Developed by Cartes Bancaires, a French group comprising 130 Banks and Financial Institutions, MEPS (Methode d’Evaluation des Produits Securitaire “bancaires”) is an approval scheme used by the French banking industry. MEPS was created and is administered by Groupement des Cartes Bancaires. Cryptographic security equipment intended for use by the member banks on their payment dedicated networks must be certified as meeting the standards laid down under MEPS.
The originators of the first MEPS standard were inspired by the US Department of Defense publication entitled Trusted Computer System Evaluation Criteria (TCSEC). Since then the emergence of other worldwide security standards have been taken into account. These include ITSEC, Common Criteria, FIPS 140, PCI HSM and ISO 13491. The MEPS standards are now in their second iteration and frequently referred to as MEPS 2.
Products intended for use on the banking networks in France are submitted for evaluation by Groupement des Cartes Bancaires. This involves the submission of detailed design documentation and other information about the security mechanisms implemented. The evaluation does not examine every aspect of a product’s functionality but seeks to determine that the product as a whole provides sufficient security against external attacks.
Thales e-Security as a supplier of cryptographic products for use on banking networks recognizes the need to have relevant products evaluated to the MEPS criteria. These products are:
- P3™ Cryptographic Module (P3CM). This device is used to provide cryptographic security for the generation of data used in chip-based credit and debit cards adhering to the EMV standards.
- payShield 9000 and legacy HSM 8000 payment host security modules. These products are in use worldwide to ensure the security of PINs and keys used in ATM, EFTPOS, and interbank settlement schemes.