JTEMS – Common Criteria POI Evaluation for the European Market

In November 2007, the European Parliament issued the Payment Service Directive to improve the efficiency of European payment instruments by bringing down national borders for credit transfer, direct debit and cards, thus creating a Single Euro Payments Area (SEPA).

As a contribution to this harmonisation, the European credit industry decided to start evaluation and certification pilots to investigate how they could support this European target by applying the Common Criteria to card-activated payment terminals. The pilots were run in close cooperation with the European governmental IT security organisations, who had already been using the Common Criteria methodology to certify the security of smart cards since the late 1990s. See https://www.sogis.eu/uk/detail_operation_en.html.

Following the successful JHAS approach for smart cards, the JTEMS (JIL Terminal Evaluation Methodology Subgroup) working group was founded within the SOGIS platform in February 2008. Associating payment schemes, certification bodies, evaluation laboratories and POI vendors, since 2009, JTEMS is the only open and scheme-independent experts’ platform for the development of POI security and evaluation focussing on Common Criteria. Including the International Card Schemes, JTEMS gathers resources, knowledge and expertise in order to produce harmonised technical documentation supporting POI evaluation.

The outputs of this working group are integrated in the Joint Interpretation Library (JIL) for their application in the European CC certification scheme and they are foreseen to fully migrate into the new EU CC Scheme after the Implementing Act of the European Commission issued on 31 January 2024.

This documentation includes POI Protection Profiles, which can be found at https://www.common-secc.org/documents-links/.

Further documents not listed there, such as those on Attack Potentials, should be requested from Common.SECC directly at common-secc@ukfinance.org.uk.

The main objectives of JTEMS are:

  • Establish and maintain POI Protection Profiles
  • Establish and maintain “state-of-the-art” and “best practices” for security evaluations of POI and related products
  • Standardise and harmonise the security rating of POI and related products undergoing a CC evaluation