Developed by Cartes Bancaires, a French group comprising 200 Banks and Financial institutions, MEPS (Methode d’Evaluation des Produits Securitaire “bancaires”) is an approval scheme used by the French banking industry. MEPS was created and is administered by Groupement des Cartes Bancaires. Cryptographic security equipment intended for use by the member banks on their payment dedicated networks must be certified as meeting the standards laid down under MEPS.

The originators of the first MEPS standard were inspired by the US Department of Defense publication entitled Trusted Computer System Evaluation Criteria (TCSEC). Since then the emergence of other worldwide security standards have been taken into account. These include ITSEC, Common Criteria, FIPS 140 and ISO 13491. The MEPS standards are now in their second iteration and frequently referred to as MEPS 2.

Products intended for use on the banking networks in France are submitted for evaluation by Groupement des Cartes Bancaires. This involves the submission of detailed design documentation and other information about the security mechanisms implemented. The evaluation does not examine every aspect of a product’s functionality but seeks to determine that the product as a whole provides sufficient security against external attacks.

Thales e-Security as a supplier of cryptographic products for use on banking networks recognizes the needs to have relevant products evaluated to the MEPS criteria. These products are:

• The HSM 8000 range of host security modules. These products are used worldwide to ensure the security of PINs and keys used in ATM, EFTPOS, and interbank settelement schemes. This product range has successfully achieved MEPS approval.
• P3™ Cryptographic Module (P3CM). This device is used to provide cryptographic security for the generation of data used in chip-based credit and debit cards adhering to the EMV standards. The P3CM has been submitted for MEPS evaluation, and approval is anticipated in early 2004.