
Emv security guidelines_v4.0_dec10_20110215112806448

Date post: 27-May-2015
Upload: ashishkar2000

© 2011 EMVCo, LLC (“EMVCo”). All rights reserved. Any and all uses of the EMV Specifications (“Materials”) shall be permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx

EMV Security Guidelines

EMVCo Security Evaluation Process

Version 4.0 Release

December 2010


Copyright: The information contained in this manual is proprietary and confidential to EMVCo, LLC. This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of EMVCo, LLC.

Trademarks: EMV™ is a trademark owned by EMVCo, LLC. All third-party product and service names are trademarks or registered trademarks of their respective owners.

Media: This document is available on the EMVCo Web site at www.emvco.com


Legal Notice

This document summarizes EMVCo’s present plans for IC, Platform and ICC Security Evaluation services and related policies in the EMVCo Card Type Approval process and is subject to change by EMVCo at any time without notice to any party.

Neither this document nor any other document or communication creates any binding obligations upon EMVCo or any third party regarding testing services or EMVCo approval, which obligations will exist, if at all, pursuant to separate written agreements executed by EMVCo and such third parties.

In the absence of a written binding agreement pursuant to which EMVCo has agreed to perform evaluation services for a product provider or to permit a third party to act as a test laboratory, no product provider, test laboratory or any other third party should rely on this document, nor shall EMVCo be liable for any such reliance.

No product provider, test laboratory nor other third party may refer to a product, service or facility as EMVCo approved, in form or in substance, nor otherwise state or imply that EMVCo (or any agent of EMVCo) has in whole or part approved a product provider, test laboratory or other third party or its products, services, or facilities, except to the extent and subject to the terms, conditions and restrictions expressly set forth in a written agreement with EMVCo, or in an approval letter or certificate issued by EMVCo. All other references to EMVCo approval are strictly prohibited by EMVCo.

Under no circumstances should EMVCo IC, Platform and ICC security evaluations, when granted, be construed to imply any endorsement or warranty regarding the security, functionality, quality, or performance of any particular product or service, and no party shall state or imply anything to the contrary. EMVCo specifically disclaims any and all representations and warranties with respect to products that have received security evaluations and to the Card Type Approval process generally, including, without limitation, any implied warranties of merchantability, fitness for purpose or noninfringement.

All warranties, rights and remedies relating to products and services that have received EMVCo Card Type Approval are provided solely by the parties selling or otherwise providing such products or services, and not by EMVCo, and EMVCo accepts no liability whatsoever in connection with such products and services.

Unless otherwise agreed in writing by EMVCo, this document and matter contained herein, including all products and services contemplated by this document are provided on an “as-is” basis, “with all faults” and with no warranties whatsoever, and EMVCo specifically disclaims any implied warranties of merchantability, fitness for purpose, or noninfringement.


Table of Contents:

Chapter 1 ~ About this Manual.

1.1 Purpose
1.2 Audience
1.3 Revisions
1.4 Overview
1.5 Related information
1.6 Support
1.7 Abbreviations
1.8 Definitions

Chapter 2 ~ Overview

2.1 Background
2.2 Context within EMVCo Card Type Approval
2.3 EMVCo Security Evaluation
    2.3.1 The Role of EMVCo in the Security Evaluation Process
    2.3.2 IC Security Evaluation
    2.3.3 Platform Security Evaluation
    2.3.4 ICC Security Evaluation
2.4 Security Assurance
    2.4.1 Level of Assurance Requirement
2.5 Risk Management
2.6 Changes to Previously Approved Products
2.7 EMVCo Approval Renewal Date
2.8 Contact Details


Chapter 3 ~ Security Evaluation Process

3.1 Introduction
3.2 Security Evaluation Roles and Responsibilities
    3.2.1 Maintain Security Guidelines
    3.2.2 Design Product
    3.2.3 Test and Certify Product
    3.2.4 Security Monitoring
3.3 Certificates
    3.3.1 Certifiable Products
    3.3.2 Types of Certificates
3.4 Security Evaluation Process
    3.4.1 Sign EMVCo Agreement
    3.4.2 Complete EMVCo Registration Form
    3.4.3 Initial Discussion
    3.4.4 Product Design
    3.4.5 Select Laboratory and Evaluation Details
    3.4.6 Assess Product and Product Provider Infrastructure
    3.4.7 Submit Reports to EMVCo Secretariat
    3.4.8 Validate Laboratory Evaluation Reports
    3.4.9 Risk Analysis
    3.4.10 Issue EMVCo Compliance Certificate


Chapter 1 ~ About this Manual.

1.1 Purpose
1.2 Audience
1.3 Revisions
1.4 Overview
1.5 Related information
1.6 Support
1.7 Abbreviations
1.8 Definitions


1.1 Purpose

This manual describes the requirements and procedures of the EMVCo Security Evaluation Process for Integrated Circuit (IC), Platform (IC+OS) and Integrated Circuit Card (IC+OS+App) products.

The EMVCo Security Evaluation Process is a subset of EMVCo Card Type Approval, as defined by the EMVCo Card Type Approval Administrative Process document. Product providers shall follow the registration process described in the Card Type Approval document to register their products and initiate IC, Platform and ICC security evaluations by EMVCo.

Product providers shall follow the process outlined in this document – after the product registration mentioned above – in order to gain security evaluation certificates for their products. Such certification will allow product providers to sell ICC products to issuers of ICCs bearing the brand marks of American Express, JCB, MasterCard, or Visa.

1.2 Audience

This manual is intended for:

• Product providers – to enable them to gain certification of their IC, Platform and ICC products.
• Issuers – to provide them with valuable and practical information relating to the general security performance characteristics and the ‘suitability of use’ of IC, Platform and ICC products.

1.3 Revisions

This new release extends the EMVCo Security Evaluation Process to include Platform products. It describes this new process which is supported by a separate Security Guidelines document for JavaCard and Global Platform Implementations. Platform Products that successfully pass are assigned a unique Platform Certificate Number (PCN).

This release also updates the renewal policy, product approval policy and defines the new EMVCo Restricted Compliance Certificate Number (RCCN).

Periodically, EMVCo will issue revisions to this document as and when enhancements, changes, or corrections are required.


1.4 Overview

The following table provides an overview of this manual:

Chapter: Description
Table of Contents: A list of the manual’s chapters and sections. Each entry references a chapter and page number.
Using this Manual: A description of the manual’s purpose and contents, and a description of the terms used in this manual.
1 Overview: Provides a high-level overview of the EMVCo Security Evaluation Process, its rationale, and contact details.
2 Security Evaluation Process: A description of the overall EMVCo Security Evaluation Process, leading to the issue of an EMVCo Compliance Certificate. This chapter details the process during which a product is evaluated as part of the overall EMVCo Security Evaluation Process.

1.5 Related Information

The following documents provide information related to the subjects discussed in this manual:

• EMVCo Specifications
• EMVCo Card Type Approval Administrative Process
• EMVCo Requirements for Security Evaluation Laboratories
• EMVCo Security Guidelines for Smart Card Integrated Circuits
• EMVCo CPA Secure Implementation Guidelines
• EMVCo Security Guidelines for JavaCard and Global Platform Implementations including Mobile Payments
• JIL Application of Attack Potential to Smart Cards (current version as published)

1.6 Support

For help and support, contact the EMVCo Security Evaluation Secretariat.


1.7 Abbreviations

Abbreviation: Meaning
API: Application Programming Interface
CC: Common Criteria
CCD: Common Core Definition
CPA: Common Payment Application
DPA: Differential Power Analysis
EMR: Electro-Magnetic Radiation
EMA: Electro-Magnetic Analysis
FIB: Focused Ion Beam
GP: GlobalPlatform
IC: Integrated Circuit
ICC: Integrated Circuit Card
IPA: Inferential Power Analysis
ISCI: International Security Certification Initiative
JHAS: JIL Hardware Attack Subgroup
JIL: Joint Interpretation Library
OS: Operating System
RMI: Remote Method Invocation
SPA: Simple Power Analysis


1.8 Definitions

The following terms are relevant to the testing process:

Term: Definition
Application: Application intended to be executed on top of a Platform.
Approved product: A product that has been issued an EMVCo Compliance Certificate.
Card: A payment card as defined by a payment system. For the purpose of this document a Card comprises an Integrated Circuit, Operating System, Environment and one (or more) EMV Application(s).
Card Certificate Number: A unique four-digit reference number that identifies the EMVCo Compliance Certificate of an ICC.
Card Type Approval: Verification by EMVCo that the specified ICC product has demonstrated sufficient conformance to the EMV Specifications for its stated purpose.
Card Type Approval process: The steps necessary for an ICC product to obtain an EMVCo letter of approval.
Conformance: An ICC product meeting all EMVCo requirements defined for type approval including implemented optional requirements.
Chip: Electronic component(s) designed to perform processing and/or memory functions.
EMVCo: A Limited Liability Company established to maintain the EMV Specifications and administer type approval against those specifications.
EMVCo Compliance Certificate: A certificate issued by EMVCo when sufficient assurance has been demonstrated for an IC, Platform or ICC product.
EMVCo Restricted Compliance Certificate: A certificate issued by EMVCo when an IC, Platform or ICC product is found to have a vulnerability that is being addressed by the product provider.
EMVCo Security Evaluation Secretariat: EMVCo designated members who administer the EMVCo Security Evaluation Process.
EMV CCD: A subset of the EMV Specifications called Common Core Definition (CCD) made available by EMVCo.
Environment: Any software components and/or applications present on the ICC other than the EMV application(s) being submitted to testing for Card Type Approval.


Evaluation: Any activity that aims at verifying the conformance of a selected product or process to a given requirement under a given set of conditions.
Evaluation report: Document provided by a laboratory containing the test results for an IC, Platform or ICC product, or report pursuant to an evaluation of an IC or Platform product.
ICC Security Evaluation: The steps necessary for an ICC product to obtain an EMVCo Compliance Certificate.
IC Security Evaluation: The steps necessary for an IC product to obtain an EMVCo Compliance Certificate.
Integrated Circuit Card (ICC): see Card
Integrated Circuit(s) (IC): see Chip
Integrated Circuit Certificate Number: A unique four-digit reference number that identifies the EMVCo compliance certificate of an IC.
International Organization for Standardization (ISO): An international body that provides standards for financial transactions and telecommunication messages. ISO works in conjunction with the International Telecommunication Union (ITU) for standards that affect telecommunications. ISO supports specific technical committees and work groups to promulgate and maintain financial service industry standards.
International Security Certification Initiative: An international body that is establishing a global framework for mutual recognition of security evaluation procedures and certificates.
Laboratory: A facility that performs security evaluation testing.
Letter of approval: Written statement that documents the decision of EMVCo that a specified ICC product has demonstrated sufficient conformance to the EMV Specifications on the date of it being tested.
Multi-application card: An ICC that comprises more than one application, one of which is an EMV application.
Operating System (OS): Set of software components allowing an EMV application to be executed on a specific integrated circuit.
Payment System: For the purpose of this document, the Payment System is defined as JCB, MasterCard, or Visa.
Platform: A platform product is the collective name for the integrated circuit (IC) hardware with its dedicated software, Operating System (OS), Run Time Environment (RTE) and Platform environment on which one or more applications (e.g., CPA) can be executed.


Platform Certificate Number: A unique four-digit reference number that identifies the EMVCo Compliance Certificate of a Platform.
Platform Security Evaluation: The steps necessary for a Platform product to obtain an EMVCo Compliance Certificate.
Product provider: The entity that submits an IC, Platform or ICC product to EMVCo for Card Type Approval.
Sample: An ICC representative of a specific ICC product provided to a laboratory for testing.


Chapter 2 ~ Overview

This chapter provides a high-level overview of the EMVCo Security Evaluation Process, its rationale, and contact details.

2.1 Background
2.2 Context within EMVCo Card Type Approval
2.3 EMVCo Security Evaluation
    2.3.1 The Role of EMVCo in the Security Evaluation Process
    2.3.2 IC Security Evaluation
        2.3.2 IC Product for IC Security Evaluation
    2.3.3 Platform Security Evaluation
        2.3.3 Platform Product for Platform Security Evaluation
    2.3.4 ICC Security Evaluation
        2.3.4 ICC Product for ICC Security Evaluation
2.4 Security Assurance
    2.4.1 Level of Assurance Requirement
2.5 Risk Management
2.6 Changes to Previously Approved Products
2.7 EMVCo Approval Renewal Date
2.8 Contact Details


2.1 Background

The main objective of the EMVCo Security Evaluation Process is to ensure that IC, Platform and ICC products conform to EMVCo requirements and security guidelines. This document describes the EMVCo Security Evaluation Process and explains how this process functions in today’s environment.

EMVCo acts as the security certification entity for all approvals relating to the security of IC, Platform and ICC products and is responsible for overseeing the process and maintaining the Security Evaluation Guidelines, such as:

• Security Guidelines for Smart Card Integrated Circuits
• Security Guidelines for JavaCard and Global Platform Implementations including Mobile Payments
• CPA Secure Implementation Guidelines

These security guidelines support product providers when developing the product, and test laboratories while performing security evaluations. The EMVCo Security Evaluation Secretariat is responsible for administering the EMVCo Security Evaluation Process.

The EMVCo Security Evaluation Process evaluates the security features of the IC, Platform and the ICC products. IC Security Evaluation includes the firmware and software routines required to access the security functions of the IC. The Platform Security Evaluation includes the integrated circuit (IC) hardware with its dedicated software, Operating System (OS), and Platform environment on which one or more Java Card applications (e.g., CPA) can be executed. The ICC Security Evaluation includes the IC, the operating system, and the payment application(s) that reside on the ICC.

2.2 Context within EMVCo Card Type Approval

The EMVCo Security Evaluation Process is a subset of the EMVCo Card Type Approval process. EMVCo identifies the following security and functional evaluations for IC, Platform and ICC products:

Final Product: EMVCo Testing
Integrated Circuit: IC Security Evaluation
Platform: Platform Security Evaluation
Integrated Circuit Card: Card Type Approval Level 1 evaluation; Card Type Approval Level 2 evaluation; CCD components functional evaluation; Non-CCD components functional evaluation; ICC Security Evaluation

When a product has been found to meet the EMVCo security requirements, it will be issued an EMVCo Compliance Certificate. EMVCo issues compliance certificates for:

• IC products when the product provider successfully completes the IC Security Evaluation.
• Platform products, including a specific approved IC product, when the product provider successfully completes the Platform Security Evaluation.
• ICC products, including IC, platform and payment application, when the product provider successfully completes the ICC Security Evaluation.

For the final ICC product, the functional evaluation (Level 1 and Level 2) must be performed in addition to ICC Security Evaluation for Card Type Approval. Please refer to EMVCo Card Type Approval Administrative Process for further details on the functional evaluation (Level 1 and Level 2).

An EMVCo Compliance Certificate for IC Security Evaluation or Platform Security Evaluation, if appropriate, must be received prior to Card Type Approval and ICC Security Evaluation.

EMVCo will issue a Letter of Approval for an ICC product when the product provider successfully completes all required security and functional evaluations.

2.3 EMVCo Security Evaluation

The EMVCo Security Evaluation Process is based on a complete set of published EMVCo specifications, requirements and security guidelines which serve as the security requirements for product providers.

In particular, the evaluation process reflects the structure of the ICC industry, taking into account the relationships between the component suppliers of ICC products, their development processes, and the fact that IC migrations are currently underway. It also reflects developments in security evaluation methodology by the ICC industry, and combines independent evaluations with internal security testing. This flexibility allows EMVCo to maintain high levels of security assurance, while minimizing the financial burden on product providers.

The process establishes product providers as responsible for security evaluation and demonstration of sufficiency within the EMVCo specifications, requirements and security guidelines.


2.3.1 The Role of EMVCo in the Security Evaluation Process

EMVCo has established a common security evaluation process that is recognized by all EMVCo participants. This process assists issuers in promoting the continuous improvement of security standards for ICC implementations.

The methodology used in the evaluation process leverages a program of research targeted at the leading edge of attack methodology. In addition, EMVCo has supported the work of the JHAS group and will support ongoing security initiatives under proposed JIL leadership, to maintain currency of a common set of threats and attacks.

This process benefits both issuers and product providers by defining a flexible, ‘state-of-the-art’, common security evaluation methodology that is recognized by all EMVCo participants, thus saving time and avoiding the duplication of effort when evaluating IC, Platform and ICC products. By making product providers responsible for the security evaluation of their products, it allows EMVCo to focus on maintaining ‘state-of-the-art’ threat assessment.

EMVCo does not, however, guarantee or provide any warranties for any product provider’s products, and the security evaluation process does not relieve issuers from the need to make their own investigations to ensure the security or fitness for purpose of any products. No ICC implementation can be 100% secure, but as explained later, the EMVCo Security Evaluation Process provides issuers with additional information to assist in their risk analysis with product providers.

Certificates will be issued through the EMVCo Security Evaluation Secretariat.

2.3.2 IC Security Evaluation

The EMVCo IC Security Evaluation considers the security of the IC product, and is aimed at providing a high level of assurance in the security functions that are designed to effectively deal with known attack methods.

Attack methods include threats such as reverse engineering, information leakage and fault induction. The EMVCo Security Evaluation Process also takes into account the security of the design, development, and delivery processes.

The IC security evaluation is performed by an EMVCo recognized, external security evaluation laboratory and funded by the product provider. Security evaluation can take advantage of evaluation work already performed by product providers; however, this may need to be supplemented by additional work.

IC Security Evaluation must include the following:

• Logical testing of the platform to verify that the implementation conforms to specifications and contains no known weaknesses.
• Physical penetration testing of the platform to ensure that the implementation uses countermeasures against potential weaknesses.

IC Product for IC Security Evaluation

The IC product submitted for IC Security Evaluation is uniquely identified as:

• A specific integrated circuit with an
• Environment, including firmware or software routines that allow access to the security functions of the IC.

2.3.3 Platform Security Evaluation

The EMVCo Platform Security Evaluation will consider the security of the product providers who develop the Platform product and how this product follows the relevant security guidelines. An important factor will be how the product providers build upon the security of the IC to provide security for the complete platform product.

The EMVCo Platform Security Evaluation Process must include the following:

• Critical assets are protected with countermeasures able to resist ‘state of the art’ attacks.
• Runtime Environment must provide secure storage and execution space for applications.
• Platform services offered to the applications must be securely implemented.
• Application management must conform to specifications, and offer defenses against known attacks.
• The card content management (e.g., application downloading) must be securely implemented.
  o Security management (e.g., card locking)
  o Security domains for multi-provider platforms
  o Secure communication between the on-card representatives and off-card systems
• Platform security guidance document (similar to user guidance documentation provided by chip hardware manufacturers).

Platform Product for Platform Security Evaluation

The Platform product submitted for Platform Security Evaluation is uniquely identified as:

• A specific integrated circuit (IC) with its dedicated software
• The Operating System (OS) software developed for a specific IC
• The Run Time Environment (RTE) (e.g., Java Card)
• The RTE API (or similar) that provides interface with the Application Program
• The Platform environment (e.g., GlobalPlatform) and in particular the Security Domains with card content management privileges
• Able to execute one or more applications (e.g., CPA).

2.3.4 ICC Security Evaluation

The ICC Security Evaluation will consider the security of the Operating Systems (OS)

and payment applications developed by the product providers, and how these

applications and operating systems follow the relevant security guidelines. An important

factor will be how the product providers build upon the security of the IC and the OS to

provide overall security for a payment application on the ICC.

The EMVCo ICC Security Evaluation Process must include the following:

OS testing will include secondary defenses against potential physical

vulnerabilities, and correctness of implementation.

Analysis of requirements specific to virtual machines such as MULTOS or

Java Card OS.

Implementation reviews will be conducted for financial applications, to

ensure a high level of assurance. This testing will include code reviews

and penetration testing.

When there is more than one application on an ICC with a proprietary

Operating System or a virtual machine, assurance will be sought to

demonstrate the firewalls between the applications, the lack of object

sharing, or both.

For some applications, a risk assessment may also be conducted. This

may also include the integration of off-card components if they perform an

important role in the security process.

The application loading mechanism (e.g., GlobalPlatform) will be tested to

verify conformance to specifications, and defenses against known

vulnerabilities.

ICC Product for ICC Security Evaluation

The ICC product submitted for ICC Security Evaluation is uniquely identified as:

The complete EMV CCD/CPA application(s)

present on a

Specific integrated circuit

with a

Specific operating system and transmission protocol(s)

surrounded by a specific

Environment including other non-EMV CCD applications and/or software

components.

2.4 Security Assurance

The EMVCo Security Evaluation Process strives for a high level of assurance for IC, Platform

and ICC products at all stages of the development process. The evaluation methodology strives

to achieve a balance between ‘Black Box’ and ‘White Box’ testing. This is achieved by carrying

out a security analysis that considers all viable attacks on a product, and derives a set of

penetration tests based on individual product characteristics.

EMVCo recognized external evaluation laboratories perform security evaluations using the

relevant EMV Security Guidelines and externally developed testing tools. EMVCo may leverage

previous work performed by the product provider. EMVCo recognizes the methodology used in

some formal evaluation schemes (e.g. Common Criteria), but will only accept full evaluation

reports as evidence of such.

The EMVCo Security Evaluation Process reflects a partnership with product providers, and

seeks to minimize the cost and time spent in performing evaluation work and, where possible, to

avoid the duplication of effort. By leveraging on the modular evaluation methodology of

Common Criteria, evaluations that are based on a core family of devices can use delta

evaluations to manage product migration. Associated design and production processes are

evaluated once, and the paperwork overhead is reduced.

The EMVCo Security Evaluation Secretariat supports the process with an R&D program to seek

optimum awareness of threats and defenses whilst maintaining confidential relationships with

laboratories and product providers.

The output from the EMVCo Security Evaluation Process is an EMVCo Compliance Certificate

with:

A number that identifies a single approval path from product provider,

through manufacturer, to issuer.

A date that reflects the status of the EMVCo security guidelines at the

time of evaluation.

Product providers must present their EMVCo Compliance Certificate number to issuers, as

proof that their product has been evaluated via the EMVCo Security Evaluation Process.

Note Issuers should always check both the status and the date of any EMVCo Compliance Certificate.

In some cases where a potential vulnerability is found, an EMVCo Restricted Compliance

Certificate may be issued. If this happens, the product provider is made fully aware of the

details of any such problems, and EMVCo will work with the product provider to achieve two

things:

That the vulnerability is adequately communicated by the product provider

to issuers to enable them to assess their own risks

That a plan is put in place by the product provider with the assistance

from EMVCo to introduce a revised product that reduces the vulnerability

EMVCo also reserves the right to withdraw or not to issue an EMVCo

Compliance Certificate or EMVCo Restricted Compliance Certificate

when the product does not offer sufficient protection.

EMVCo Approved IC, Platform and ICC products are granted certificates or restricted

certificates with an issue date, and are placed on the EMVCo Approved Products list. Each

certificate has a unique ICCN (Integrated Circuit Certification Number), PCN (Platform

Certification Number), or CCN (Card Certification Number). Approved products are placed on

the EMVCo Approved Products List for three years, unless the certificate is withdrawn or the

product is superseded by newer products. After three years, products will remain on the list

subject to passing an annual security review. The older a product is, the greater the array of

attacks it may be subject to, therefore annual security assessments are carried out following the

initial 3 year assessment. Products that reach the 6 year limit on the EMVCo Approved

Products list will be removed.

Please refer to EMVCo Card Type Approval Administrative Process for further details on Card

Approval renewal.

2.4.1 Level of Assurance Requirement

The level of Assurance Requirement is High as described in the JIL document

Application of Attack Potential to Smartcard (current version as published).

2.5 Risk Management

The finance industry is a risk management business that has to constantly monitor

vulnerabilities and threats. Fraud migrates to the lowest level of defenses in a system and the

security features of the payment application should provide a number of risk management

measures. The EMVCo Security Evaluation Process supplements this by making ICC Security

Evaluation a necessary part of the product provider’s product design and development process.

When a product provider sells a product, that product provider should be able to explain the

testing that has been carried out in order to verify conformance with EMVCo security guidelines.

The level of testing is continuously increasing to reflect ‘state-of-the-art’ attack potential.

Consequently, the introduction of new products should offer a higher level of protection against

the latest threats. However, no testing can anticipate all potential future attacks. Security, by

definition, is an ongoing process – as time progresses, attack and defense become a race.

EMVCo endeavors to be always one step ahead of the attacker.

Issuers should constantly bear in mind that there is no such thing as perfect security. The

primary assets on an ICC product are the secret keys and the PIN. There are also secondary

assets (i.e., assets that can be used to compromise a primary asset) such as the security

counters (e.g., the Application Transaction Counter). An attack made with sufficient effort (in

terms of skills, equipment, and time) will always succeed in compromising those assets. The

EMVCo Security Evaluation Process aims to identify vulnerabilities in these terms to fit into a

formal Risk Analysis of a system.

A secure system must implement defenses at all levels, and issuers should develop separate

strategies for prevention, detection, and recovery. There are essentially two motivations for an

attacker: publicity, and reward. Incident management procedures should be planned for each,

and appropriate security measures should be taken to limit the likely rewards that an attacker

may achieve for their efforts.

In the event that an IC, Platform or ICC product only receives an EMVCo Restricted Compliance

Certificate, the product provider should be in a position to explain the reasons, and offer

guidance about the potential risks to an issuer’s implementation plans. Issuers may mitigate

these risks – to a level that is acceptable to them – by using other security measures (such as

the use of online transactions, limited issuance, etc.).

2.6 Changes to Previously Approved Products

The EMVCo Security Evaluation Process reflects a partnership with product providers, and

seeks to minimize the cost and time spent in performing evaluation work and, where possible, to

avoid the duplication of effort.

By leveraging on the modular evaluation methodology of Common Criteria, evaluations that are

based on a core family of devices can use delta evaluations to manage product migration. Any

change to a product will require a security impact analysis which must be provided to, and

approved by, the EMVCo Security Evaluation Secretariat.

Based on the security impact analysis, a delta evaluation may need to be performed before the

EMVCo Compliance Certificate can be issued for a changed product.

2.7 EMVCo Approval Renewal Date

The approval for an IC, Platform and/or ICC product applies as of the date of the certificate, but

the product will generally be placed on the EMVCo Approved Products list for three years.

Unless the certificate is previously withdrawn or the product is superseded by newer products

from a product provider, products with an EMVCo Compliance Certificate will be removed from

the EMVCo Approved Products list after three years. Products that reach the 6 year limit will be

removed from the list.

Please refer to EMVCo Card Type Approval Administrative Process for further details on Card

Approval renewal.

Products seeking renewal must comply with current security guidelines. For product approval

renewal, contact the EMVCo Security Evaluation Secretariat.

2.8 Contact Details

The EMVCo Security Evaluation Secretariat is the contact point for any discussions about

security evaluations.

Chapter 3 ~ Security Evaluation Process

This chapter describes the EMVCo Security Evaluation Process, leading to the issue of an

EMVCo Compliance Certificate.

3.1 Introduction
3.2 Security Evaluation Roles and Responsibilities
    3.2.1 Maintain Security Guidelines
    3.2.2 Design Product
    3.2.3 Test and Certify Product
    3.2.4 Security Monitoring
3.3 Certificates
    3.3.1 Certifiable Products
    3.3.2 Types of Certificates
        EMVCo Compliance Certificate
        EMVCo Restricted Compliance Certificate
3.4 Security Evaluation Process
    3.4.1 Sign EMVCo Agreement
    3.4.2 Complete EMVCo Registration Form
    3.4.3 Initial Discussion
    3.4.4 Product Design
    3.4.5 Select Laboratory and Evaluation Details
    3.4.6 Assess Product and Product Provider Infrastructure
    3.4.7 Submit Reports to EMVCo Secretariat
    3.4.8 Validate Laboratory Evaluation Reports
    3.4.9 Risk Analysis
    3.4.10 Issue EMVCo Compliance Certificate

3.1 Introduction

The EMVCo Security Evaluation Process consists of a set of related sub-processes, which

together are designed to fulfill EMVCo objectives, namely:

To enable issuers to carry out knowledge-based risk assessments for

their chip card programs.

To facilitate coordinated continuous improvement in the security of

financial transactions.

This chapter describes the various activities and sub-processes.

Figure 1 depicts an overview of EMVCo Security Evaluation.

Figure 1—EMVCo Security Evaluation Overview

[Figure not reproduced: flow diagram linking the four sub-processes (Maintain Security Guidelines, Design Product, Test and Certify Product, Security Monitoring) and the parties involved (EMVCo, Product Provider, EMVCo Security Evaluation Secretariat, Laboratories).]

3.2 Security Evaluation Roles and Responsibilities

The following sections describe the various EMVCo Security Evaluation sub-processes:

Maintain Security Guidelines

Design Product

Test and Certify Product

Security Monitoring

3.2.1 Maintain Security Guidelines

EMVCo maintains a set of guidelines that provide security guidance for the design of ICC

products. These guidelines are available to product providers to assist in the development of

their IC, Platform, and ICC products and to laboratories to assist in evaluating IC, Platform, and

ICC products within the framework of the EMVCo Security Evaluation Process.

The most recent security guidelines are available from EMVCo.

3.2.2 Design Product

The product provider designs its products in accordance with the applicable security guidelines.

3.2.3 Test and Certify Product

The product provider’s product, and where considered necessary, the related processes, are

assessed to determine if the product provider has sufficiently taken threats and attacks into

account.

Refer to the Security Evaluation Process section for further details of the ‘Test and Certify

Product’ process.

3.2.4 Security Monitoring

The EMVCo Security Evaluation Secretariat operates an ongoing process to check certified

products against newly identified attacks and risks for the purpose of risk management.

The EMVCo Security Evaluation Secretariat continuously monitors threats and security

developments within the smart card market. The EMVCo Security Evaluation Secretariat

conducts research and development – both itself, and with security evaluation laboratories – to

identify new threats, attacks, and security evaluation methodologies.

Where it considers this necessary (and where it is able to do so given confidentiality restrictions)

the EMVCo Security Evaluation Secretariat may inform product providers about newly

discovered vulnerabilities of their certified products, thus enabling and supporting the product

provider to minimize consequent risks, and to support their customers’ risk management. This

may also include the withdrawal of an EMVCo Compliance Certificate or an EMVCo Restricted

Compliance Certificate.

3.3 Certificates

Compliance certificates issued by EMVCo confirm that the product provider’s product(s)

identified on the certificate have undergone the appropriate security evaluation, and that a risk

analysis on any significant residual vulnerability has been performed (where applicable).

3.3.1 Certifiable Products

Following a successful IC Security Evaluation, EMVCo issues an EMVCo Compliance

Certificate for the integrated circuit component of an ICC.

Similar variations of the same product – such as an IC core, but with various memory

configurations – can be assessed as a single subject, and covered by a single certificate.

Following a successful Platform Security Evaluation, EMVCo issues an EMVCo Compliance

Certificate for the integrated circuit (IC) hardware with its dedicated software, Operating System

(OS), and Platform environment on which one or more Applications (e.g., CPA) can be executed.

Following a successful ICC Security Evaluation, EMVCo issues an EMVCo Compliance

Certificate for the combined IC platform, the operating system, and the payment application(s)

components of an ICC.

3.3.2 Types of Certificate

A certificate may be issued in one of two variants, depending on whether any significant residual

vulnerability was discovered during the evaluation process.

EMVCo Compliance Certificate

If any residual vulnerability discovered during the evaluation process is considered by the

EMVCo Security Evaluation Secretariat to be below the level that EMVCo regards as significant,

then EMVCo will issue an EMVCo Compliance Certificate for that product.

EMVCo Restricted Compliance Certificate

If significant residual vulnerabilities are discovered during the evaluation process but are

considered a manageable risk by the EMVCo Security Evaluation Secretariat, are sufficiently

explained in the Risk Analysis Report, and are being satisfactorily addressed by the product

provider, EMVCo will issue an EMVCo Restricted Compliance Certificate for that product.

EMVCo are entitled to publish non-security related details of restricted compliance certificates.

Consequently, the product provider will be required to inform the issuer (or other product

providers to whom that product provider intends to sell the product covered by an EMVCo

Restricted Compliance Certificate) of the product vulnerabilities so they may understand the risk

in using the restricted product. This is necessary so that the product provider’s customers can

accommodate the remaining risks within their own risk assessments, and introduce appropriate

countermeasures against these remaining risks into their own systems.

3.4 Security Evaluation Process

The remaining sections of this chapter describe the individual actions within the EMVCo

Security Evaluation Process, as shown in Figure 2.

3.4.1 Sign EMVCo Agreement

EMVCo and the product provider sign an EMVCo agreement covering the EMVCo Security

Evaluation Process, including confidentiality and other aspects.

This process step results in both the product provider and the EMVCo Security Evaluation

Secretariat receiving a signed version of the agreement.

3.4.2 Complete EMVCo Registration Form

The product provider completes a form (provided by EMVCo) defining details of the product

intended for evaluation, and related administrative information.

This process step results in the product provider providing the EMVCo Security Evaluation

Secretariat with the necessary completed EMVCo Registration Form (For IC, the EMVCo

Product Registration Questionnaire for Chip Providers and for ICC, the EMVCo Common

Payment Application Level 1 & Level 2 Implementation Conformance Statement, as provided for

functional approval).

3.4.3 Initial Discussion

Initial discussions between the product provider and the EMVCo Security Evaluation Secretariat

are conducted to develop a common understanding of the evaluation process and of the

underlying information required. If available, the product provider should submit evidence of

any security evaluations already carried out on the product in advance of the initial meeting.

This will enable the EMVCo Security Evaluation Secretariat’s staff to prepare for an efficient

meeting and resolve any questions and concerns in advance.

Figure 2—EMVCo Security Evaluation Process

[Figure not reproduced: process diagram showing the inputs and outputs of each step for the Product Provider, the Evaluation Laboratory, and the EMVCo Security Evaluation Secretariat.]

3.4.4 Product Design

If not already completed prior to the initiation of the EMVCo Evaluation Process, the product

provider finalizes the design of the product, or makes changes to the product as a response to

the requirements derived from the relevant security guidelines.

This phase may also include carrying out (or amending) a self- or third-party evaluation of the

security performance of the product and the underlying development and production processes.

This process step results in the product provider producing design documentation and product

samples.

3.4.5 Select Laboratory and Evaluation Details

Following a review by the EMVCo Security Evaluation Secretariat of any security evaluations of

the product performed by the product provider or a third party, the product provider and the

EMVCo Security Evaluation Secretariat agree on precise details of the EMVCo evaluation. This

includes a list of mandatory evaluations, and the selection of the laboratories to be used.

EMVCo recognizes a number of laboratories and these will be discussed with the product

provider. The product provider and the EMVCo Security Evaluation Secretariat agree on these

details during a dialogue. The EMVCo Security Evaluation Secretariat will take into account the

needs of the product provider, and any previous evaluation work, but reserves the final decision

about the minimum set of evaluations considered necessary within the EMVCo Security

Evaluation Process.

The product provider and the EMVCo Security Evaluation Secretariat will often reach this

agreement as part of the initial discussions, provided that the product provider and the EMVCo

Security Evaluation Secretariat agree that the product has already reached a sufficient maturity

to prepare the evaluation.

This process step results in:

The issue of Purchase Orders to the laboratories

The documentation of minimum evaluation details

Where necessary, product providers can agree to appropriate Non-Disclosure Agreements

(NDAs) with the laboratories at this stage.

3.4.6 Assess Product and Product Provider Infrastructure

The evaluation of the ICC, Platform or IC product includes a threat and vulnerability assessment

of identified security assets.

The EMVCo Security Evaluation Process considers security assets to be categorized as follows:

Primary assets:

PIN

Cryptographic keys

Secondary assets:

Application code, Operating System code

Application data (for example, cardholder-specific data and counter

values)

Transaction data (for example, log files)

Design information (for example, layout, process details, and test

code)

The vulnerability analysis should include currently known attacks (threats) as

described, at minimum, in JIL document Application of Attack Potential to

Smart Cards. At present, these include:

Power Analysis (e.g., SPA, DPA, IPA, etc.)

EMA

Timing Analysis

Probing (e.g., physical, active, passive, scanning, laser)

Reverse engineering (e.g. imaging, etching, staining)

Environmental manipulation (e.g. voltage, EMR, accelerated particle)

Device alteration (e.g., FIB, EMR)

Fault analysis (e.g., Single, Differential)

Cryptanalysis

Protocol attacks

The laboratories perform the required evaluation and provide evaluation reports documenting

the results.

Evaluation may include physical testing of product samples, assessment of the design

documentation, or auditing of the product provider’s development and production processes to

assure that social engineering, coercion, and bribery threats are addressed.

Evaluation reports are to be constructed as follows:

The contents should include a complete vulnerability analysis against the

threats discussed in the JIL group.

The contents should detail any residual vulnerabilities.

The conclusions of the evaluation should be based on guidance provided

in the JIL document Application of Attack Potential to Smartcard (current

version as published).

There should be sufficient reporting of penetration testing to prove that

the tests were completed as appropriate in order to reach the conclusions

on the assurance level.

There should be demonstration of equivalence to EAL4+ (especially,

AVA_VLA.4) in the report (this allows product providers to re-use the

results of their CC evaluations if they choose).

3.4.7 Submit Reports to EMVCo Security Evaluation Secretariat

The laboratory submits the EMVCo Evaluation Report to the EMVCo Security Evaluation

Secretariat.

3.4.8 Validate Laboratory Evaluation Reports

The EMVCo Security Evaluation Secretariat reviews the EMVCo Evaluation Report from the

evaluation laboratory.

At this stage, the EMVCo Security Evaluation Secretariat may require further evaluation to be

performed, in which case the process continues from the ‘Select Laboratory and Evaluation

Details’ step.

The EMVCo Security Evaluation Secretariat will use current JIL guidance upon which to base its

final judgments.

If the EMVCo Security Evaluation Secretariat considers that the evaluation provides sufficient

assurance, the EMVCo Security Evaluation Secretariat prepares an EMVCo Summary Report

and, if vulnerabilities have been discovered, a Residual Vulnerability Report as part of the

EMVCo Summary Report.

Note EMVCo will reserve final authority over the contents of the EMVCo Summary Report and any Risk Analysis Report.

3.4.9 Risk Analysis

Based on the evaluation results, and the reports generated as a result of the previous process

step (Validate Lab Evaluation Report), the product provider and the EMVCo Security Evaluation

Secretariat together – typically during a meeting – perform an assessment of the risks resulting

from the vulnerabilities discovered.

The product provider may decide to remedy the vulnerabilities discovered and re-start the

EMVCo Evaluation Process at the ‘Select Laboratory and Evaluation Details’ step.

If residual vulnerabilities are discovered that the EMVCo Security Evaluation Secretariat

considers significant enough to result in the issue of an EMVCo Restricted Compliance

Certificate, and the product provider decides not to remedy these vulnerabilities, the product

provider and the EMVCo Security Evaluation Secretariat jointly prepare a Risk Analysis Report

containing information for Issuing banks intending to use that product provider’s product.

The EMVCo Security Evaluation Secretariat will attempt to understand – and take into account –

the product provider’s wishes with respect to the content of the Risk Analysis Report. However,

EMVCo reserves its final authority over the content of this Risk Analysis Report to provide

issuers with reliable information for a valid risk assessment of their ICC projects.

3.4.10 Issue EMVCo Compliance Certificate

If the EMVCo Security Evaluation Secretariat concludes that sufficient assurance has been

demonstrated, EMVCo will issue the product provider with an EMVCo Compliance Certificate for

that product.

If the EMVCo Security Evaluation Secretariat concludes that vulnerabilities discovered during

the evaluation process are being satisfactorily addressed by the Product Provider and are

sufficiently explained by the Risk Analysis Report, EMVCo may issue the product provider with

an EMVCo Restricted Compliance Certificate for that product. Each certificate will contain a

unique four-digit reference number using the following convention:

ICCNxxxx – Integrated Circuit Certificate Number – a unique number

identifying the integrated circuit that has been certified, and its related

devices.

PCNxxxx – Platform Certificate Number – a unique number identifying the

Platform that has been certified.

CCNxxxx – Card Certificate Number – a unique number identifying the

ICC platform and application that has been certified.

RCCNxxxx – Restricted Card Certificate Number – a unique number

identifying the ICC platform and application that has been certified.

A list of all certificate numbers, and the product(s) to which they relate, is available from

EMVCo.

Note EMVCo also reserves the right to withdraw or not to issue an EMVCo Compliance Certificate or EMVCo Restricted Compliance Certificate where it is clear that the product does not offer sufficient protection against the threats identified in the relevant security guidelines.

