© 2011 EMVCo, LLC (“EMVCo”). All rights reserved. Any and all uses of the EMV Specifications (“Materials”) shall be permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx Page 1
EMV Security Guidelines
EMVCo Security Evaluation Process
Version 4.0 Release
December 2010
Copyright: The information contained in this manual is proprietary and confidential to EMVCo, LLC. This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of EMVCo, LLC.
Trademarks: EMV™ is a trademark owned by EMVCo, LLC. All third-party product and service names are trademarks or registered trademarks of their respective owners.
Media: This document is available on the EMVCo Web site at www.emvco.com
Legal Notice
This document summarizes EMVCo's present plans for IC, Platform and ICC Security
Evaluation services and related policies in the EMVCo Card Type Approval process and is
subject to change by EMVCo at any time without notice to any party.
Neither this document nor any other document or communication creates any binding
obligations upon EMVCo or any third party regarding testing services or EMVCo approval,
which obligations will exist, if at all, pursuant to separate written agreements executed by
EMVCo and such third parties.
In the absence of a written binding agreement pursuant to which EMVCo has agreed to perform
evaluation services for a product provider or to permit a third party to act as a test laboratory, no
product provider, test laboratory or any other third party should rely on this document, nor shall
EMVCo be liable for any such reliance.
No product provider, test laboratory nor other third party may refer to a product, service or
facility as EMVCo approved, in form or in substance, nor otherwise state or imply that EMVCo
(or any agent of EMVCo) has in whole or part approved a product provider, test laboratory or
other third party or its products, services, or facilities, except to the extent and subject to the
terms, conditions and restrictions expressly set forth in a written agreement with EMVCo, or in
an approval letter or certificate issued by EMVCo. All other references to EMVCo approval are
strictly prohibited by EMVCo.
Under no circumstances should EMVCo IC, Platform and ICC security evaluations, when
granted, be construed to imply any endorsement or warranty regarding the security,
functionality, quality, or performance of any particular product or service, and no party shall
state or imply anything to the contrary. EMVCo specifically disclaims any and all representations
and warranties with respect to products that have received security evaluations and to the Card
Type Approval process generally, including, without limitation, any implied warranties of
merchantability, fitness for purpose or noninfringement.
All warranties, rights and remedies relating to products and services that have received EMVCo
Card Type Approval are provided solely by the parties selling or otherwise providing such
products or services, and not by EMVCo, and EMVCo accepts no liability whatsoever in
connection with such products and services.
Unless otherwise agreed in writing by EMVCo, this document and matter contained herein,
including all products and services contemplated by this document are provided on an “as-is”
basis, “with all faults” and with no warranties whatsoever, and EMVCo specifically disclaims any
implied warranties of merchantability, fitness for purpose, or noninfringement.
Table of Contents:
Chapter 1 ~ About this Manual
1.1 Purpose
1.2 Audience
1.3 Revisions
1.4 Overview
1.5 Related information
1.6 Support
1.7 Abbreviations
1.8 Definitions
Chapter 2 ~ Overview
2.1 Background
2.2 Context within EMVCo Card Type Approval
2.3 EMVCo Security Evaluation
    2.3.1 The Role of EMVCo in the Security Evaluation Process
    2.3.2 IC Security Evaluation
    2.3.3 Platform Security Evaluation
    2.3.4 ICC Security Evaluation
2.4 Security Assurance
    2.4.1 Level of Assurance Requirement
2.5 Risk Management
2.6 Changes to Previously Approved Products
2.7 EMVCo Approval Renewal Date
2.8 Contact Details
Chapter 3 ~ Security Evaluation Process
3.1 Introduction
3.2 Security Evaluation Roles and Responsibilities
    3.2.1 Maintain Security Guidelines
    3.2.2 Design Product
    3.2.3 Test and Certify Product
    3.2.4 Security Monitoring
3.3 Certificates
    3.3.1 Certifiable Products
    3.3.2 Types of Certificates
3.4 Security Evaluation Process
    3.4.1 Sign EMVCo Agreement
    3.4.2 Complete EMVCo Registration Form
    3.4.3 Initial Discussion
    3.4.4 Product Design
    3.4.5 Select Laboratory and Evaluation Details
    3.4.6 Assess Product and Product Provider Infrastructure
    3.4.7 Submit Reports to EMVCo Secretariat
    3.4.8 Validate Laboratory Evaluation Reports
    3.4.9 Risk Analysis
    3.4.10 Issue EMVCo Compliance Certificate
Chapter 1 ~ About this Manual.
1.1 Purpose
This manual describes the requirements and procedures of the EMVCo Security Evaluation
Process for Integrated Circuit (IC), Platform (IC+OS) and Integrated Circuit Card (IC+OS+App)
products.
The EMVCo Security Evaluation Process is a subset of EMVCo Card Type Approval, as defined
by the EMVCo Card Type Approval Administrative Process document. Product providers shall
follow the registration process described in the Card Type Approval document to register their
products and initiate IC, Platform and ICC security evaluations by EMVCo.
Product providers shall follow the process outlined in this document – after the product
registration mentioned above – in order to gain security evaluation certificates for their products.
Such certification will allow product providers to sell ICC products to issuers of ICCs bearing the
brand marks of American Express, JCB, MasterCard, or Visa.
1.2 Audience
This manual is intended for:
Product providers – to enable them to gain certification of their IC, Platform and ICC products.
Issuers – to provide them with valuable and practical information relating to the general security performance characteristics and the 'suitability of use' of IC, Platform and ICC products.
1.3 Revisions
This new release extends the EMVCo Security Evaluation Process to include Platform products.
It describes this new process which is supported by a separate Security Guidelines document
for JavaCard and Global Platform Implementations. Platform Products that successfully pass
are assigned a unique Platform Certificate Number (PCN).
This release also updates the renewal policy, product approval policy and defines the new
EMVCo Restricted Compliance Certificate Number (RCCN).
Periodically, EMVCo will issue revisions to this document as and when enhancements,
changes, or corrections are required.
1.4 Overview
The following table provides an overview of this manual:
Chapter: Description
Table of Contents: A list of the manual's chapters and sections. Each entry references a chapter and page number.
Using this Manual: A description of the manual's purpose and contents, and a description of the terms used in this manual.
1 Overview: Provides a high-level overview of the EMVCo Security Evaluation Process, its rationale, and contact details.
2 Security Evaluation Process: A description of the overall EMVCo Security Evaluation Process, leading to the issue of an EMVCo Compliance Certificate. This chapter details the process during which a product is evaluated as part of the overall EMVCo Security Evaluation Process.
1.5 Related Information
The following documents provide information related to the subjects discussed in this manual:
EMVCo Specifications
EMVCo Card Type Approval Administrative Process
EMVCo Requirements for Security Evaluation Laboratories
EMVCo Security Guidelines for Smart Card Integrated Circuits
EMVCo CPA Secure Implementation Guidelines
EMVCo Security Guidelines for JavaCard and Global Platform Implementations including Mobile Payments
JIL Application of Attack Potential to Smart Cards (current version as published)
1.6 Support
For help and support, contact the EMVCo Security Evaluation Secretariat.
1.7 Abbreviations
Abbreviation Meaning
API Application Programming Interface
CC Common Criteria
CCD Common Core Definition
CPA Common Payment Application
DPA Differential Power Analysis
EMR Electro-Magnetic Radiation
EMA Electro-Magnetic Analysis
FIB Focused Ion Beam
GP GlobalPlatform
IC Integrated Circuit
ICC Integrated Circuit Card
IPA Inferential Power Analysis
ISCI International Security Certification Initiative
JHAS JIL Hardware Attack Subgroup
JIL Joint Interpretation Library
OS Operating System
RMI Remote Method Invocation
SPA Simple Power Analysis
1.8 Definitions
The following terms are relevant to the testing process:
Term: Definition
Application: Application intended to be executed on top of a Platform.
Approved product: A product that has been issued an EMVCo Compliance Certificate.
Card: A payment card as defined by a payment system. For the purpose of this document a Card comprises an Integrated Circuit, Operating System, Environment and one (or more) EMV Application(s).
Card Certificate Number: A unique four-digit reference number that identifies the EMVCo Compliance Certificate of an ICC.
Card Type Approval: Verification by EMVCo that the specified ICC product has demonstrated sufficient conformance to the EMV Specifications for its stated purpose.
Card Type Approval process: The steps necessary for an ICC product to obtain an EMVCo letter of approval.
Conformance: An ICC product meeting all EMVCo requirements defined for type approval including implemented optional requirements.
Chip: Electronic component(s) designed to perform processing and/or memory functions.
EMVCo: A Limited Liability Company established to maintain the EMV Specifications and administer type approval against those specifications.
EMVCo Compliance Certificate: A certificate issued by EMVCo when sufficient assurance has been demonstrated for an IC, Platform or ICC product.
EMVCo Restricted Compliance Certificate: A certificate issued by EMVCo when an IC, Platform or ICC product is found to have a vulnerability that is being addressed by the product provider.
EMVCo Security Evaluation Secretariat: EMVCo designated members who administer the EMVCo Security Evaluation Process.
EMV CCD: A subset of the EMV Specifications called Common Core Definition (CCD) made available by EMVCo.
Environment: Any software components and/or applications present on the ICC other than the EMV application(s) being submitted to testing for Card Type Approval.
Evaluation: Any activity that aims at verifying the conformance of a selected product or process to a given requirement under a given set of conditions.
Evaluation report: Document provided by a laboratory containing the test results for an IC, Platform or ICC product, or report pursuant to an evaluation of an IC or Platform product.
ICC Security Evaluation: The steps necessary for an ICC product to obtain an EMVCo Compliance Certificate.
IC Security Evaluation: The steps necessary for an IC product to obtain an EMVCo Compliance Certificate.
Integrated Circuit Card (ICC): see Card
Integrated Circuit(s) (IC): see Chip
Integrated Circuit Certificate Number: A unique four-digit reference number that identifies the EMVCo compliance certificate of an IC.
International Organization for Standardization (ISO): An international body that provides standards for financial transactions and telecommunication messages. ISO works in conjunction with the International Telecommunication Union (ITU) for standards that affect telecommunications. ISO supports specific technical committees and work groups to promulgate and maintain financial service industry standards.
International Security Certification Initiative: An international body that is establishing a global framework for mutual recognition of security evaluation procedures and certificates.
Laboratory: A facility that performs security evaluation testing.
Letter of approval: Written statement that documents the decision of EMVCo that a specified ICC product has demonstrated sufficient conformance to the EMV Specifications on the date of it being tested.
Multi-application card: An ICC that comprises more than one application, one of which being an EMV application.
Operating System (OS): Set of software components allowing an EMV application to be executed on a specific integrated circuit.
Payment System: For the purpose of this document, the Payment System is defined as JCB, MasterCard, or Visa.
Platform: A platform product is the collective name for the integrated circuit (IC) hardware with its dedicated software, Operating System (OS), Run Time Environment (RTE) and Platform environment on which one or more applications (e.g., CPA) can be executed.
Platform Certificate Number: A unique four-digit reference number that identifies the EMVCo Compliance Certificate of a Platform.
Platform Security Evaluation: The steps necessary for a Platform product to obtain an EMVCo Compliance Certificate.
Product provider: The entity that submits an IC, Platform or ICC product to EMVCo for Card Type Approval.
Sample: An ICC representative of a specific ICC product provided to a laboratory for testing.
Chapter 2 ~ Overview
This chapter provides a high-level overview of the EMVCo Security Evaluation Process, its
rationale, and contact details.
2.1 Background
2.2 Context within EMVCo Card Type Approval
2.3 EMVCo Security Evaluation
    2.3.1 The Role of EMVCo in the Security Evaluation Process
    2.3.2 IC Security Evaluation
        IC Product for IC Security Evaluation
    2.3.3 Platform Security Evaluation
        Platform Product for Platform Security Evaluation
    2.3.4 ICC Security Evaluation
        ICC Product for ICC Security Evaluation
2.4 Security Assurance
    2.4.1 Level of Assurance Requirement
2.5 Risk Management
2.6 Changes to Previously Approved Products
2.7 EMVCo Approval Renewal Date
2.8 Contact Details
2.1 Background
The main objective of the EMVCo Security Evaluation Process is to ensure that IC, Platform and
ICC products conform to EMVCo requirements and security guidelines. This document
describes the EMVCo Security Evaluation Process and explains how this process functions in
today's environment.
EMVCo acts as the security certification entity for all approvals relating to the security of IC,
Platform and ICC products and is responsible for overseeing the process and maintaining the
Security Evaluation Guidelines, such as:
Security Guidelines for Smart Card Integrated Circuits
Security Guidelines for JavaCard and Global Platform Implementations including Mobile Payments
CPA Secure Implementation Guidelines
These security guidelines support product providers when developing the product, and test
laboratories while performing security evaluations. The EMVCo Security Evaluation Secretariat is
responsible for administering the EMVCo Security Evaluation Process.
The EMVCo Security Evaluation Process evaluates the security features of the IC, Platform and
the ICC products. IC Security Evaluation includes the firmware and software routines required
to access the security functions of the IC. The Platform Security Evaluation includes the
integrated circuit (IC) hardware with its dedicated software, Operating System (OS), and
Platform environment on which one or more Java Card applications (e.g., CPA) can be
executed. The ICC Security Evaluation includes the IC, the operating system, and the payment
application(s) that reside on the ICC.
2.2 Context within EMVCo Card Type Approval
The EMVCo Security Evaluation Process is a subset of the EMVCo Card Type Approval
process. EMVCo identifies the following security and functional evaluations for IC, Platform and
ICC products:
Final Product: EMVCo Testing
Integrated Circuit: IC Security Evaluation
Platform: Platform Security Evaluation
Integrated Circuit Card: Card Type Approval Level 1 evaluation; Card Type Approval Level 2 evaluation; CCD components functional evaluation; Non-CCD components functional evaluation; ICC Security Evaluation
When a product has been found to meet the EMVCo security requirements, it will be issued an
EMVCo Compliance Certificate. EMVCo issues compliance certificates for:
IC products when the product provider successfully completes the IC Security Evaluation.
Platform products, including a specific approved IC product, when the product provider successfully completes the Platform Security Evaluation.
ICC products, including IC, platform and payment application, when the product provider successfully completes the ICC Security Evaluation.
For the final ICC product, the functional evaluation (Level 1 and Level 2) must be performed in
addition to ICC Security Evaluation for Card Type Approval. Please refer to EMVCo Card Type
Approval Administrative Process for further details on the functional evaluation (Level 1 and
Level 2).
An EMVCo Compliance Certificate for IC Security Evaluation or Platform Security Evaluation, if
appropriate, must be received prior to Card Type Approval and ICC Security Evaluation.
EMVCo will issue a Letter of Approval for an ICC product when the product provider
successfully completes all required security and functional evaluations.
2.3 EMVCo Security Evaluation
The EMVCo Security Evaluation Process is based on a complete set of published EMVCo
specifications, requirements and security guidelines which serve as the security requirements
for product providers.
In particular, the evaluation process reflects the structure of the ICC industry, taking into
account the relationships between the component suppliers of ICC products, their development
processes, and the fact that IC migrations are currently underway. It also reflects developments
in security evaluation methodology by the ICC industry, and combines independent evaluations
with internal security testing. This flexibility allows EMVCo to maintain high levels of security
assurance, while minimizing the financial burden on product providers.
The process establishes product providers as responsible for security evaluation and
demonstration of sufficiency within the EMVCo specifications, requirements and security
guidelines.
2.3.1 The Role of EMVCo in the Security Evaluation Process
EMVCo has established a common security evaluation process that is recognized by all
EMVCo participants. This process assists issuers in promoting the continuous
improvement of security standards for ICC implementations.
The methodology used in the evaluation process leverages a program of research
targeted at the leading edge of attack methodology. In addition, EMVCo has supported
the work of the JHAS group and will support ongoing security initiatives under proposed
JIL leadership, to maintain currency of a common set of threats and attacks.
This process benefits both issuers and product providers by defining a flexible,
'state-of-the-art', common security evaluation methodology that is recognized by all EMVCo
participants, thus saving time and avoiding the duplication of effort when evaluating IC,
Platform and ICC products. By making product providers responsible for the security
evaluation of their products, it allows EMVCo to focus on maintaining 'state-of-the-art'
threat assessment.
EMVCo does not, however, guarantee or provide any warranties for any product
provider's products, and the security evaluation process does not relieve issuers from
the need to make their own investigations to ensure the security or fitness for purpose of
any products. No ICC implementation can be 100% secure, but as explained later, the
EMVCo Security Evaluation Process provides issuers with additional information to
assist in their risk analysis with product providers.
Certificates will be issued through the EMVCo Security Evaluation Secretariat.
2.3.2 IC Security Evaluation
The EMVCo IC Security Evaluation considers the security of the IC product, and is
aimed at providing a high level of assurance in the security functions that are designed
to effectively deal with known attack methods.
Attack methods include threats such as reverse engineering, information leakage and
fault induction. The EMVCo Security Evaluation Process also takes into account the
security of the design, development, and delivery processes.
The IC security evaluation is performed by EMVCo recognized external security
evaluation laboratories and is funded by the product provider. Security evaluation can take
advantage of evaluation work already performed by product providers; however, this
may need to be supplemented by additional work.
IC Security Evaluation must include the following:
Logical testing of the platform to verify that the implementation conforms
to specifications and contains no known weaknesses.
Physical penetration testing of the platform to ensure that the
implementation uses countermeasures against potential weaknesses.
IC Product for IC Security Evaluation
The IC product submitted for IC Security Evaluation is uniquely identified as:
A specific integrated circuit with an
Environment, including firmware or software routines that allow
access to the security functions of the IC.
2.3.3 Platform Security Evaluation
The EMVCo Platform Security Evaluation will consider the security of the product
providers who develop the Platform product and how this product follows the relevant
security guidelines. An important factor will be how the product providers build upon the
security of the IC to provide security for the complete platform product.
The EMVCo Platform Security Evaluation Process must include the following:
Critical assets are protected with countermeasures able to resist 'state of
the art' attacks.
Runtime Environment must provide secure storage and execution space
for applications.
Platform services offered to the applications must be securely
implemented.
Application management must conform to specifications, and offer
defenses against known attacks.
The card content management (e.g., application downloading) must be
securely implemented.
o Security management (e.g., card locking)
o Security domains for multi-provider platforms
o Secure communication between the on-card representatives and off-
card systems
Platform security guidance document (similar to user guidance
documentation provided by chip hardware manufacturers).
Platform Product for Platform Security Evaluation
The Platform product submitted for Platform Security Evaluation is uniquely identified as:
A specific integrated circuit (IC) with its dedicated software
The Operating System (OS) software developed for a specific IC
The Run Time Environment (RTE) (e.g., Java Card)
The RTE API (or similar) that provides interface with the Application
Program
The Platform environment (e.g., GlobalPlatform) and in particular the
Security Domains with card content management privileges
Able to execute one or more applications (e.g., CPA).
2.3.4 ICC Security Evaluation
The ICC Security Evaluation will consider the security of the Operating Systems (OS)
and payment applications developed by the product providers, and how these
applications and operating systems follow the relevant security guidelines. An important
factor will be how the product providers build upon the security of the IC and the OS to
provide overall security for a payment application on the ICC.
The EMVCo ICC Security Evaluation Process must include the following:
OS testing will include secondary defenses against potential physical
vulnerabilities, and correctness of implementation.
Analysis of requirements specific to virtual machines such as MULTOS or
Java Card OS.
Implementation reviews will be conducted for financial applications, to
ensure a high level of assurance. This testing will include code reviews
and penetration testing.
When there is more than one application on an ICC with a proprietary
Operating System or a virtual machine, assurance will be sought to
demonstrate the firewalls between the applications, the lack of object
sharing, or both.
For some applications, a risk assessment may also be conducted. This
may also include the integration of off-card components if they perform an
important role in the security process.
The application loading mechanism (e.g., GlobalPlatform) will be tested to
verify conformance to specifications, and defenses against known
vulnerabilities.
ICC Product for ICC Security Evaluation
The ICC product submitted for ICC Security Evaluation is uniquely identified as:
The complete EMV CCD/CPA application(s)
present on a
Specific integrated circuit
with a
Specific operating system and transmission protocol(s)
surrounded by a specific
Environment including other non-EMV CCD applications and/or software
components.
2.4 Security Assurance
The EMVCo Security Evaluation Process strives for a high level of assurance for IC, Platform
and ICC products at all stages of the development process. The evaluation methodology strives
to achieve a balance between 'Black Box' and 'White Box' testing. This is achieved by carrying
out a security analysis that considers all viable attacks on a product, and derives a set of
penetration tests based on individual product characteristics.
EMVCo recognized external evaluation laboratories perform security evaluations using the
relevant EMV Security Guidelines and externally developed testing tools. EMVCo may leverage
previous work performed by the product provider. EMVCo recognizes the methodology used in
some formal evaluation schemes (e.g. Common Criteria), but will only accept full evaluation
reports as evidence of such.
The EMVCo Security Evaluation Process reflects a partnership with product providers, and
seeks to minimize the cost and time spent in performing evaluation work and, where possible, to
avoid the duplication of effort. By leveraging the modular evaluation methodology of
Common Criteria, evaluations that are based on a core family of devices can use delta
evaluations to manage product migration. Associated design and production processes are
evaluated once, and the paperwork overhead is reduced.
The EMVCo Security Evaluation Secretariat supports the process with an R&D program to seek
optimum awareness of threats and defenses whilst maintaining confidential relationships with
laboratories and product providers.
The output from the EMVCo Security Evaluation Process is an EMVCo Compliance Certificate
with:
A number that identifies a single approval path from product provider,
through manufacturer, to issuer.
A date that reflects the status of the EMVCo security guidelines at the
time of evaluation.
Product providers must present their EMVCo Compliance Certificate number to issuers, as
proof that their product has been evaluated via the EMVCo Security Evaluation Process.
Note: Issuers should always check both the status and the date of any EMVCo Compliance Certificate.
In some cases where a potential vulnerability is found, an EMVCo Restricted Compliance
Certificate may be issued. If this happens, the product provider is made fully aware of the
details of any such problems, and EMVCo will work with the product provider to achieve two
things:
That the vulnerability is adequately communicated by the product provider
to issuers to enable them to assess their own risks
That a plan is put in place by the product provider with the assistance
from EMVCo to introduce a revised product that reduces the vulnerability
EMVCo also reserves the right to withdraw or not to issue an EMVCo
Compliance Certificate or EMVCo Restricted Compliance Certificate
when the product does not offer sufficient protection.
EMVCo Approved IC, Platform and ICC products are granted certificates or restricted
certificates with an issue date, and are placed on the EMVCo Approved Products list. Each
certificate has a unique ICCN (Integrated Circuit Certification Number), PCN (Platform
Certification Number), or CCN (Card Certification Number). Approved products are placed on
the EMVCo Approved Products List for three years, unless the certificate is withdrawn or the
product is superseded by newer products. After three years, products will remain on the list
subject to passing an annual security review. The older a product is, the greater the array of
attacks it may be subject to; therefore, annual security assessments are carried out following the
initial 3 year assessment. Products that reach the 6 year limit on the EMVCo Approved
Products list will be removed.
Please refer to EMVCo Card Type Approval Administrative Process for further details on Card
Approval renewal.
2.4.1 Level of Assurance Requirement
The level of Assurance Requirement is High as described in the JIL document
Application of Attack Potential to Smartcard (current version as published).
2.5 Risk Management
The finance industry is a risk management business that has to constantly monitor
vulnerabilities and threats. Fraud migrates to the lowest level of defenses in a system and the
security features of the payment application should provide a number of risk management
measures. The EMVCo Security Evaluation Process supplements this by making ICC Security
Evaluation a necessary part of the product provider’s product design and development process.
When a product provider sells a product, that product provider should be able to explain the
testing that has been carried out in order to verify conformance with EMVCo security guidelines.
The level of testing is continuously increasing to reflect ‘state-of-the-art’ attack potential.
Consequently, the introduction of new products should offer a higher level of protection against
the latest threats. However, no testing can anticipate all potential future attacks. Security, by
definition, is an ongoing process – as time progresses, attack and defense become a race.
EMVCo endeavors to be always one step ahead of the attacker.
Issuers should constantly bear in mind that there is no such thing as perfect security. The
primary assets on an ICC product are the secret keys and the PIN. There are also secondary
assets (i.e., assets that can be used to compromise a primary asset) such as the security
counters (e.g., the Application Transaction Counter). An attack made with sufficient effort (in
terms of skills, equipment, and time) will always succeed in compromising those assets. The
EMVCo Security Evaluation Process aims to identify vulnerabilities in these terms to fit into a
formal Risk Analysis of a system.
A secure system must implement defenses at all levels, and issuers should develop separate
strategies for prevention, detection, and recovery. There are essentially two motivations for an
attacker: publicity, and reward. Incident management procedures should be planned for each,
and appropriate security measures should be taken to limit the likely rewards that an attacker
may achieve for their efforts.
In the event that an IC, Platform or ICC product only receives an EMVCo Restricted Compliance
Certificate, the product provider should be in a position to explain the reasons, and offer
guidance about the potential risks to an issuer’s implementation plans. Issuers may mitigate
these risks – to a level that is acceptable to them – by using other security measures (such as
the use of online transactions, limited issuance, etc.).
2.6 Changes to Previously Approved Products
The EMVCo Security Evaluation Process reflects a partnership with product providers, and
seeks to minimize the cost and time spent in performing evaluation work and, where possible, to
avoid the duplication of effort.
By leveraging the modular evaluation methodology of Common Criteria, evaluations that are
based on a core family of devices can use delta evaluations to manage product migration. Any
change to a product will require a security impact analysis which must be provided to, and
approved by, the EMVCo Security Evaluation Secretariat.
Based on the security impact analysis, a delta evaluation may need to be performed before the
EMVCo Compliance Certificate can be issued for a changed product.
2.7 EMVCo Approval Renewal Date
The approval for an IC, Platform and/or ICC product applies as of the date of the certificate, but
the product will generally be placed on the EMVCo Approved Products list for three years.
Unless the certificate is previously withdrawn or the product is superseded by newer products
from a product provider, products with an EMVCo Compliance Certificate will be removed from
the EMVCo Approved Products list after three years. Products that reach the 6 year limit will be
removed from the list.
Please refer to EMVCo Card Type Approval Administrative Process for further details on Card
Approval renewal.
Products seeking renewal must comply with current security guidelines. For product approval
renewal, contact the EMVCo Security Evaluation Secretariat.
2.8 Contact Details
The EMVCo Security Evaluation Secretariat is the contact point for any discussions about
security evaluations.
Chapter 3 ~ Security Evaluation Process
This chapter describes the EMVCo Security Evaluation Process, leading to the issue of an
EMVCo Compliance Certificate.
3.1 Introduction
3.2 Security Evaluation Roles and Responsibilities
3.2.1 Maintain Security Guidelines
3.2.2 Design Product
3.2.3 Test and Certify Product
3.2.4 Security Monitoring
3.3 Certificates
3.3.1 Certifiable Products
3.3.2 Types of Certificates
3.3.2 EMVCo Compliance Certificate
3.3.2 EMVCo Restricted Compliance Certificate
3.4 Security Evaluation Process
3.4.1 Sign EMVCo Agreement
3.4.2 Complete EMVCo Registration Form
3.4.3 Initial Discussion
3.4.4 Product Design
3.4.5 Select Laboratory and Evaluation Details
3.4.6 Assess Product and Product Provider Infrastructure
3.4.7 Submit Reports to EMVCo Secretariat
3.4.8 Validate Laboratory Evaluation Reports
3.4.9 Risk Analysis
3.4.10 Issue EMVCo Compliance Certificate
3.1 Introduction
The EMVCo Security Evaluation Process consists of a set of related sub-processes, which
together are designed to fulfill EMVCo objectives, namely:
To enable issuers to carry out knowledge-based risk assessments for
their chip card programs.
To facilitate coordinated continuous improvement in the security of
financial transactions.
This chapter describes the various activities and sub-processes.
Figure 1 depicts an overview of EMVCo Security Evaluation.
Figure 1—EMVCo Security Evaluation Overview
[Flow diagram; only its labels survive.
Sub-processes: Maintain Security Guidelines; Design Product; Test and Certify Product; Security Monitoring (internal to members/issuers).
Parties: EMVCo; Product Provider; EMVCo Security Evaluation Secretariat; Laboratories.
Flows: Security Guidelines; product samples and design documentation; existing evaluation results (optional); EMVCo Compliance Certificate (if sufficiently compliant); EMVCo Restricted Compliance Certificate and Risk Analysis Report (if vulnerabilities determined); information to manage security incidents; new threat reported from the field; new threats discovered; new threat information to laboratories; New Threat Sensitivity Report (to Product Provider).]
3.2 Security Evaluation Roles and Responsibilities
The following sections describe the various EMVCo Security Evaluation sub-processes:
Maintain Security Guidelines
Design Product
Test and Certify Product
Security Monitoring
3.2.1 Maintain Security Guidelines
EMVCo maintains a set of guidelines that provide security guidance for the design of ICC
products. These guidelines are available to product providers to assist in the development of
their IC, Platform, and ICC products and to laboratories to assist in evaluating IC, Platform, and
ICC products within the framework of the EMVCo Security Evaluation Process.
The most recent security guidelines are available from EMVCo.
3.2.2 Design Product
The product provider designs its products in accordance with the applicable security guidelines.
3.2.3 Test and Certify Product
The product provider’s product, and where considered necessary, the related processes, are
assessed to determine if the product provider has sufficiently taken threats and attacks into
account.
Refer to the Security Evaluation Process section for further details of the ‘Test and Certify
Product’ process.
3.2.4 Security Monitoring
The EMVCo Security Evaluation Secretariat operates an ongoing process to check certified
products against newly identified attacks and risks for the purpose of risk management.
The EMVCo Security Evaluation Secretariat continuously monitors threats and security
developments within the smart card market. The EMVCo Security Evaluation Secretariat
conducts research and development – both itself, and with security evaluation laboratories – to
identify new threats, attacks, and security evaluation methodologies.
Where it considers this necessary (and where it is able to do so given confidentiality restrictions)
the EMVCo Security Evaluation Secretariat may inform product providers about newly
discovered vulnerabilities of their certified products, thus enabling and supporting the product
provider to minimize consequent risks, and to support their customers’ risk management. This
may also include the withdrawal of an EMVCo Compliance Certificate or an EMVCo Restricted
Compliance Certificate.
3.3 Certificates
Compliance certificates issued by EMVCo confirm that the product provider’s product(s)
identified on the certificate have undergone the appropriate security evaluation, and that a risk
analysis on any significant residual vulnerability has been performed (where applicable).
3.3.1 Certifiable Products
Following a successful IC Security Evaluation, EMVCo issues an EMVCo Compliance
Certificate for the integrated circuit component of an ICC.
Similar variations of the same product – such as an IC core, but with various memory
configurations – can be assessed as a single subject, and covered by a single certificate.
Following a successful Platform Security Evaluation, EMVCo issues an EMVCo Compliance
Certificate for the integrated circuit (IC) hardware with its dedicated software, Operating System
(OS), Platform environment on which one or more Applications (e.g., CPA) can be executed.
Following a successful ICC Security Evaluation, EMVCo issues an EMVCo Compliance
Certificate for the combined IC platform, the operating system, and the payment application(s)
components of an ICC.
3.3.2 Types of Certificate
A certificate may be issued in one of two variants, depending on whether any significant residual
vulnerability was discovered during the evaluation process.
EMVCo Compliance Certificate
If any residual vulnerability discovered during the evaluation process is considered by the
EMVCo Security Evaluation Secretariat to be below the level that EMVCo regards as significant,
then EMVCo will issue an EMVCo Compliance Certificate for that product.
EMVCo Restricted Compliance Certificate
If significant residual vulnerabilities are discovered during the evaluation process but are
considered a manageable risk by the EMVCo Security Evaluation Secretariat, are sufficiently
explained in the Risk Analysis Report, and are being satisfactorily addressed by the product
provider, EMVCo will issue an EMVCo Restricted Compliance Certificate for that product.
EMVCo are entitled to publish non-security related details of restricted compliance certificates.
Consequently, the product provider will be required to inform the issuer (or other product
providers to whom that product provider intends to sell the product covered by an EMVCo
Restricted Compliance Certificate) of the product vulnerabilities so they may understand the risk
in using the restricted product. This is necessary so that the product provider’s customers can
accommodate the remaining risks within their own risk assessments, and introduce appropriate
countermeasures against these remaining risks into their own systems.
3.4 Security Evaluation Process
The remaining sections of this chapter describe the individual actions within the EMVCo
Security Evaluation Process, as shown in Figure 2.
3.4.1 Sign EMVCo Agreement
EMVCo and the product provider sign an EMVCo agreement covering the EMVCo Security
Evaluation Process, including confidentiality and other aspects.
This process step results in both the product provider and the EMVCo Security Evaluation
Secretariat receiving a signed version of the agreement.
3.4.2 Complete EMVCo Registration Form
The product provider completes a form (provided by EMVCo) defining details of the product
intended for evaluation, and related administrative information.
This process step results in the product provider providing the EMVCo Security Evaluation
Secretariat with the necessary completed EMVCo Registration Form (For IC, the EMVCo
Product Registration Questionnaire for Chip Providers and for ICC, the EMVCo Common
Payment Application Level 1 & Level 2 Implementation Conformance Statement, as provided for
functional approval).
3.4.3 Initial Discussion
Initial discussions between the product provider and the EMVCo Security Evaluation Secretariat
are conducted to develop a common understanding of the evaluation process and of the
underlying information required. If available, the product provider should submit evidence of
any security evaluations already carried out on the product in advance of the initial meeting.
This will enable the EMVCo Security Evaluation Secretariat’s staff to prepare for an efficient
meeting and resolve any questions and concerns in advance.
Figure 2—EMVCo Security Evaluation Process
[Process diagram; only its labels survive.
Parties: Product Provider; Evaluation Laboratory; EMVCo Security Evaluation Secretariat.
Steps: Sign EMVCo Agreement; Complete EMVCo Registration Form; Initial Discussion; Product Design; Select Laboratory and decide Assessment Details; Assess Product Provider’s Infrastructure and Product; Submit report to EMVCo Security Evaluation Secretariat; Validate Lab Assessment Report; Risk Analysis (if considered necessary); Issue EMVCo Compliance Certificate.
Inputs and outputs: EMVCo Agreement Form; EMVCo Agreement; EMVCo Registration Form; Registration Details; EMVCo Registration; Security Guidelines; Product Provider’s Sample Products; Product Provider’s Design Documentation; Evaluation Details; Purchase Order to Lab; EMVCo Evaluation Report; EMVCo Summary Report; Residual Vulnerability Report; Risk Analysis Report; Certificate Template (e-mail); EMVCo Compliance Certificate (may be ‘Restricted’).]
3.4.4 Product Design
If not already completed prior to the initiation of the EMVCo Evaluation Process, the product
provider finalizes the design of the product, or makes changes to the product as a response to
the requirements derived from the relevant security guidelines.
This phase may also include carrying out (or amending) a self- or third-party evaluation of the
security performance of the product and the underlying development and production processes.
This process step results in the product provider producing design documentation and product
samples.
3.4.5 Select Laboratory and Evaluation Details
Following a review by the EMVCo Security Evaluation Secretariat of any security evaluations of
the product performed by the product provider or a third party, the product provider and the
EMVCo Security Evaluation Secretariat agree on precise details of the EMVCo evaluation. This
includes a list of mandatory evaluations, and the selection of the laboratories to be used.
EMVCo recognizes a number of laboratories and these will be discussed with the product
provider. The product provider and the EMVCo Security Evaluation Secretariat agree on these
details during a dialogue. The EMVCo Security Evaluation Secretariat will take into account the
needs of the product provider, and any previous evaluation work, but reserves the final decision
about the minimum set of evaluations considered necessary within the EMVCo Security
Evaluation Process.
The product provider and the EMVCo Security Evaluation Secretariat will often reach this
agreement as part of the initial discussions, provided that the product provider and the EMVCo
Security Evaluation Secretariat agree that the product has already reached a sufficient maturity
to prepare the evaluation.
This process step results in:
The issue of Purchase Orders to the laboratories
The documentation of minimum evaluation details
Where necessary, product providers can agree to appropriate Non-Disclosure Agreements
(NDAs) with the laboratories at this stage.
3.4.6 Assess Product and Product Provider Infrastructure
The evaluation of the ICC, Platform or IC product includes a threat and vulnerability assessment
of identified security assets.
The EMVCo Security Evaluation Process considers security assets to be categorized as follows:
Primary assets:
PIN
Cryptographic keys
Secondary assets:
Application code, Operating System code
Application data (for example, cardholder-specific data and counter
values)
Transaction data (for example, log files)
Design information (for example, layout, process details, and test
code)
The vulnerability analysis should include currently known attacks (threats) as
described, at minimum, in JIL document Application of Attack Potential to
Smart Cards. At present, these include:
Power Analysis (e.g., SPA, DPA, IPA, etc.)
EMA
Timing Analysis
Probing (e.g., physical, active, passive, scanning, laser)
Reverse engineering (e.g. imaging, etching, staining)
Environmental manipulation (e.g. voltage, EMR, accelerated particle)
Device alteration (e.g., FIB, EMR)
Fault analysis (e.g., Single, Differential)
Cryptanalysis
Protocol attacks
The laboratories perform the required evaluation and provide evaluation reports documenting
the results.
Evaluation may include physical testing of product samples, assessment of the design
documentation, or auditing of the product provider’s development and production processes to
assure that social engineering, coercion, and bribery threats are addressed.
Evaluation reports are to be constructed as follows:
The contents should include a complete vulnerability analysis against the
threats discussed in the JIL group.
The contents should detail any residual vulnerabilities.
The conclusions of the evaluation should be based on guidance provided
in the JIL document Application of Attack Potential to Smartcard (current
version as published).
There should be sufficient reporting of penetration testing to prove that
the tests were completed as appropriate in order to reach the conclusions
on the assurance level.
There should be demonstration of equivalence to EAL4+ (especially,
AVA_VLA.4) in the report (this allows product providers to re-use the
results of their CC evaluations if they choose).
3.4.7 Submit Reports to EMVCo Security Evaluation Secretariat
The laboratory submits the EMVCo Evaluation Report to the EMVCo Security Evaluation
Secretariat.
3.4.8 Validate Laboratory Evaluation Reports
The EMVCo Security Evaluation Secretariat reviews the EMVCo Evaluation Report from the
evaluation laboratory.
At this stage, the EMVCo Security Evaluation Secretariat may require further evaluation to be
performed, in which case the process continues from the ‘Select Laboratory and Evaluation
Details’ step.
The EMVCo Security Evaluation Secretariat will use current JIL guidance upon which to base its
final judgments.
If the EMVCo Security Evaluation Secretariat considers that the evaluation provides sufficient
assurance, the EMVCo Security Evaluation Secretariat prepares an EMVCo Summary Report
and, if vulnerabilities have been discovered, a Residual Vulnerability Report as part of the
EMVCo Summary Report.
Note: EMVCo will reserve final authority over the contents of the EMVCo Summary Report and any Risk Analysis Report.
3.4.9 Risk Analysis
Based on the evaluation results, and the reports generated as a result of the previous process
step (Validate Lab Evaluation Report), the product provider and the EMVCo Security Evaluation
Secretariat together – typically during a meeting – perform an assessment of the risks resulting
from the vulnerabilities discovered.
The product provider may decide to remedy the vulnerabilities discovered and re-start the
EMVCo Evaluation Process at the ‘Select Laboratory and Evaluation Details’ step.
If residual vulnerabilities are discovered that the EMVCo Security Evaluation Secretariat
considers significant enough to result in the issue of an EMVCo Restricted Compliance
Certificate, and the product provider decides not to remedy these vulnerabilities, the product
provider and the EMVCo Security Evaluation Secretariat jointly prepare a Risk Analysis Report
containing information for Issuing banks intending to use that product provider’s product.
The EMVCo Security Evaluation Secretariat will attempt to understand – and take into account –
the product provider’s wishes with respect to the content of the Risk Analysis Report. However,
EMVCo reserves its final authority over the content of this Risk Analysis Report to provide
issuers with reliable information for a valid risk assessment of their ICC projects.
3.4.10 Issue EMVCo Compliance Certificate
If the EMVCo Security Evaluation Secretariat concludes that sufficient assurance has been
demonstrated, EMVCo will issue the product provider with an EMVCo Compliance Certificate for
that product.
If the EMVCo Security Evaluation Secretariat concludes that vulnerabilities discovered during
the evaluation process are being satisfactorily addressed by the Product Provider and are
sufficiently explained by the Risk Analysis Report, EMVCo may issue the product provider with
an EMVCo Restricted Compliance Certificate for that product. Each certificate will contain a
unique four-digit reference number using the following convention:
ICCNxxxx – Integrated Circuit Certificate Number – a unique number
identifying the integrated circuit that has been certified, and its related
devices.
PCNxxxx – Platform Certificate Number – a unique number identifying the
Platform that has been certified.
CCNxxxx – Card Certificate Number – a unique number identifying the
ICC platform and application that has been certified.
RCCNxxxx – Restricted Card Certificate Number – a unique number
identifying the ICC platform and application that has been certified.
A list of all certificate numbers, and the product(s) to which they relate, is available from
EMVCo.
Note: EMVCo also reserves the right to withdraw or not to issue an EMVCo Compliance Certificate or EMVCo Restricted Compliance Certificate where it is clear that the product does not offer sufficient protection against the threats identified in the relevant security guidelines.