Cyber Resilience Act (CRA) - SPA's Response to the EC Consultation - January 2023
Introducing cybersecurity by design and by default principles into digital products, the proposed EU Cyber Resilience Act (CRA) marks a clear commitment from the European Union to protect millions of businesses and consumers in an increasingly connected world.
The draft legislation covers any ‘product with digital elements’ and applies to manufacturers of hardware and software components and devices. It also imposes a duty of care on manufacturers for the life of their products – including essential requirements for the vulnerability handling processes.
Importantly, the CRA also considers the ability of users to make an informed choice by setting out a requirement for transparency in the security properties of a particular product through CE marking.
As the trade body of the cards and mobile payments industry – a sector that, for over four decades, has delivered the highest levels of protection for its payment instruments – Smart Payment Association (SPA) welcomes all initiatives seeking to eliminate security flaws, address fraud and tackle new risks.
Therefore, we believe it is important to recognise the presence of these kinds of pre-existing robust and stable security frameworks in established industries – including those used in the smart payment cards sector – even though they do not fall directly under the purview of existing European regulation. Mapping existing proven schemes under the CRA will identify compliant sectors and avoid standards fragmentation.
It is also important to note that while EU regulations apply in Europe, these are often endorsed in other regions of the world. In the smart payment card vertical, for example, market products are issued globally and certifications of global payment schemes (EMVCo and PCI) are internationally valid and recognized. It is therefore critical that regulation be developed with a view to the global context.
This SPA response to the proposed CRA outlines the key requirements for manufacturers, matching the criteria against existing industry frameworks to illustrate conformity. It also details key proposals to leverage current frameworks under the CRA to ensure ongoing compliance.
1. Summarizing the requirements for manufacturers
In order to achieve the stated objectives of the CRA, manufacturers of products with digital elements are obliged to:
- Design, develop and produce the product in a way that ensures a level of cybersecurity appropriate to the risk.
- Have appropriate technical documentation to evidence the above, including a cybersecurity risk assessment and conformity assessment.
- Ensure that there are no exploitable vulnerabilities present in products when introducing them to market – with security testing by a third party depending on the criticality of the product.
- Manage exploited vulnerabilities in the field, and communicate the relevant information to the authorities and for public sharing.
- Provide full lifecycle follow-up, with ongoing maintenance and update management.
- Ensure CE marking on all conforming products.
- Ensure appropriate protections are in place for any remote processing solutions associated with the manufacturer's products.
SPA notes that its membership (global payment card vendors) complies with such cybersecurity-by-design and product life-cycle monitoring principles. Members also apply proven standards and practices developed by the payment smart card industry that guarantee the security, cyber-resilience and interoperability of their products in the field.
2. The value of leveraging pre-existing industry frameworks
Some industries and digital products are declared as out of scope of the CRA. Not only do these sectors fall under pre-existing EU regulations with comparable requirements – including medical devices, motor vehicles and civil aviation – they have defined and stringent security protections laid down by stable existing industry frameworks.
SPA believes that when such a stable industry framework for the evaluation and certification of a family of products exists – as it does in the smart payment card sector – it should be possible to map and review the compliance of this scheme with the requirements of the CRA.
Doing so will eliminate any unnecessary steps for payment card manufacturers and will simplify and accelerate conformity with the CRA – not least by eliminating multiple redundant certifications that are not necessary to evidence security assurance.
3. How existing payment security requirements conform with the CRA
The following illustrates how the security evaluation of banking products conforms with the proposed CRA requirements.
Documentation
- Product registration documentation covers a comprehensive set of all relevant data and product details, thoroughly describing the hardware and software bill of materials, including proper means of identifying the configuration provided to the end-consumer. This includes production and development sites, hardware characteristics, software version, security guidance document, etc.
- Onsite audits of development, production and delivery infrastructures are carried out periodically by third-party recognized security evaluation laboratories.
- When the product fulfils the payment scheme requirements, the scheme provides a Letter of Approval (LoA) detailing the conformity of the product to specifications, and the brand of the scheme is to be put on the card.
Security Assessment
- Only chips certified according to Common Criteria (CC) EAL 4+ or higher can be used for payment smart cards.
- Clearly defined and well-structured composite models are used to build and certify the payment card software stack upon separately certified chip hardware.
- The scope of the security evaluation of the smart payment card is based on assets and threats clearly identified and updated based on state-of-the-art, evolving threats and vulnerabilities.
- Payment card security testing is carried out to a level equivalent to Common Criteria Evaluation Assurance Level (EAL) 4+.
- Testing and audits are performed by payment scheme (EMVCo) accredited security laboratories. Their accreditation processes ensure that laboratory premises, staff and processes comply with physical and logical security standards required for the payment industry.
- These laboratories are accredited to perform Common Criteria evaluations and leverage threat intelligence from the JHAS experts group.
Vulnerability management
- A defined process of vulnerability management is present between manufacturer, scheme and (banking) customer.
- Clear mitigation plans for exploited vulnerabilities are in place.
- These include reinforced checks on the transaction and the replacement of cards*, and include (but are not limited to) communication to the scheme and the customer.
* In general use, smart payment cards are not connected devices. They also feature embedded software which cannot be effectively updated over-the-air. Cards therefore need to be replaced.
Lifecycle management
- Surveillance rules are in place with mandated testing renewed on a predefined timescale – more frequent than the five years listed in the CRA.
Remote processing for product manufacturing
- Payment card manufacturing processes comply with strong security requirements set out by the payments industry. Payment card vendors’ manufacturing and personalization facilities are extensively audited and certified. In particular, remote card data personalization processes must strictly comply with the security controls prescribed by the Payment Card Industry Card Production and Provisioning (PCI CPP) and Payment Card Industry Data Security Standard (PCI DSS) specifications. These specifications are regularly updated to minimize the risks associated with the latest state-of-the-art cyberattack patterns.
Illustrating continual improvements
These existing stringent cybersecurity measures – from design and manufacturing to lifecycle support – have created an exceptionally resilient and stable framework. This is supported by the most recent European Central Bank (ECB) seventh report on card fraud. This independent report identifies very low levels of fraud for card-based transactions at the point of sale against a growing volume of products in the field, and illustrates that levels of smart card fraud are declining over time.
4. Supporting payment cybersecurity in the EU – a way ahead
SPA proposes:
- that the existing global frameworks for payment card product certification, based on existing robust and harmonized specifications and processes, are recognized by the EU, and that this recognition of conformity with the CRA should authorize the use of CE marking/labelling on these products.
- that the 637.7 million payment cards in circulation in Europe (ECB Payment Statistics 2021, published on 22nd July 2022) are recognized as being CE mark compliant – without the CE mark labelling printed – and that they remain in the field until the end of their validity period.
- that the preferred way to manage potentially exploited vulnerabilities of cards in the field remains leveraging pre-existing mitigation plans – from reinforcement of back-end control through to card replacement. The CRA allows for this. SPA believes this should be retained because the process of modifying the embedded software within these unconnected cards in the field is not operationally practical.
- the establishment of a set of defined metrics to classify vulnerabilities, as well as a more specific definition that adds a risk assessment. This will ensure that only ‘real world’ exploitable vulnerabilities are taken into account in the CRA – as all connected devices are subject to theoretical vulnerabilities.
- that European Cards Stakeholders Group (ECSG) labelling be considered in order to recognize scheme specifications and processes at EU level.