AUSTRALIAN PAYMENTS CLEARING ASSOCIATION
LIMITED
ABN 12 055 136 519
A Company limited by Guarantee
CECS MANUAL
for
CONSUMER ELECTRONIC CLEARING SYSTEM
(CS3)
Commenced 14 December 2000
Copyright © 2000-2014 Australian Payments Clearing Association Limited ABN 12 055 136 519
Australian Payments Clearing Association Limited Level 6, 14 Martin Place, SYDNEY NSW 2000 Telephone: (02) 9216 4888 Facsimile: (02) 9221 8057
Table of Contents
Australian Payments Clearing Association Limited [ABN 12 055 136 519]
CECS MANUAL
for
CONSUMER ELECTRONIC CLEARING SYSTEM
(CS3)
PREFACE 1.1
PART 1 OVERVIEW, DEFINITIONS AND INTERPRETATION 1.1
1.1 Purpose of this Manual 1.1
1.2 Electronic Funds Transfer Background [deleted] 1.2
1.3 CECS Standards 1.2
1.4 Overview of Consumer Electronic Transactions 1.4
1.5 Definitions 1.6
PART 2 COMMON REQUIREMENTS AND CERTIFICATION 2.1
2.1 Certification 2.1
2.2 Network and Interchange Requirements 2.6
2.3 Interchange Technical Specifications 2.10
2.4 Cryptographic Key Management - General 2.11
2.5 Third Party Checks [deleted] 2.13
2.6 Device Approval Process 2.13
2.7 Evaluation Facility Recognition Process 2.15
2.8 Crisis Management Action Plans 2.18
2.9 Contingency Procedures 2.19
2.10 Key Injection Facility Assessment 2.19
Appendix A DEA3 Liability Shift [deleted] 2A.1
PART 3 ISSUER STANDARDS 3.1
3.1 Card-Related Standards 3.1
3.2 PIN Management and Security 3.2
3.3 Card Expiry 3.3
3.4 Supported Transactions 3.3
3.5 Sponsored Issuers 3.3
3.6 Issuer Interchange Operational Procedures 3.3
3.7 Production of Test Cards - BIN Changes 3.3
3.8 Statement Narrative - Refund Transactions [deleted] 3.3
3.9 Funds Availability - Refunds Transactions [deleted] 3.3
3.10 PIN Change and Delivery over Open Networks 3.3
PART 4 ISSUER INTERCHANGE OPERATIONS PROCEDURES 4.1
4.1 Reports 4.1
4.2 Fallback Operations [deleted] 4.2
4.3 Interchange Fees 4.2
4.4 Doubtful Transactions 4.3
4.5 Disputed Transactions 4.3
4.6 Enquiries 4.6
4.7 Compromised Terminals 4.7
PART 5 ACQUIRER STANDARDS 5.1
5.1 Secure Cryptographic Devices 5.1
5.2 References 5.1
5.3 PIN Security Audit Program 5.2
5.5 Cardholder Data 5.3
5.6 Sensitive Authentication Data 5.3
5.7 Merchant Checks [deleted] 5.4
5.8 Device Running Multiple Applications 5.4
5.9 TCP/IP Terminal Connectivity 5.4
5.10 Good Design Principles 5.4
5.11 Record of Transaction 5.5
5.12 Acquirer Requirements 5.5
5.13 EFTPOS Operational Procedures [deleted] 5.6
5.14 ATM Acquirer Requirements [deleted] 5.6
5.15 ATM Operational Procedures 5.6
PART 6 ACQUIRER EFTPOS INTERCHANGE OPERATIONS PROCEDURES [deleted] 6.1
PART 7 ACQUIRER ATM INTERCHANGE OPERATIONS PROCEDURES 7.1
7.1 Reports 7.1
7.2 Operations 7.2
7.3 Interchange Fees 7.3
7.4 Doubtful Transactions 7.4
7.5 Disputed Transactions 7.5
7.6 Enquiries 7.10
7.7 Cards Retained 7.11
Appendix 7A Disputed Transaction Advice 7A.1
Appendix 7B Escalation Procedures 7B.1
PART 8 DEVICE SECURITY STANDARDS 8.1
8.1 Device Security Standards 8.1
8.2 Device Security Evaluation Criteria 8.1
8.3 Interpretation 8.3
8.4 Physical Characteristics and Key Management Protocols 8.4
8.5 Device Classification 8.5
8.6 Limitations on Functions (SCM) 8.5
8.7 Device Management 8.6
PART 9 STANDARD INTERCHANGE SPECIFICATION 9.1
9.1 Purpose 9.1
9.2 Scope 9.1
9.3 References 9.1
9.4 Supported Message Types 9.2
9.5 Supported Transaction Set 9.2
9.6 Network Management 9.7
9.7 Key Management 9.9
9.8 Time Out Parameters 9.12
9.9 Link Reconciliation 9.12
9.10 Link Settlement Times 9.13
9.11 Message Formats 9.13
9.12 Fields 9.35
Appendix 9A KEK Establishment 9A.1
Appendix 9B Electronic Fallback [deleted] 9B.1
Appendix 9C Manual Key Entry on Faulty Magnetic-Stripe Card Reads [deleted] 9C.1
Appendix 9D Communications Philosophy 9D.1
Appendix 9E Interchange Bitmap 9E.1
Appendix 9F Manual Key Entry on Faulty ICC Card Readers [deleted] 9F.1
Appendix 9G Technology Fallback 9G.1
Appendix 9H Fallback of ICC Declined Transactions 9H.1
PART 10 SETTLEMENT 10.1
10.1 General Principles 10.1
10.2 Agreed Cut-off Time 10.1
10.3 Interchange Settlement Reports 10.1
10.4 Procedures 10.1
10.5 Disputed Amounts 10.4
10.6 RITS Low Value Settlement Service 10.6
Appendix 10A [Deleted] 10A.1
Appendix 10B Interchange Settlement Report 10B.1
PART 11 ATM DIRECT CHARGING RULES 11.1
11.1 General Principles 11.1
11.2 Amount and Variation of the ATM Operator Fee and Declines 11.1
11.3 When Cardholders may be charged an ATM Operator Fee 11.1
11.4 Disclosure Rules 11.2
11.5 Message flow 11.3
11.6 Settlement of ATM Operator Fees 11.6
11.7 Transition 11.6
PART 12 PREPAID CARDS 12.1
12.1 Card Characteristics 12.1
12.2 PIN Standards 12.2
12.3 Unique BINs 12.2
12.4 Supported Transactions 12.2
12.5 Test Cards 12.2
12.6 Interchange Settlement 12.2
12.7 Disputes 12.2
12.8 Fallback [deleted] 12.2
12.9 Refunds [deleted] 12.2
ANNEXURES
A Acquirer Certification Checklist AA.1
B Acquirer Certification – General Guidelines AB.1
C Issuer Certification Checklist AC.1
D Device and Interchange Certification Guidelines AD.1
E Acquirer Operational Certification Guidelines AE.1
F Settlement Certification Guidelines AF.1
G Issuer Certification Guidelines AG.1
H CECS Operational Broadcast Form AH.1
I PIN Security Audit Checklist AI.1
K Exemption Request Form AK.1
L Contingency File Exchange Form AL.1
M Minimum Evaluation Criteria for IP Enabled Terminals AM.1
N PCI Plus Components AN.1
Part 1 - Overview, Definitions and Interpretation
Australian Payments Clearing Association Limited [ABN 12 055 136 519]
Amendment No. E227 issued as CS3/r&p/002.12
AUSTRALIAN PAYMENTS CLEARING ASSOCIATION LIMITED
ABN 12 055 136 519
A Company limited by Guarantee
CECS MANUAL
for
CONSUMER ELECTRONIC CLEARING SYSTEM (CS3)
PREFACE
This release of the CECS Manual is a transitional version, designed to reflect the creation of a separate body to regulate EFTPOS, known as EFTPOS Payments Australia Limited (EPAL), and to move away from device-specific rules (with the exception of Part 9, which sets out Standard Interchange Specifications). This version will be fully revised at a later date.
It is not intended that this transitional version of the CECS Manual should significantly modify the operational procedures or security standards applicable to the EFTPOS and ATM systems in Australia immediately prior to 1 January 2011. To the extent that any of the amendments in this transitional version have the effect of modifying any such operational procedure or security standard, that modification will be regarded as an unintended consequence, irrespective of whether such consequence advantages or disadvantages any Member, or is perverse (“Unintended Consequence”). In the event of an Unintended Consequence, Members will co-operate with each other and APCA in good faith to reinstate the procedure or standard applicable immediately prior to 1 January 2011.
It includes those requirements commonly found in the formal Interchange Agreement that currently exist between participating Members, further reducing the need for those agreements.
This release includes all previous changes up to, and including E222 dated 31 May 2010.
Amended effective 1.12.10
PART 1 OVERVIEW, DEFINITIONS AND INTERPRETATION
1.1 Purpose of this Manual
For organisations that have an interest in joining CECS, this Manual sets out in Part 2 general standards to be adopted by all members.
For organisations which have an interest in joining CECS and an Interchange network as Acquirers, this Manual sets out in Part 5 the standards to be adopted by all prospective Acquirers. These standards also apply to existing Acquirers which joined CECS at its inception.
For organisations which have an interest in joining CECS and the relevant Interchange network as Issuers, this Manual sets out in Part 3 standards to be adopted by all prospective Issuers. These standards also apply to existing Issuers which joined CECS at its inception.
Compliance with these standards (as reviewed from time to time) on a uniform basis through CECS will contribute to the continued integrity of interchanges in Australia. In particular, CECS standards seek to ensure that:
Current quality levels are not compromised by:
- Inferior operations;
- Lower quality Terminal devices and other equipment; or
- Inadequate security;
Customer service is maintained at the highest possible level; and
the general public continues to have confidence in the ability of their financial institutions to protect the privacy and security of their funds.
The CECS Regulations permit any two CECS Members to agree to apply divergent standards and procedures to those set out in this Manual, provided they satisfy the CECS Management Committee that the integrity, security or efficiency of CECS as a whole will not be lessened in any material way as a result. However, no CECS Member may require any CECS Member or Non-Member to apply standards and procedures regarding Interchanges other than those in this Manual.
This Manual sets out the required process for CECS Members that are Acquirers to be certified as meeting CECS standards. A CECS Member cannot refuse on technical, operational or security grounds to engage in Interchange activities with another appropriately certified CECS Member.
Amended effective 14/08/06
Non-Member Issuers and Acquirers may elect to seek certification from APCA that they meet CECS standards applicable to Acquirers, without joining CECS. The CECS Regulations provide that a CECS Member is not to refuse, on technical, operational or security grounds to engage in Interchange activities with any such certified Non-Member. Responsibility for enforcing standards against the certified Non-Member at all times rests with the CECS Member that enters into a bilateral arrangement for interchange with it.
Amended effective 14/08/06
1.2 [deleted]
1.2.1 [deleted]
1.2.1.1 [deleted]
1.2.2 [deleted]
1.3 CECS Standards
1.3.1 APCA
Ensuring appropriate security and other technical standards is essential to the integrity of consumer payments clearing. APCA’s technical and security working groups which report to the CECS Management Committee develop standards to be implemented industry wide through CECS.
APCA administers certification procedures which are aimed at ensuring that Issuers and Acquirers meet prescribed technical, operational and security standards. For Issuers, see Part 2 and Part 3 of this Manual. For Acquirers, see Part 2 and Part 5 of this Manual.
Amended effective 14/08/06
1.3.3 Application of these Standards
1.3.3.1 Inclusions
CECS standards apply to any Transaction which results in the exchange of an Item across a bilateral link, regardless of the type of Card and/or account being used and/or accessed. This means that the CECS standards apply to:
all domestically acquired Transactions initiated with a non-scheme debit card, including Transactions initiated with the debit functionality of a Card that also has scheme credit and/or debit functionality; and
Transactions initiated with a scheme credit or debit card which result in the exchange of an Item across a bilateral link (such as nearly all ATM Transactions initiated with a domestic scheme credit card or debit card).
Amended effective 03/09/07
1.3.3.2 Exclusions
EFTPOS Transactions are governed by EPAL’s Operational Rules, which for the most part replicate these standards. For the standards applicable to EFTPOS Transactions, reference should be made to EPAL’s Operational Rules in the first instance.
Other than as described above, CECS standards do not apply directly to the electronic processing of credit card Transactions and other scheme Transactions. These are governed by the rules and regulations published by the various card schemes.
1.3.4 Relationship With Other Standards or Guidelines
This Manual cross-refers to a number of existing standards and guidelines promulgated by bodies other than APCA that apply to participants, in their various capacities, in consumer electronic Transactions and which may apply to CECS Members either independently of or by virtue of their incorporation by reference in this Manual. The requirements of these separate schemes, standards or guidelines have not been duplicated in this Manual and CECS Members are expected to have familiarised themselves with and adhere to their responsibilities under all such applicable requirements, as a separate matter from the specific standards and requirements which are detailed in this Manual. These existing schemes, standards and guidelines include:
Standard or Guideline | Application | Monitor
Card Schemes | All Issuers party to particular schemes | Various
Electronic Funds Transfer (EFT) Code of Conduct | All CECS Members | Australian Securities and Investments Commission
Guidelines for EFT Security | All Acquirers | Australian Securities and Investments Commission
AS2805 | All CECS Members | Standards Australia
EPAL’s Operational Rules | All EFTPOS Issuers and Acquirers | EFTPOS Payments Australia Limited
1.3.5 Inconsistencies
If a provision of the Regulations or this Manual is inconsistent with a provision of the Constitution, the provision of the Constitution prevails.
If a provision of this Manual is inconsistent with a provision of the Regulations, the provision of the Regulations prevails.
1.3.6 Governing Law
This Manual is to be interpreted in accordance with the same laws which govern the interpretation of the Constitution.
1.3.7 Interpretation
1.3.7.1 In this Manual
(a) words importing any one gender include the other gender;
(b) the word ‘person’ includes a firm, body corporate, an unincorporated association or an authority;
(c) the singular includes the plural and vice versa;
(d) a reference to a statute, code or the Corporations Law (or to a provision of a statute, code or the Corporations Law) means the statute, the code, the Corporations Law or the provisions as modified or amended and in operation for the time being, or any statute, code or provision enacted in lieu thereof and includes any regulation or rule for the time being in force under the statute, the code, the Corporations Law or the provision;
(e) a reference to a specific time means that time in Sydney unless the context requires otherwise;
(f) words defined in the Corporations Law have, unless the contrary intention appears, the same meaning in this Manual;
(g) words defined in the Regulations have, unless the contrary intention appears, the same meaning in this Manual;
(h) this Manual has been determined by the Management Committee and takes effect on the date specified by the Chief Executive Officer pursuant to Regulation 1.5; and
(i) headings are inserted for convenience and do not affect the interpretation of this Manual.
1.4 Overview of Consumer Electronic Transactions
1.4.1 Consumer Electronic Transactions
Participants in Transactions have the following characteristics.
Interchange arrangements have been established as a co-operative effort to foster the use of Terminals for the use of each Issuer’s Cardholders as broadly as possible.
This arrangement allows the Issuer’s Cards to be accepted at the Acquirer’s Terminals.
Acquirer:
An Acquirer is a body corporate which acquires a Transaction from a Terminal on behalf of an Issuer. This is achieved by obtaining Issuers’ authorisation for Card Transactions accepted by Terminals and providing financial Transaction/data to Issuers for posting debits and credits to Cardholder accounts. Corresponding crediting/debiting of settlement value is made to the relevant accounts. In this way Acquirers provide facilities to enable Transactions.
An Acquirer may also be an Issuer. An Acquirer also:
(a) takes responsibility for ensuring the compliance of Terminals with all operational standards that have been developed for the system in the interests of Transaction integrity, security and Cardholder service;
(b) [deleted]
(c) [deleted]
(d) settles with Issuers for the Transactions of each issued Card; and
(e) takes responsibility for ensuring the compliance of any third parties engaged in delivering the service, with all operational standards that have been developed for the system in the interests of Transaction integrity, security and Cardholder service.
Issuer:
The role of the Issuer is to provide the customer with a payment instrument (Card or equivalent device) that complies with appropriate standards.
The Issuer’s responsibilities include:
(a) to negotiate with Acquirers for Card acceptance and appropriate Cardholder service;
(b) to settle for the value of the Cardholder’s Transaction with the relevant Acquirer and agree these settlement arrangements and guarantees with Acquirers;
(c) to be in a position to provide final settlement, either as a direct participant or through a representative;
(d) to fund balances on debit accounts and manage the risk of unauthorised debt;
(e) to determine rules to operate the Cardholder account;
(f) [deleted]
(g) ensuring the compliance of any third parties engaged in delivering the service, with all operational standards that have been developed for the system in the interests of Transaction integrity, security and Cardholder service.
(h) ensuring that Transactions it receives are capable of being authorised, cleared and settled across multiple financial institutions.
Cardholder:
The Cardholder is the ultimate customer of the system. The Cardholder is also the customer of the Issuer.
Access to Cardholders’ cheque or savings accounts to initiate a Transaction is by use of a proprietary debit card, prepaid card or credit card that has debit functionality. The Cardholder agrees to use the Card under terms and conditions of use set by the Issuer.
Third Party Processor:
The role of Third Party Processors within the CECS system is to provide an outsourced facility for Transaction processing and support to other participants (most likely Acquirers, but potentially also Issuer participants).
Third Party Processors, when engaged by either an Acquirer or Issuer, shall be obliged to operate in accordance with these standards by the engaging party.
The Third Party Processor may, but need not, be owned outright by one or more participants, and provide smaller participants with a cost-effective means of participating as Issuers.
Third Party Processor roles can widely vary including but not limited to:
receiving a Transaction stream from an Acquirer and remitting it to an Issuer (switch); and
processing Transaction authorisation requests on behalf of an Issuer (Card processor).
1.4.2 [deleted]
1.5 Definitions
In this Manual the following words have the following meanings unless the contrary intention appears.
“Acquirer” means a body corporate that in connection with a Transaction:
(a) under arrangement with and on behalf of an Issuer, discharges the obligations owed by that Issuer to the relevant Cardholder; and
(b) engages in Interchange with that Issuer as a result.
In relation only to those provisions of the CECS Manual marked with an asterisk and annotated accordingly, a reference to an Acquirer is deemed to include a Self Acquirer.
“Acquirer Reference Number” in relation to an Acquirer means a reference number which is unique to that Acquirer, allocated to it for identification purposes by the International Organisation for Standardization.
“Approved Evaluation Facility” means a testing laboratory that has been accredited by the Company to conduct SCD security compliance testing.
“AS” means Australian Standard as published by Standards Australia.
“ATM” means an approved electronic device capable of automatically dispensing Cash in response to a Cash withdrawal Transaction initiated by a Cardholder. Other Transactions (initiated by a debit card) such as funds transfers, deposits and balance enquiries may also be supported. The device must accept either magnetic stripe Cards or smart (chip) Cards where Transactions are initiated by the Cardholder keying in a Personal Identification Number (PIN). Limited service devices (known as “Cash dispensers”) that only allow for Cash withdrawal are included.
Amended effective date 15.8.05
“ATM Direct Charging Date” means 3 March 2009 or such other date that the Management Committee shall determine.
Inserted effective 03/03/09
“ATM Operator Fee” means a fee paid by a Cardholder to the operator of an ATM to effect a Transaction through their Terminal.
Inserted effective 03/03/09
“ATM Transaction” means a Cash deposit, a Cash withdrawal, or a balance enquiry effected by a Cardholder at an ATM.
Amended effective date 15.8.05
“Audit Compliance Certificate”:
(a) in relation to a Certified Acquirer, means a certificate in the form of Annexure A; and
(b) in relation to a Certified Issuer, means a certificate in the form of Annexure C.
(Note: A Non-Member may also seek Certification: see Parts 2, 3 and 5).
Amended effective 14/08/06
“Australian IC Card” means an IC Card in respect of which the EMV Issuer Country Code data element (tag 5F28) is equal to “036” (Australia).
Inserted effective 9/02/07
“Authorisation” in relation to a Transaction, means confirmation given by an Issuer that funds will be made available for the benefit of an Acquirer, in accordance with the terms of the relevant Interchange Agreement, to the amount of that Transaction. Except in the circumstances specified in this Manual, Authorisation is effected online. ‘Authorised’ has a corresponding meaning.
“Authorised Device” means a Secure Cryptographic Device that has been evaluated in accordance with Part 2.6 and which has been approved for use within CECS by the Company.
“Bank Identification Number (BIN)” means the registered identification number allocated by Standards Australia Limited in accordance with AS 3523 (also known as an Issuer Identification Number (IIN)).
Inserted Effective 19/04/10
“Card” means any card capable of being read by a Terminal including a debit card, prepaid card and credit card.
Last Amended Effective 19/04/10
“Card-related Standards” means, in relation to Cards, the standards from time to time required by Part 3.1.
“Cardholder” means a customer of an Issuer who has been issued with a Card by that Issuer, enabling that customer to effect Transactions.
“Cash” means Australian legal tender.
Inserted effective date 15.8.05
“CECS” means the Consumer Electronic Clearing System (CS3).
Deleted Effective 19/04/10
“CECS Member” means a body corporate, which in accordance with the Regulations is a participant in CECS.
“CECS Operational Broadcast” means the form set out in Annexure H.
“Certification” has the meaning given in Part 2.1.
Last Amended Effective 19/04/10
“Certification Checklist” means in relation to an Acquirer, a checklist in the form of Annexure A and in relation to an Issuer, a checklist in the form of Annexure C.
“Collator” deleted effective 13/08/12
“Commencement Date” means the date specified as such for CECS under Regulation 1.5.
“Compliance Certificate” means a certificate issued by the Company to a requesting party evidencing successful Certification.
“Company” means the Australian Payments Clearing Association Limited (A.C.N. 055 136 519).
“Compromised Terminal” means a Terminal that has been tampered with for fraudulent purposes.
Inserted Effective 19/02/10
“Contingency File” means a file in the form specified in Appendix 9B.6.
Inserted effective 2/10/06
“Contingency Procedures” means the procedures in Part 2.9.
Inserted effective 2/10/06
“Corporations Law” means the Corporations Act 2001 (Cth) and associated subordinate legislation as amended from time to time.
“Counterparty” means the CECS Member direct settler (for example, an Issuer) identified in a File Settlement Instruction submitted by an Originator (for example, an Acquirer or Lead Institution), in accordance with this Manual and the requirements of the RITS Low Value Settlement Service.
Inserted effective 13/08/12
“Credit Items” includes all credit payment instructions, usually electronically transmitted, which give rise to Interchange, except as may be specifically excluded by the Regulations or this Manual.
“Crisis Management Action Plan” means the plan set out in the Guidelines for CECS Members.
“Debit Items” includes all debit payment instructions, usually electronically transmitted, which give rise to Interchange, except as may be specifically excluded by the Regulations or this Manual.
“Disputed Transaction” means a Transaction which the Cardholder denies having initiated or where the Transaction amount is claimed to be incorrect.
“Disruptive Event” means any processing, communications or other failure of a technical nature, which affects, or may affect, the ability of any CECS Member to Interchange.
(Note: examples of a Disruptive Event are described in Part 2.9 of the CECS Manual.)
Inserted effective 2/10/06
“Double-length Key” means a key of length 128 bits including parity bits or 112 bits excluding parity bits.
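The 128-versus-112-bit distinction in the “Double-length Key” definition comes from the DES convention that the least significant bit of each key byte is an odd-parity bit, leaving 56 effective bits per 8-byte half. The following is an added example, not code from the Manual or from APCA, that checks a candidate double-length key against that definition: correct length, odd parity in every byte, and two distinct halves (a key whose halves are equal degenerates two-key triple-DES to single DES). The sample keys are constructed for illustration and carry no real key material.

```python
# Added example (not part of the CECS Manual): sanity checks on a double-length
# (2-key triple-DES) key as defined in Part 1.5: 128 bits including parity,
# 112 bits excluding parity.

DOUBLE_LENGTH_BYTES = 16


def has_odd_parity(byte: int) -> bool:
    """DES key bytes carry odd parity: the count of 1 bits must be odd."""
    return bin(byte).count("1") % 2 == 1


def set_odd_parity(key: bytes) -> bytes:
    """Return a copy of key with each byte's parity bit (bit 0) adjusted to odd."""
    out = bytearray()
    for b in key:
        out.append(b ^ 0x01 if not has_odd_parity(b) else b)
    return bytes(out)


def check_double_length_key(key: bytes) -> dict:
    """Report whether key satisfies the Manual's double-length key definition.

    Raises ValueError if the length is wrong; otherwise returns a dictionary
    with the bit counts from the definition, the parity verdict (with the
    offending byte positions, if any) and whether the two halves differ.
    """
    if len(key) != DOUBLE_LENGTH_BYTES:
        raise ValueError(
            f"double-length key must be {DOUBLE_LENGTH_BYTES} bytes, got {len(key)}"
        )
    bad_positions = [i for i, b in enumerate(key) if not has_odd_parity(b)]
    k1, k2 = key[:8], key[8:]
    return {
        "bits_including_parity": len(key) * 8,   # 128
        "bits_excluding_parity": len(key) * 7,   # 112 (one parity bit per byte)
        "parity_ok": not bad_positions,
        "bad_parity_positions": bad_positions,
        "halves_distinct": k1 != k2,             # equal halves collapse to single DES
    }


# Constructed sample keys (illustration only, not real key material).
GOOD_KEY = bytes.fromhex("0123456789ABCDEF" "FEDCBA9876543210")  # odd parity, distinct halves
ZERO_KEY = bytes(DOUBLE_LENGTH_BYTES)                            # even parity, equal halves

if __name__ == "__main__":
    print(check_double_length_key(GOOD_KEY))
    print(check_double_length_key(ZERO_KEY))
    print(set_odd_parity(ZERO_KEY).hex())
```

A key-loading routine that performs this check before accepting a Key Encrypting Key or Session Key catches transcription errors in key components early, since a wrong digit almost always breaks the parity of the affected byte.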
“Doubtful Transactions” means those Transactions which may not have been successfully completed, although the Transaction may be recorded against a relevant account.
“EFT” means Electronic Funds Transfer.
“EFTPOS” means Electronic Funds Transfer at Point of Sale.
“Electronic Funds Transfer (EFT) Code of Conduct” means the EFT Code of Conduct as revised by the Australian Securities and Investments Commission’s EFT Working Group.
“EMV” means the specifications as published by EMV Co. LLC.
Inserted effective 9/02/07
“EMV Phase 1” means the current transition arrangements through which a Transaction is created from the use of an EMV compliant Australian IC Card prior to the migration of CECS to full EMV functionality.
(Note: a date for the migration of CECS to full EMV functionality has not yet been determined).
Inserted effective 9/02/07
“Encapsulating Security Payload” (ESP) is a member of the IPsec protocol suite providing origin authenticity, integrity, and confidentiality protection of packets in Tunnel Mode, where the entire original IP packet is encapsulated, with a new packet header added which remains unprotected.
Inserted effective 13/08/12
“EPAL” means EFTPOS Payments Australia Limited.
“EPAL Operational Rules” means EPAL’s technical, operational and security rules adopted by EPAL to govern EFTPOS Transactions.
“Error of Magnitude” means an error (or a series of errors) of or exceeding $2 million or such other amount as may be determined from time to time by the Management Committee.
Last amended effective 20/4/09
“ESA” means Exchange Settlement Account.
“Evaluation Facility” in relation to the approval of a Secure Cryptographic Device for:
(a) an Acquirer, means an entity approved by the Management Committee in accordance with, and for purposes of, Part 2; and
(b) an Issuer, means an entity approved by the Management Committee in accordance with, and for purposes of Part 2.
“Exchange Settlement Account” (ESA) means an exchange settlement account, or similar account, maintained with the Reserve Bank of Australia.
“Exchange Summary” deleted effective 13/08/12
“Exchange Summary Data File Transfer Facility” deleted effective 13/08/12
“Failure to Match Rules” (FTM Rules) deleted effective 13/08/12
“File Recall Instruction” means a file in the format prescribed by the Reserve Bank of Australia and complying with the specifications for the RITS Low Value Settlement Service which can be accessed via a link on the Company’s extranet.
Inserted effective 13/08/12
“File Recall Response” means a response to a File Recall Instruction, generated by the RITS Low Value Settlement Service.
Inserted effective 13/08/12
“File Settlement Advice” means an advice in relation to a File Settlement Instruction, generated by the RITS Low Value Settlement Service.
Inserted effective 13/08/12
“File Settlement Instruction” means a file in the format prescribed by the Reserve Bank of Australia and complying with the specifications for the RITS Low Value Settlement Service which can be accessed via a link on the Company’s extranet.
Inserted effective 13/08/12
“File Settlement Response” means a response to a File Settlement Instruction, generated by the RITS Low Value Settlement Service.
Inserted effective 13/08/12
“FTM Rules” deleted effective 13/08/12
“HMAC” (Hash-based Message Authentication Code) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret key. HMACs are formed in conformance with AS2805:4.2 Electronic funds transfer— Requirements for interfaces Information technology -- Security techniques -- Message Authentication Codes (MACs) - Mechanisms using a dedicated hash-function.
Inserted effective 13/08/12
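The “HMAC” definition describes a construction (a hash function keyed by a secret) rather than a particular algorithm. The following is an added example, not code from the Manual, from APCA or from AS 2805, that builds HMAC step by step from its inner and outer hash calls, checks the result against Python’s standard `hmac` module and against the published RFC 4231 test vector, and verifies a received MAC with a constant-time comparison. SHA-256 is an assumed choice of hash for the illustration; the Manual itself only points to AS2805:4.2 for the mechanism, and the key and message values are constructed test data.

```python
# Added example (not part of the CECS Manual): the HMAC construction
# HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m)), assuming SHA-256 as H.
import hashlib
import hmac

BLOCK_SIZE = 64   # SHA-256 processes 64-byte blocks; K' is padded to this size
IPAD = 0x36
OPAD = 0x5C


def hmac_sha256_from_scratch(key: bytes, message: bytes) -> bytes:
    """Compute HMAC-SHA256 directly from the construction in the definition."""
    # Step 1: keys longer than a block are first hashed down to the digest size.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    # Step 2: right-pad the key with zero bytes to exactly one block (K').
    key = key.ljust(BLOCK_SIZE, b"\x00")
    # Step 3: derive the inner and outer padded keys.
    inner_key = bytes(b ^ IPAD for b in key)
    outer_key = bytes(b ^ OPAD for b in key)
    # Step 4: inner hash binds the message; outer hash binds the inner digest.
    inner_digest = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner_digest).digest()


def hmac_sha256_stdlib(key: bytes, message: bytes) -> bytes:
    """Same computation via the standard library, used as a cross-check."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, received_mac: bytes) -> bool:
    """Recompute the MAC and compare in constant time.

    compare_digest avoids the early-exit timing leak of a plain == on bytes,
    which is the comparison a receiving switch or host should use.
    """
    expected = hmac_sha256_stdlib(key, message)
    return hmac.compare_digest(expected, received_mac)


# Published test vector (RFC 4231, test case 1), not constructed here.
RFC4231_KEY = b"\x0b" * 20
RFC4231_DATA = b"Hi There"
RFC4231_EXPECTED = bytes.fromhex(
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
)

# Constructed sample for the verification path (illustration only).
SAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_MESSAGE = b"0200|amount=000000001500|stan=123456"

if __name__ == "__main__":
    mac = hmac_sha256_from_scratch(SAMPLE_KEY, SAMPLE_MESSAGE)
    print("MAC:", mac.hex())
    print("verifies:", verify_mac(SAMPLE_KEY, SAMPLE_MESSAGE, mac))
    tampered = SAMPLE_MESSAGE.replace(b"1500", b"9500")
    print("tampered verifies:", verify_mac(SAMPLE_KEY, tampered, mac))
```

The from-scratch and library results must agree byte for byte; a MAC computed over a message whose amount field has been altered fails verification, which is the integrity property the Interchange Link Message Authentication definition relies on.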
“Hot Card” means a Card which has been reported by the Cardholder as lost or stolen, or for which there is evidence of fraudulent use.
“IC Card” means a Card that contains an integrated circuit and that conforms to the EMV specifications.
Inserted effective 9/02/07
“Interchange” means the exchange of Items for value between Acquirers and Issuers, via an Interchange Link, as a result of the use of an Issuer’s Card by a Cardholder to generate a Transaction. Interchange arrangements may, but need not, be reciprocal.
“Interchange Agreement” means an agreement between an Acquirer and an Issuer that regulates the arrangements relating to Interchange between them.
“Interchange Fee” means a fee charged to one party to an Interchange by the other party to the Interchange for access to its consumer electronic payments facilities.
“Interchange Line” means the physical communications infrastructure that provides the medium over which Interchange is supported. An Interchange Line contains, at a minimum, one Interchange Link.
“Interchange Line Encryption” means encryption of the entire message, with the exception of communication headers and trailers that is being passed across an Interchange Line using, as a minimum, double-length keys and a triple-DES process.
“Interchange Link” means the logical link between an Acquirer and an Issuer which facilitates Interchange between them. Interchange Links are supported physically by an Interchange Line, and are either direct between an Acquirer and Issuer or indirect via a third party intermediary.
“Interchange Link Message Authentication” means calculation and verification of the Message Authentication Code (MAC) that is being passed across an Interchange Link.
“Interchange Link PIN Encryption” means encryption of the PIN in accordance with AS 2805 part 3.1.
Amended effective 27.04.11
“Interchange Settlement Report” means a report substantially in the form of Appendix B to Part 10.
“Internet Key Exchange” (IKE) is the protocol used to set up a security association in the IPsec protocol suite.
Inserted effective 13/08/12
“Issuer” means a body corporate which issues a Card to a Cardholder and, in connection with any Transaction effected using that Card:
(a) assumes obligations to the relevant Cardholder, which obligations are in the first instance discharged on its behalf by an Acquirer; and
(b) engages in Interchange with that Acquirer as a result.
“Issuer Sequence Number” means a one or two digit number used at the option of the Issuer to identify a Card which may have the same primary account number as another Card and possibly different accessible linked accounts.
“Items” means Debit Items or Credit Items.
“Key Encrypting Key” means a key which is used to encipher other keys in transport and which can be used to exchange Session Keys between two systems.
“Lead Institution” means a financial institution responsible for direct settlement of scheme payment obligations.
Inserted effective 13/08/12
“Letter of Approval” means a letter, issued by the Company, approving the use of a Secure Cryptographic Device within the CECS network.
“LVSS” means the RITS Low Value Settlement Service.
Inserted effective 13/08/12
“LVSS BCP Arrangements” means the contingency plan and associated documents published by the Reserve Bank of Australia for the purposes of the RITS Low Value Settlement Service, and which can be accessed via a link on the Company’s extranet.
Inserted effective 13/08/12
“LVSS Contact” means the person nominated by a CECS Member as its primary contact for LVSS inquiries, as listed on the Company’s extranet.
Inserted effective 13/08/12
“Management Committee” means the committee constituted under Part 6 of the Regulations.
“Merchant” means a person which delivers goods or services to a Cardholder at point of sale and which, in the normal course, is reimbursed by the Acquirer to which, from the Terminal that it operates, it electronically transmits that Transaction.
Amended effective 14/08/06
“Message Authentication Code” (MAC) means a code, formed using a secret key, that is appended to a message to detect whether the message has been altered (data integrity) and to provide data origin authentication. MACs are formed in conformance with the AS 2805 part 4 series.
Amended effective 27.04.11
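The MAC and HMAC definitions above say what a MAC is for; the following added example (not text or code from the CECS Manual) shows both properties being checked at the receiving end of an Interchange Link. It uses HMAC, the hash-based mechanism the HMAC definition refers to, with SHA-256 as the hash (my choice, the page names no hash), over a constructed field-delimited message; the key, the field layout and the function names are all assumptions made for the illustration.

```python
"""Verify a MAC on an interchange message: data integrity and data-origin authentication.

Added example, not from the CECS Manual. HMAC-SHA-256 over a constructed message;
the key, field layout and function names are assumptions for illustration only.
"""
import hashlib
import hmac

# Constructed session MAC key shared by the two ends of the link. In a real
# deployment the key lives in the SCM and is never held in application memory.
SESSION_MAC_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

# Constructed stand-in for a financial message body (field=value pairs).
MESSAGE = b"MTI=0200|PAN=4000000000000002|AMT=000000012500|STAN=123456|TID=TERM0001"


def mac(key, message):
    """Compute the HMAC over the whole message body."""
    return hmac.new(key, message, hashlib.sha256).digest()


def protect(key, message):
    """Sender side: append the MAC to the message for transmission."""
    return message + b"|MAC=" + mac(key, message).hex().encode()


def verify(key, protected):
    """Receiver side: split off the MAC, recompute it, compare in constant time.

    Returns the message body if integrity and origin check out, otherwise None.
    A missing, malformed, altered or foreign-key MAC all fail the same way.
    """
    body, sep, tag = protected.rpartition(b"|MAC=")
    if not sep:
        return None  # no MAC present: treat as unauthenticated, not as "unprotected"
    try:
        received = bytes.fromhex(tag.decode())
    except ValueError:
        return None
    # compare_digest does not stop at the first differing byte, so timing does not
    # reveal how much of a forged MAC was correct.
    if not hmac.compare_digest(received, mac(key, body)):
        return None
    return body


def demo():
    """Genuine message accepted; altered amount rejected; wrong key rejected."""
    wire = protect(SESSION_MAC_KEY, MESSAGE)
    accepted = verify(SESSION_MAC_KEY, wire) == MESSAGE
    tampered = wire.replace(b"AMT=000000012500", b"AMT=000000999900")
    alteration_detected = verify(SESSION_MAC_KEY, tampered) is None
    wrong_origin_detected = verify(bytes(32), wire) is None
    return accepted, alteration_detected, wrong_origin_detected


if __name__ == "__main__":
    print(demo())
```

The two failure paths are the two properties in the definition: a mismatch after the amount field is changed is an integrity failure, a mismatch under a different key is an origin failure, and the receiver rejects both identically. The constant-time comparison is the detail most often got wrong in hand-rolled verifiers.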
“Nine AM (9am) Settlement” means the multilateral settlement of obligations arising from previous days’ clearings of low value payments which occurs in RITS at around 9am each business day that RITS is open.
Inserted effective 13/08/12
“NODE” means a processing centre such as an Acquirer, an Issuer, or an intermediate network facility.
“Originator” means the party (for example an Acquirer direct settler or Lead Institution) which, as a result of either acquiring a Transaction or, in the case of a Lead Institution, by arrangement, is responsible for the submission of a File Settlement Instruction in accordance with this Manual and the requirements of the RITS Low Value Settlement Service.
Inserted effective 13/08/12
“Partial Dispense” means a Transaction that results in an amount of Cash being dispensed from an ATM that is less than the amount requested by the Cardholder.
Inserted effective 03/03/09
“PCI Evaluation Report” means an evaluation report, prepared by an Approved Evaluation Facility, which evidences the compliance of a device submitted for approval under clause 2.6.1(ii) with the requirements set out in PCI PTS version 3.x.
Inserted effective 13/08/12
“PCI Plus Evaluation Report” means an evaluation report, prepared by an Approved Evaluation Facility, which evidences the compliance of a device submitted for approval under clause 2.6.1(ii) with the PCI Plus Requirements, and if applicable, includes any delta report prepared in respect of the device.
Inserted effective 13/08/12
“PCI Plus Requirements” means the requirements set out in Annexure N of this Manual, being requirements for device approval in accordance with AS 2805 Annexes A, B and D, which are determined by the Company to be additional to the requirements of PCI PTS v 3.x.
Inserted effective 13/08/12
“PCI Points” means the attack potential calculated in accordance with Appendix B of the Payments Card Industry (PCI) document “PCI PIN Transaction Security Point of Interaction Modular Derived Test Requirements”, version 3.0, 2011.
Amended effective 13/08/12
“PED” means a PIN Entry Device.
“Physically Secure Device” means a device meeting the requirements specified in AS 2805 part 3.1 for a physically secure device. Such a device, when operated in its intended manner and environment, cannot be successfully penetrated or manipulated to disclose all or part of any cryptographic key, PIN, or other secret value resident within the device. Penetration of such a device shall cause the automatic and immediate erasure of all PINs, cryptographic keys and other secret values contained within the device.
Amended effective 27.04.11
“PIN” means a personal identification number which is either issued by an Issuer, or selected by a Cardholder for the purpose of authenticating the Cardholder by the Issuer of the Card.
“PIN Entry Device” (PED) means a component of a Terminal which provides for the secure entry and encryption of PINs in processing a Transaction.
“Prepaid Card” means a Card that:
(a) enables the Prepaid Cardholder to initiate electronic funds transfers up to a specified amount (subject to any other conditions that may apply); and
(b) draws on funds held by the Prepaid Program Provider or third party by arrangement with the Program Provider (as opposed to funds held by the Prepaid Cardholder).
For the avoidance of doubt, the definition of a Prepaid Card extends to both single use and reloadable/multiple use Cards.
Inserted effective 19/04/10
“Prepaid Cardholder” means a person that is in possession of a Prepaid Card.
Inserted effective 19/04/10
“Prepaid Program Provider” means either:
(a) an Issuer that issues a Prepaid Card; or
(b) a person that issues a Prepaid Card in conjunction with a sponsoring Issuer.
Inserted effective 19/04/10
“Record of Transaction” has the meaning given in the EFT Code of Conduct and Part 5.8.
“Regulations” means the regulations for CECS, as prescribed by the Company.
“Remote Management Solution” (RMS) for SCMs is a dedicated device which connects to an SCM over a network and provides access to the SCM while it is in a sensitive state.
Inserted effective 19/02/13
“Retained Card” in relation to an ATM Transaction, has the meaning given in Part 7.7.
“RITS” means the Reserve Bank Information and Transfer System.
Amended effective 13/08/12
“RITS Low Value Settlement Service” means the Reserve Bank’s settlement file transfer facility which must be used by:
(a) each Acquirer and Lead Institution to submit File Settlement Instructions and associated File Recall Instructions; and
(b) each Acquirer, Lead Institution and Issuer, if it so elects, to receive File Settlement Advices, File Settlement Responses and File Recall Responses.
Inserted effective 13/08/12
“RITS Regulations” means the regulations for RITS published by the Reserve Bank of Australia.
Inserted effective 13/08/12
“Secure Cryptographic Device” (SCD) means a physically and logically protected hardware device that provides a set of secure cryptographic services. PIN Entry Devices (PED) and Security Control Modules (SCM) are two specific instances of Secure Cryptographic Devices.
“SCD Security Standards” in relation to an SCD, means the standards from time to time published in Part 8.
“SCM” means a Security Control Module.
“Secretary” means the person appointed under Regulation 6.27 to perform the duties of secretary of the Management Committee.
“Security Control Module”(SCM) means a physically and logically protected hardware device that provides a set of secure cryptographic services.
“Self Acquirer” means a Merchant that:
(a) electronically transmits or receives payment instructions for value to or from one or more Issuers (excluding for this purpose any Acquirer that receives payment instructions from that Merchant in the capacity of an Issuer) as a result of Transactions which are initiated at Terminals operated by that Merchant or any of the Merchant’s Related Bodies Corporate; and
(b) bears risk as principal in relation to the payment obligations of each such Issuer arising out of such exchanges, and to that extent only.
Amended effective 14/08/06
“Session Key” is a generic reference to any one of a group of keys used to protect Transaction level data. Session keys exist between two discrete points within a network (e.g. host-to-host and host-to-Terminal).
“Sponsor” means the Acquirer which, as among all Acquirers for a Terminal, is taken to be the lead Acquirer for that Terminal, with ultimate responsibility for the integrity and security of PED software and encryption keys for Transactions involving that Terminal.
“Sponsored Issuer” means an Issuer that is the registered owner of an Issuer Identification Number, as referred to in Part 3.1.1, but is not a CECS Member.
“Statistically Unique” means an acceptably low statistical probability of an entity being duplicated by either chance or intent. Technically, statistically unique is defined as follows:
For the generation of n-bit quantities, the probability of two values repeating is less than or equal to the probability of two n-bit random quantities repeating. Thus, an element chosen from a finite set of 2^n elements is said to be statistically unique if the process that governs the selection of this element provides a guarantee that, for any integer L ≤ 2^n, the probability that all of the first L selected elements are different is no smaller than the probability of this happening when the elements are drawn uniformly at random from the set.
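To make the bound concrete, an added worked example (not part of the CECS Manual; the function names and the two sample selection processes are constructed here): it computes the uniform benchmark from the definition exactly for small L, through the usual birthday approximation for large L, and estimates the same probability for a candidate selection process so the two can be compared the way the definition requires.

```python
"""Work the "Statistically Unique" bound: P(the first L selected n-bit values are all
distinct) when they are drawn uniformly at random from the 2^n possibilities.

Added example, not part of the CECS Manual. Function names and the two sample
selection processes are constructed for illustration.
"""
import math
import random


def prob_all_distinct(n_bits, L):
    """Exact benchmark from the definition: prod_{i<L} (1 - i/2^n) for uniform draws."""
    N = 2 ** n_bits
    if L > N:
        return 0.0  # pigeonhole: a repeat is certain (the definition only asks about L <= 2^n)
    # Summing logs avoids underflow; log1p keeps precision when i/N is tiny.
    return math.exp(math.fsum(math.log1p(-i / N) for i in range(L)))


def prob_all_distinct_approx(n_bits, L):
    """Birthday approximation exp(-L(L-1)/2^(n+1)); use when L is too large to loop over."""
    return math.exp(-L * (L - 1) / 2 ** (n_bits + 1))


def max_draws(n_bits, p_min):
    """Largest L (from the approximation) keeping uniform draws all-distinct with probability >= p_min."""
    # Solve L(L-1) = -2^(n+1) ln(p_min) for L.
    return int((1 + math.sqrt(1 - 4 * 2 ** (n_bits + 1) * math.log(p_min))) / 2)


def empirical_no_repeat_rate(draw, n_bits, L, trials, seed=1):
    """Estimate P(all distinct) for a candidate selection process by repeated trials.

    The process meets the definition at L only if this rate is not below
    prob_all_distinct(n_bits, L).
    """
    rng = random.Random(seed)  # fixed seed keeps the estimate reproducible
    hits = sum(len({draw(rng, n_bits) for _ in range(L)}) == L for _ in range(trials))
    return hits / trials


def uniform_draw(rng, n_bits):
    """Reference process: every n-bit value equally likely."""
    return rng.getrandbits(n_bits)


def weak_draw(rng, n_bits):
    """Constructed failure case: only half the bits vary, so the real space is 2^(n/2)."""
    return rng.getrandbits(n_bits // 2)


if __name__ == "__main__":
    # Benchmark for 8 draws of 8-bit values, then the same for the two processes.
    print(prob_all_distinct(8, 8))
    print(empirical_no_repeat_rate(uniform_draw, 8, 8, 2000))
    print(empirical_no_repeat_rate(weak_draw, 8, 8, 2000))
    # How many 64-bit values can be drawn before a repeat is as likely as not.
    print(max_draws(64, 0.5))
```

The weak process fails the definition not because it ever produces an impossible value but because its no-repeat probability at L = 8 is well below the uniform benchmark; that is exactly the "by chance or intent" case the definition is written to exclude, and the same comparison applies to key or nonce generators with a biased or truncated source.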
“Tamper-responsive SCM” means a Security Control Module that when operated in its intended manner and environment, will cause the immediate and automatic erasure of all keys and other secret data and all useful residues of such data when subjected to any feasible attack. A Tamper-responsive SCM must comply with the requirements of Part 8 of this CECS Manual.
“Terminal” means an electronic device containing a PED which can be used to complete a Transaction.
“Terminal Identification Number” means the unique identification number assigned by an Acquirer to identify a particular Terminal.
“Terminal Sequence Number” means a number allocated sequentially to each Transaction by the relevant Terminal.
“Third Party Processors” means a body corporate which provides an outsourced facility for Transaction processing and support to other participants in the CECS System.
“Transaction” means a Transaction initiated by a Cardholder which allows for the accessing of available funds held in an account, or account information.
“Track Two Equivalent Data” means the contents of the EMV data element tag 57. This data element contains the data elements of track two according to AS 3524-2008, excluding start sentinel, end sentinel and Longitudinal Redundancy Check.
Amended effective 27.04.11
“Triple-DES” means the encryption and decryption of data using a defined compound operation of the DEA-1 encryption and decryption operations. Triple-DES is described in AS2805 Part 5.4.
“Unattended Device” has the meaning given in clause 8.5.1.
Inserted effective 13/08/12
Part 2 - Common Requirements and Certification
Australian Payments Clearing Association Limited [ABN 12 055 136 519]
Amendment Number E229 issued as CS3/r&p/001.14
PART 2 COMMON REQUIREMENTS AND CERTIFICATION
This Part 2 sets out the common standards and certification requirements required to be met by all CECS Members when engaged in Interchange with other CECS members.
2.1 Certification
Constant developments in new equipment and Interchange processes require Interchange standards and guidelines to be reviewed to maintain a high standard of security and operational procedures in the CECS environment. At any one time there will be current and draft future standards. Current industry standards will be subject to an ongoing process of review and the Management Committee will upgrade and re-issue applicable standards on a rolling triennial basis: see 2.1.6.
2.1.1 Requirement for Certification
Each CECS Member who wishes to participate in Interchange must arrange for Certification before it commences processing Interchange Transactions.
A Non-Member may, subject to the Regulations, arrange for Certification at any time.
2.1.2 Certification
Certification means that a person (being an existing or a prospective Issuer or Acquirer) confirms, subject to Regulation 4.1(b), by completing and submitting to the Company a Certification Checklist (satisfactory to the Company), that when it operates in CECS Interchange with other Members it is able to, and does, meet the CECS requirements in force at that time pursuant to this Part 2, including that:
When operating as an Acquirer:
(a) the PEDs it uses satisfy applicable SCD Security Standards and have been approved by the Company (see Part 8);
(b) the SCMs it uses satisfy applicable SCD Security Standards and have been approved by the Company (see Part 8);
(c) the Key Loading and Transfer devices it uses satisfy applicable SCD Security Standards and have been approved by the Company (see Part 8);
(d) its Interchange satisfies applicable AS2805 standards (see 2.3 and Part 9);
(e) its operating procedures satisfy applicable standards (see Part 5);
(f) its settlement procedures comply with Part 10;
(g) it complies with Part 11 with respect to the imposition of ATM Operator Fees (if applicable); and
Last amended effective 03/03/09
(h) any services provided by third parties engaged in the provision of the Interchange are provided in conformance with the relevant standards and requirements specified in this Manual.
Last amended effective 03/03/09
When operating as an Issuer:
(a) the Cards it uses satisfy applicable Card-related Standards (see Part 3.1);
(b) PIN management satisfies security requirements (see Part 3.2);
(c) the SCMs it uses satisfy applicable SCD Security Standards and have been approved by the Company (see Part 8);
(d) its Interchange satisfies applicable AS2805 standards (see 2.3 and Part 9);
(e) its operating procedures satisfy applicable standards (see Part 3);
(f) its settlement procedures comply with Part 10;
Last amended effective 03/03/09
(g) it complies with Part 11 with respect to the imposition of ATM Operator Fees (if applicable); and
Last amended effective 03/03/09
(h) any services provided by third parties engaged in the provision of the Interchange are provided in conformance with the relevant standards and requirements specified in this Manual.
Last amended effective 03/03/09
A CECS Member is taken to give such confirmation for the benefit of each other CECS Member and the Company.
A Certification Checklist (and the associated confirmation given to the Company) may be given in respect only of one or more of the matters listed above (for example, pursuant to 2.1.10).
2.1.3 Certification Checklist
A completed Certification Checklist must be used for Certification under 2.1.2 and for Certification of individual devices etc. as required by 2.1.10. It must be signed by the existing Member, prospective Member or Non-Member (as the case may be) and countersigned by its internal auditor.
Amended effective date 27.04.06
Annexure A provides an Acquirer Certification Checklist and Annexure C a Certification Checklist for Issuers.
A prospective Acquirer or Non-Member Acquirer seeking Certification must also complete a PIN Security Compliance Checklist. (See 5.3.3.)
Inserted effective date 27.04.06
Any further evidence of compliance which is reasonably requested by the Secretary or the Management Committee must be promptly produced to the Secretary following the request.
2.1.3A Report from Independent Auditor for prospective Members and Non-Members seeking Certification
Inserted effective date 27.04.06
Where Certification is sought by a prospective Member or a Non-Member, the Certification Checklist(s) must be accompanied by a report of an agreed upon procedures engagement (refer accounting standard AUS 904) from an independent auditor in respect of certain requirements in the CECS Manual.
The independent auditor engaged by the prospective Member or Non-Member and the audit procedures to be performed during the engagement must be acceptable to the Company. The Company maintains a set of Guidance Procedures for Acquirers and/or Issuers, which contains a proposed set of acceptable audit procedures. Once an acceptable independent auditor has been selected by the prospective Member or Non-Member the independent auditor may obtain the Guidance Procedures from the Company. The Company will provide a reliance letter if required by the independent auditor. However the form of the reliance letter should be agreed with the Company prior to commencement of the engagement. The Company will not provide indemnities or general open ended covenants in a reliance letter.
2.1.4 Process
The Company will review the Certification Checklist, and accompanying documentation and provide a report of its review to the applicant. Subject to Regulation 11.2, if all requirements appear to have been met, or otherwise that any proposed remedial action/compensating controls with respect to areas of non-compliance are satisfactory to the Company having regard to the integrity and efficiency of CECS, details of the application will be provided to the Management Committee for its acceptance.
On acceptance of the Certification Checklist by the Management Committee, the Secretary will issue a Compliance Certificate to the applicant and will promptly notify all CECS Members of the successful Certification.
For the avoidance of doubt, the reporting and notification processes set out in 2.1.4, and 2.1.5, will extend to Certification Checklists received from Non-Members.
2.1.5 Failure to Pass Certification
If the Certification process fails in part, the Secretary will provide the applicant with details of the deficiency as part of its report, and request either a partial or complete re-run of the certification process, depending upon the nature of the problem.
The applicant will be required to rectify all deficiencies and submit supporting evidence as required by the Company. Upon receipt the Company will re-evaluate such further evidentiary material in accordance with 2.1.4.
2.1.6 Triennial Audit Compliance
The Management Committee will re-issue the standards applicable to Acquirers and Issuers under this Part 2 triennially, commencing from 1 July 2004.
Each existing Certified Member that is a CECS Member at that date must submit to the Company an Audit Compliance Certificate within 60 days of the effective date set by the Management Committee for the implementation of those upgraded standards as re-issued or on such other date as may be determined by the Management Committee.
Amended effective 20/06/05
If a Certified Non-Member wishes to renew its Certification in relation to this Part 2 it will also be required to lodge an Audit Compliance Certificate with the Company within that period. A Certified Non-Member is not obliged to lodge an Audit Compliance Certificate, but if it does not do so within the required time, or having done so is unable to demonstrate to the Company’s satisfaction that it meets the standards as re-issued, its Certification will be taken to have expired at midnight on the day immediately before the effective date set by the Management Committee for implementation of the re-issued standards. CECS Members who deal with a Certified Non-Member are advised to make their own enquiries as to the currency of its Certification.
The Audit Compliance Certificate is to be signed by the Member. It must be countersigned by the Member’s internal auditor.
An Audit Compliance Certificate operates as a confirmation from the relevant member that it continues to meet all applicable CECS requirements, including any upgraded standards, in force under this Part 2. A CECS Member is taken to give such confirmation for the benefit of each other CECS Member and the Company.
Any other evidence of compliance which is reasonably requested by the Secretary or the Management Committee must be promptly produced to the Secretary following that request.
2.1.7 Failure to Meet Technical Requirements
If an Audit Compliance Certificate given by a Member reveals, or the Company is otherwise notified that the Member has failed to meet any applicable technical requirements, the Company will notify the Member of the deficiency, in writing, requesting rectification of the deficiency as determined by the Management Committee.
If, in the opinion of the Chief Executive Officer, the deficiency notified is such that it poses a risk to the efficiency or security of CECS, the deficiency will be reported directly to the Management Committee. The Management Committee may then take such remedial action which it considers necessary or desirable, including (without limitation) in the case of a CECS Member, its suspension from participation in CECS or, in the case of a Certified Non-Member, revocation of its Certification.
2.1.8 Timing
The time required to complete initial Certification, certification of additional devices or triennial re-certification by the Company (but excluding for this purpose processes under the control of an Evaluation Facility or auditor, whether internal or external) is estimated as follows:
initial certification: eight weeks;
re-certification: four weeks;
certification of additional devices etc: four weeks; and
certification of new/modified interchanges: four weeks.
Note that these time scales are estimates only and are given to assist applicants in their planning.
Re-certification of a new Acquirer will be scheduled to coincide with the next re-certification date for existing Acquirers.
2.1.9 Approved Devices
All devices involved in the production, distribution, selection, entering and transmission of plaintext Cardholder PINs, or associated cryptographic keys used to protect Cardholder PINs, in the Interchange environment shall be approved for use, using the process described in 2.6.
An Acquirer or Issuer which wishes to implement a new Secure Cryptographic Device for which a Letter of Approval, issued by the Company, is not held must arrange for that device to be evaluated for conformity with the current applicable SCD security standards, using the device approval process in 2.6. In accordance with 2.1.2, only approved devices can be attached to the Interchange networks.
2.1.10 Approval of New or Modified Secure Cryptographic Devices and Interchanges
Any certified Issuer or Acquirer which proposes to:
implement any new Interchange; or
substantially modify or upgrade any existing Interchange; or
implement a new SCD,
will in each case be taken to be required to apply for certification of the interchange or device in accordance with Rule 2.1.3 and comply with this Rule 2.1.10.
Amended effective 26/08/14
Notwithstanding any express or implied provision to the contrary set out in the Manual, any proposal to modify or upgrade an existing Interchange that also involves changes by the other party, must be advised by the applicant to the CECS Member/s affected no less than 180 days (unless otherwise bilaterally agreed) prior to the date upon which the proposal is to be implemented (“Implementation Date”).
Inserted effective 26/08/14
Each CECS Member must use reasonable endeavours to make such changes to its own Interchanges by the Implementation Date, or a date otherwise bilaterally agreed, as may be necessary to give effect to a proposal notified to it under this Rule 2.1.10.
Inserted effective 26/08/14
Any certified Issuer or Acquirer which proposes to:
implement any new SCD (not currently covered by an existing Letter of Approval, see 2.1.9); or
continue to employ an SCD which has reached or is about to reach its ‘Letter of Approval’ sunset date, unless the Company has renewed the device’s Approval Period pursuant to clause 2.6.1; or
implement any changes to an existing SCD’s cryptographic devices, PIN or cryptographic key handling and management processing,
will in each case be required to apply for approval of the device as required by 2.1.9 as if each device is a new device for the purposes of that section.
2.1.10A Transitional
Deleted effective 19/04/10
2.1.11 Exemption Requests
All Members must at all times comply with the Standards and Requirements specified in the CECS Manual unless specifically exempted by the Company.
In cases where the introduction of a new service, a new device or the significant modification to an existing device or service will cause the Member to be out of compliance with the requirements of the Manual, the Member may not proceed with the introduction of the new device or service, unless appropriate exemptions have been duly granted.
2.1.12 Applying for an Exemption
Each Member requiring an exemption from certain Requirements or Standards shall make an application to the Company. The application must include the following information:
The name of the Member requiring the Exemption;
Date of the Request;
Date the out-of-compliance situation occurred;
Date of original request (if seeking an extension to an existing exemption);
The section(s) of the Manual with which the Member is not in compliance;
Description of the Requirement with which the Member is not in compliance;
A statement on the reason for non-compliance;
A risk rating;
A full description of any compensating controls that are offered as justification for the authorisation of the request; and
Exact details of the Member’s action plan to comply with the Requirements and an indication as to the likely date of achieving compliance.
A suitable template is provided as Annexure K.
2.1.13 Exemption Process
The Company will review the Exemption Request and accompanying documentation and provide a report of its review to the applicant. Subject to Regulation 11.2, if it is determined that any proposed remedial action/compensating controls with respect to areas of non-compliance are satisfactory to the Company having regard to the integrity and efficiency of CECS, details of the application will be provided to the Management Committee for its acceptance.
On acceptance of the Exemption Request by the Management Committee, the Secretary will advise the applicant and will promptly notify all CECS Members of the exemption granted.
2.1.14 Exemption Duration
Exemptions shall only be granted for a defined period of time. The Company may grant a duration different than the one requested by the Member. All issues of non-compliance, regardless of when they expire, must be reviewed and renewed annually.
2.1.15 Certification upon Remediation
Once the subject of the Exemption Request has been remediated, a Certification Checklist covering the subject of the Exemption Request shall be submitted on or before the expiration of any granted Exemption Request.
2.2 Network and Interchange Requirements *
Note: Any direct or indirect application of, or reference in, this clause 2.2 to an Acquirer is deemed to include a Self Acquirer.
The Acquirer has responsibility for the network downstream to the Terminal. This may include third party switches. The CECS network can be illustrated as follows:
An Acquirer switch should not add more than a maximum of three seconds elapsed time through the components of its network to the total processing time of a Transaction (as a Transaction consists of both a request and a reply, message transit times for both Acquirers and any intermediate network nodes should not exceed 1.5 seconds). The three-second target is taken to be the average Transaction time within a peak load hour.
Where Third Party Processors are engaged in the delivery of Interchange e.g., Switches, it is incumbent upon the engaging party to ensure that the third party is in conformance with the standards and procedures given herein.
Interchange Links shall be supported 24 hours per day, every day including weekends and holidays. The availability of the Issuer’s and Acquirer’s EFT Systems shall meet or exceed 98% when averaged over one calendar month excluding telecommunications outages.
The Issuer host should respond to a request for Authorisation within a period not exceeding 15 seconds. The fifteen-second target is taken to be the average Transaction time within a peak load hour.
The maximum time-out values in the table below are indicative and are provided for guidance only.

Component           Time-out       Maximum Delay Introduced
ATM Terminal        60 seconds
Intermediate Node                  3 seconds total (1.5 seconds per transit)
Acquirer            23 seconds     3 seconds (1.5 seconds per transit)
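Added example (not from the CECS Manual) applying the figures above to hop-timestamp log lines from an Acquirer switch. The log format, the event names and the sample lines are constructed for the illustration, as is the reading that the 23-second Acquirer time-out bounds how long the Acquirer waits on the Issuer. It checks each transit against the 1.5-second figure and reports the hourly averages that the 3-second and 15-second targets are expressed against.

```python
"""Check Interchange transit times against the clause 2.2 guidance figures.

Added example, not part of the CECS Manual. The log format, event names and
sample lines are constructed; the 23 s figure is read as the Acquirer's wait on
the Issuer (an assumption about the table above).
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Guidance figures quoted in clause 2.2 (seconds).
ACQUIRER_MAX_PER_TRANSIT = 1.5   # each of request and reply through the Acquirer
ACQUIRER_MAX_TOTAL = 3.0         # average added delay within a peak hour
ISSUER_MAX_RESPONSE = 15.0       # average Issuer authorisation time within a peak hour
ACQUIRER_TIMEOUT = 23.0          # how long the Acquirer waits on the Issuer (assumed reading)
ATM_TIMEOUT = 60.0               # ATM Terminal time-out

# Constructed sample: four hop events per Transaction as an Acquirer switch might log them.
#   TERM_REQ  request received from the Terminal      ACQ_FWD  request forwarded to the Issuer
#   ISS_RSP   Issuer response received                ACQ_RPL  reply sent to the Terminal
SAMPLE_LOG = """\
2014-03-03T10:01:00.000 TXN=0001 EV=TERM_REQ
2014-03-03T10:01:00.400 TXN=0001 EV=ACQ_FWD
2014-03-03T10:01:02.900 TXN=0001 EV=ISS_RSP
2014-03-03T10:01:03.300 TXN=0001 EV=ACQ_RPL
2014-03-03T10:02:00.000 TXN=0002 EV=TERM_REQ
2014-03-03T10:02:02.000 TXN=0002 EV=ACQ_FWD
2014-03-03T10:02:23.000 TXN=0002 EV=ISS_RSP
2014-03-03T10:02:25.500 TXN=0002 EV=ACQ_RPL
2014-03-03T10:03:00.000 TXN=0003 EV=TERM_REQ
2014-03-03T10:03:00.200 TXN=0003 EV=ACQ_FWD
2014-03-03T10:03:22.200 TXN=0003 EV=ISS_RSP
2014-03-03T10:03:22.500 TXN=0003 EV=ACQ_RPL
2014-03-03T10:04:00.000 TXN=0004 EV=TERM_REQ
"""

LINE_RE = re.compile(r"^(\S+) TXN=(\w+) EV=(\w+)$")


def parse_log(text):
    """Return {txn: {event: datetime}} from the constructed log format."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, txn, ev = m.groups()
            events[txn][ev] = datetime.fromisoformat(ts)
    return events


def hop_times(ev):
    """Split one Transaction into the transit times clause 2.2 bounds."""
    secs = lambda a, b: (ev[b] - ev[a]).total_seconds()
    return {"acq_request": secs("TERM_REQ", "ACQ_FWD"), "issuer": secs("ACQ_FWD", "ISS_RSP"),
            "acq_reply": secs("ISS_RSP", "ACQ_RPL"), "total": secs("TERM_REQ", "ACQ_RPL")}


def check_transactions(text):
    """Per-Transaction findings: which per-Transaction limit each one breaches."""
    findings = {}
    for txn, ev in parse_log(text).items():
        if len(ev) != 4:
            findings[txn] = ["incomplete"]  # a hop event is missing: in flight, lost or timed out
            continue
        t = hop_times(ev)
        issues = []
        if max(t["acq_request"], t["acq_reply"]) > ACQUIRER_MAX_PER_TRANSIT:
            issues.append("acquirer transit > 1.5s")
        if t["issuer"] > ACQUIRER_TIMEOUT:
            issues.append("issuer response > acquirer time-out")
        if t["total"] > ATM_TIMEOUT:
            issues.append("ATM time-out")
        findings[txn] = issues
    return findings


def peak_hour_averages(text):
    """Hourly averages, which is how the 3 s and 15 s targets are expressed."""
    by_hour = defaultdict(list)
    for ev in parse_log(text).values():
        if len(ev) == 4:
            by_hour[ev["TERM_REQ"].replace(minute=0, second=0, microsecond=0)].append(hop_times(ev))
    out = {}
    for hour, ts in by_hour.items():
        acq = mean([t["acq_request"] + t["acq_reply"] for t in ts])
        iss = mean([t["issuer"] for t in ts])
        out[hour.isoformat()] = {"acquirer_added_delay": round(acq, 3), "issuer_response": round(iss, 3),
                                 "acquirer_ok": acq <= ACQUIRER_MAX_TOTAL, "issuer_ok": iss <= ISSUER_MAX_RESPONSE}
    return out


if __name__ == "__main__":
    print(check_transactions(SAMPLE_LOG))
    print(peak_hour_averages(SAMPLE_LOG))
```

In the sample, TXN 0002 breaches the per-transit figure on its own, while no single Issuer response is out of bounds yet the hour as a whole misses the 15-second target; the two views catch different problems, which is why the clause states one limit per transit and the other as a peak-hour average.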
2.2.1 Interchanges
For the avoidance of doubt, Interchange Link is the term used to refer to the logical communication path between two communicating Nodes. Interchange Line refers to the physical communication path between those Nodes. A single Interchange Line can support multiple Interchange Links.
Links wholly internal to an Issuer, an Issuer’s exclusive environment, or those not carrying personal identification numbers are not Interchange Links for the purposes of these requirements.
Terminal concentrator lines are not subject to the requirements of Interchange Lines and Interchange Links.
Interchange Links shall be so constructed and managed such that each link will form a separate, distinct, cryptographic zone.
Distinct security requirements apply to both Interchange Links and Interchange Lines.
2.2.2 Suspension of Interchange
Where in the reasonable opinion of the Acquirer, Issuer or other intermediate network entity, excessive Transaction response times from the other party are causing a downgrading of the service level in the Interchange system the first affected party may temporarily suspend its services for such period or periods as it shall think fit to restore the service level of the Interchange system to normal level.
The first affected party shall notify the other party and the Company prior to suspending the service if practical, or at the earliest opportunity after suspending the service.
2.2.3 Unauthorised Access Prevention
All parties to the Interchange, including Acquirers, Issuers, Third Party Processors and any intermediate network entities shall maintain procedures for avoiding any unauthorised access to or use of, the Interchange system through its own hardware, software, Interchange Lines and operational procedures which enable the exchange of authorisation and reconciliation of financial Transactions.
2.2.4 Interchange Cryptographic Keys
Interchange keys are used to protect financial Transactions initiated at Acquirer Terminals while in transit to the Issuer institution. Interchange keys may be either:
PIN encrypting keys – used to protect the customer PIN from the point of origin to the point of authorisation. PIN encrypting keys are a specific instance of session keys;
Session keys – used to secure, validate and protect the financial message. Session keys can be further qualified into those used in the Terminal to Acquirer environment (Terminal session keys) or on node to node links (interchange session keys);
Key Encrypting Keys (KEK) – used to protect other keys (e.g. session keys) during exchange; or
Transport Keys – used to protect keys (e.g. KEKs) during transport to the partner institution.
2.2.5 Cryptographic Algorithms
DEA3 and DEA2 are the only approved algorithms for the protection of interchange information (full details of these algorithms may be found in the Australian standards AS 2805 part 5.4 and AS 2805 part 5.3 respectively).
Amended effective 27.04.11