OVERVIEW OF NZBA PCI PED APPROVAL PROCESS

Introduction

The NZBA PED Certification Group meets monthly to review EFTPOS vendors’ applications to have PEDs approved as suitable for use in the New Zealand market. The PED Certification Group consists of:-

  • NZBA staff;
  • Paymark – EFTPOS Technical Reviewer;
  • EFTPOS New Zealand Limited – EFTPOS Technical Reviewer; and
  • Chairperson – Bank representative from the NZBA Cards Sub Committee.

The technical reviewers assess a PED’s suitability based on details and documentation provided by the vendor.

Under the New Zealand EFTPOS Standards, PEDs must be PCI PED approved. In addition to PCI PED approval, the following factors are taken into account when assessing suitability:-

  • support for triple DES encryption;
  • EMVCo level 1 and 2 approval;
  • support for EMV offline and online PIN; and
  • master key / session key (MK/SK) key management.

It is unlikely that a PED will be approved if the above items are not supported; refer to the section below, “Tips to get PEDs Certified”.

Other factors will also be taken into account based on the technical reviewers’ assessment of the Visa, PCI and security evaluation reports.

Application Process

To have a PED assessed vendors should send the following documents to the NZBA:-

The NZBA will confirm receipt of the application to the vendor by e-mail and advise the vendor of the EFTPOS technical reviewers’ contact details.

Vendors should contact the EFTPOS technical reviewers* and make arrangements to:-

  • execute any non-disclosure agreements required by the vendor; and
  • send the technical reviewers a copy of the full version of the security evaluation report.

Documents can be couriered or e-mailed to the NZBA and the technical reviewers. PGP-encrypted e-mail is available for sensitive material such as the full security evaluation report.

* Upon request, the NZBA will provide the contact details of the technical reviewers.

Review Process

The PED Certification Group meets monthly on the first Thursday of the month.

Applications received at least 10 days before a meeting will be reviewed at that meeting, provided all of the documentation is complete.

Applications received less than 10 days before a scheduled meeting will be carried over to the following meeting.

If there is insufficient information to make a decision at the meeting, the NZBA will request more information from the vendor. The PED will then be reconsidered at the next monthly meeting.

Outcome of the Review

The NZBA will e-mail vendors to advise whether a PED has been approved or declined. For PEDs that are approved, a PED approval letter will be issued by the NZBA within 10 days of the meeting. Approved PEDs will be listed on the NZBA public website at its next update (usually monthly).

NZBA PED approval indicates that a PED is suitable for use in New Zealand under the EFTPOS Standards. It is important to note that vendors will still need to complete EFTPOS certification on the appropriate EFTPOS network(s); NZBA approval is not a substitute for it. It is up to the vendor to establish and pass the EFTPOS certification requirements.

Tips to get PEDs Certified

The following information will assist the efficient approval of PEDs:-

  • Ensure all documentation is complete. Full versions of the reports (not summaries or approval letters alone) are to be supplied to the technical reviewers.
  • Ensure Visa/PCI reports are not too old. While each application is treated on its own merits, experience has shown that reports over two years old will not contain information indicating that a PED is suitable: the monetary (attack-cost) thresholds would have to have been well exceeded at the time of testing for the PED to still be considered suitably secure today.
  • Documentation should reflect how the PED will be implemented in New Zealand. Any differences between the evaluated configuration and the New Zealand implementation should be explained by the vendor, with supporting documentation from the laboratories supplied with the application.
  • Vendors should provide details of why the PED should be considered suitable if it does not support triple DES, offline/online PIN or master key / session key key management, or does not hold EMV level 1 and 2 approvals. Exceptions can be considered, but vendors need to provide the information to the PED Certification Group. Vendors should not assume that any previous discussions with an EFTPOS switch or acquirer have been passed on to the technical reviewers. Delays in approval often occur because of a lack of information.

Applications will only be discussed with the contact persons named on the PED certification and application checklist. Include the names of any local agents who are to take part in discussions.

For further information contact:-

New Zealand Bankers' Association
Telephone: 00 64 4 802 3351
Facsimile: 00 64 4 473 1698