches.

Through education of third parties engaged in the payment system, the SPVA will increase awareness of security issues, encourage adoption of best practices and eliminate inconsistencies between standards governing disparate components and participants in the payment environment.

Q: Why did the founding members decide to cooperate in this area?

A: Representing extensive expertise in the payment systems arena, the founding members believe that this type of cooperation will accelerate widespread adoption of the enhanced security guidelines that are necessary to protect cardholder information and defend merchants and acquirers against security breaches, while reducing fraud and lowering risk for all electronic payment stakeholders. All three recognize that stakeholder confidence in standards and rules is a vital issue in the continued growth of the electronic payments industry.

Q: Is the SPVA open to other secure point of sale payment vendors?

A: Yes. The SPVA is open to all vendors that develop secure POS payment systems. These vendors can become “General Members” and are eligible to be elected to serve on the Management Committee. They may vote to elect the Management Committee representative from the General Membership, and may participate in, contribute to and chair a Technical Working Group.

Q: Is the SPVA open to other players in the payment industry?

A: Yes. The SPVA is open to any organization that is not a secure POS payment developer but has products or solutions that interact with secure POS payment devices: retailers, acquirers, software vendors, banks. These companies can become “Associate Members” and are eligible to be elected to serve on the Management Committee. They may vote to elect the Management Committee representative from the Associate Membership, and may participate in and contribute to Technical Working Groups.

Q: What are Technical Working Groups?

A: Technical Working Groups are appointed by the Management Committee to research security topics and develop guidelines to be implemented by the alliance.

Q: What issues will the Technical Working Groups address?

A: Critical issues have been identified as a first step; each of them could be covered by a Technical Working Group, such as:
  • Standardized Implementation of existing Security Standards
  • Security of Payment Device Lifecycle
  • Security Threat Analysis and Intelligence
  • End-to-End Security of Transactions

Q: What benefits should merchants expect from the SPVA’s efforts?

A: Merchants that choose solutions compliant with the SPVA guidelines will be assured that they are providing consumers with the highest level of security currently possible and protection against future threats. They will be able to comply more easily with current industry security mandates, such as PCI, and with individual card brand rules. This will reduce their risk and protect their investments against future changes to security requirements.

Q: What benefits should the acquirers expect from the SPVA’s efforts?

A: Acquirers that choose to deploy solutions compliant with the SPVA guidelines will significantly lower their risk of security compromise. Because such solutions will require secure POS vendors to provide more proactive and comprehensive security mechanisms and tools, acquirers will be able to respond more quickly to current and future security threats as they develop.

Q: How is the SPVA organized? How is it governed?

A: The SPVA is governed by a Management Committee consisting of five Directors: one from each of the three founding members (Ingenico, Hypercom and VeriFone) and two elected Directors, one each from the ranks of the “General Members” and “Associate Members”. The two elected Directors are chosen by their respective membership group and serve a two-year term.

The representatives of the members serving on the Management Committee’s Board are: 
  • TK Cheung, Chairman (Hypercom)
  • Paul Rasori, Vice Chair & CTO (VeriFone)
  • Christophe Dolique, Secretary/Treasurer (Ingenico)
  • Robert Carr, Associate Member Director (Heartland)

Q: What is the benefit of being a General Member?

A: Through their participation and leadership on Technical Working Groups, General Members can help shape future security guidelines and acquire first-hand knowledge of current security threats as discussed in working group meetings.

Q: What is the benefit of being an Associate Member?

A: Through their participation on Technical Working Groups, Associate Members can help shape future security guidelines and get first-hand knowledge of current security threats as discussed in working group meetings.

Q: How does the SPVA relate to the work of other organizations such as the PCI Security Standards Council, EMVco or card brand rules?

A: A major objective of the SPVA is to foster widespread compliance to existing security standards. The SPVA members already work closely with these standard bodies and expect to offer a more unified voice to these organizations going forward.

Q: Will the SPVA guidelines conflict with or override PCI SSC standards?

A: No. The intent of the SPVA is to ensure that PCI compliance is a baseline requirement of “solutions that comply with SPVA guidelines”. The goal is to ensure that there is no confusion regarding implementation of PCI standards in payment appliances, and to ensure that from a payment appliance perspective we are moving beyond minimal compliance to a focus on the best security available.

Q: What sort of issues or gaps are you trying to address?

A: Each of the major card brands affiliated with PCI sets its own interpretation of the PCI standards, resulting in differences in deadlines, effective dates, waivers and scope of compliance. Merchants, banks and acquirers are frequently confused by how these rules have been individually interpreted and how to rationalize the overlaps and gaps among those interpretations. There is currently no entity that provides a consolidated view of these unique implementations of the standards and, as a result, individual secure POS payment device providers are asked by customers to provide their own interpretations. The SPVA wants to avoid the confusion that this situation creates.

Additionally, there are different sets of standards for different areas, such as networks, data storage, hardware requirements and software requirements. For the most part these are complementary but may not mesh perfectly; for example, PA-DSS does not encompass operating system security, the PCI hardware standards only address PIN entry, and the network standards disregard dial-up lines. The goal of the SPVA is to work with card brands and security organizations to smooth out these issues, ensure that customers are not confused by different standards, and make compliance easier and less costly.

Q: Can the SPVA describe an area in which you envision creating enhanced standards or requirements?

A: The initial charter of the SPVA will create Technical Working Groups to focus on:
  • Common interpretation and implementation of existing industry Security Standards
  • Common vision and position on SEPA for POS terminals
  • Security of Payment Device Lifecycle framework, by developing end-to-end lifecycle security, and
  • End-to-end security framework from Terminal to Host.

Q: Will the SPVA establish a compliance lab or other type of certification process?

A: Yes. Once guidelines are published, the SPVA will authorize third-party laboratories to perform compliance testing against the SPVA guidelines. Vendors of secure POS payment devices seeking to obtain an “SPVA-compliant solution” designation will need to submit their products to an authorized SPVA laboratory. Upon successful completion, the vendor may submit the lab approval report to the SPVA for final approval and listing.

Q: Will the SPVA enforce compliance requirements?

A: Yes. “SPVA-compliant solutions” found to be out of compliance after approval will be stripped of their approval until such time as the situation is properly corrected and the solution passes third-party lab re-evaluation.

Q: How can I stay informed of the SPVA news and current events?

A: Regularly visit the SPVA Website at www.spva.org.