Visa Mobile Proximity Payment Testing & Compliance Requirements

Transcription

1 Visa Mobile Proximity Payment Testing & Compliance Requirements For Mobile Products Version 5.4 June 2016 Visa Public

2 DISCLAIMER Visa s testing services and polices are subject to change at any time in Visa s sole discretion, with or without notice. This document does not create any binding obligations on Visa regarding Visa testing services or product approval. Any such obligations, to the extent they exist at all, are pursuant to separate written agreements between Visa and the party submitting products for testing and approval. In the absence of a fully-executed written agreement under which Visa has agreed to perform testing services for you or your company you should not rely on this document, nor shall Visa be liable for any such reliance (detrimental or otherwise).

3 Contents 1 Preface Audience Purpose Scope and Assumptions Support and Contact Information Visa Business Requirements Vendor Registration and Licensing Specifications and Requirements Terms and Definitions Abbreviations and Terminology Mobile Testing Overview Products Accepted for Testing Mobile Component Overview Mobile Component Descriptions UICC or Embedded Secure Element Component Handsets MicroSD Mobile Accessory Component Specification and Compliance Security Testing Certification Process, Laboratories and Documentation Certification Process Overview Certification Areas By Organization EMVCo Mobile Product Level 1 Testing GlobalPlatform Qualification Testing Cross Testing Test Plans and Test Tools Test Laboratories Starting the Product Submission Process Submission of Testing Materials for Functional Testing June Visa. All Rights Reserved. Page 3 of 74Page

4 5.1 Requirements for Product Submission Over the Air (OTA) Testing Testing Over a Contact Interface Utilizing Test Results between Products Tested Combinations Policy Compliance Letters Legal Conditions and Restrictions Requesting a Compliance Letter Compliant Products List Changes to Products with a Compliance Letter Lifecycle Management and Renewal of Compliance Letters Secure Element Lifecycle Management Secure Element Renewals Mobile Handset and Accessory Renewals Secure Element Products Renewal Process General Conditions and Exceptions A Appendix A A.1 Revision History B Appendix B B.1 Testing Requirements for Changes to a Compliant Mobile Product B.2 Testing Requirements C Appendix C C.1 Submission Requirements June Visa. All Rights Reserved. Page 4 of 74Page

5

6 1 Preface 1.1 Audience This document is intended for vendors submitting the following mobile proximity payment product configurations to Visa for testing: Secure Element (UICC, microsd, embedded secure element) Handset (HCE, UICC and ese execution environments) Mobile Accessory Combinations of secure element, handset and accessory 1.2 Purpose This document provides detailed information related to the Visa testing submission process and the testing requirements for mobile proximity payment products. The intent of the document is to identify the forms and documents needed to correctly submit products for testing. The document also identifies testing requirements and process that are applied to specific mobile proximity payment products that a vendor may submit. 1.3 Scope and Assumptions The design of a mobile product with a payment application may vary significantly between vendors and products, so it is necessary to make certain assumptions regarding common functionality in order to perform testing on a mobile product while minimizing the effort and cost of testing. These assumptions include but are not limited to the following: The mobile product complies with all required EMVCo and Visa contactless specifications and Visa testing requirements. An approved mobile payment applet developed to Visa Mobile Contactless Payment Specification (hence forth referred to as VMPA applet ) will reside on a GlobalPlatform compliant secure element physically separated from the low level contactless analogue interface component. Based on the product configuration digital functionality may or may not be separated from the secure element. The secure element complies with GlobalPlatform (GP) specifications and may be directly connected to the proximity communication antenna (in this case, no separate contactless digital interface component). Products that are not developed GP specifications are outside the scope of this document. Testing for compliance does not include testing of the user interface application (commonly referred to as a wallet). The antenna and low level analogue interface components may be powered by the host product s battery or independently powered. A handset shall be in an operational state. It shall be able to perform a payment transaction without any remote activation of controls. However, it is not necessary for a June Visa. All Rights Reserved. Page 6 of 74Page

7 handset to have an active subscription enabled on a Mobile Network Operator ( MNO ) since testing is not performed when the handset is connected to the MNO. For testing purposes, it shall be possible to remotely activate the contact and the contactless interface via defined commands sent to a client application residing in the handset. Refer to VMPA Test Tool Interface Requirements (Book 6). For handsets with an Operating System that supports Host-based Card Emulation (HCE) Vendors must submit samples configured to support the secure element path for payment and HCE path for payment. This document does not address additional Visa regional business requirements that may be required prior to deployment. 1.4 Support and Contact Information Visa s goals are to provide a formal, standardized process for testing mobile payment products and to enhance communication between all participants in the product testing and compliance process. Approval Services provides a single point of contact for vendors, testing laboratories and Visa personnel. Approval Services Contact Information Contact Method address: Visa Technology Partner Website: Address (for sending legal agreements and samples for cross testing) Contact Information ApprovalServices@visa.com Visa Inc. Approval Services Mailstop M4-2D 900 Metro Center Blvd. Foster City, CA 94404, USA 1.5 Visa Business Requirements This document addresses Visa s testing requirements for mobile components; however, there are some additional business requirements that may be required prior to any deployment in the Visa system. Vendors should contact their regional Visa representative for details. June Visa. All Rights Reserved. Page 7 of 74Page

8 1.6 Vendor Registration and Licensing All mobile payment product manufacturers must register on the Visa Technology Partner website and have executed the appropriate testing agreement before they are eligible to submit a product for testing. A vendor that submits a product for Visa compliance testing is not required to license Visa mobile specifications or mobile software from Visa if; the product does not include a secure element, or the product includes a secure element, but the vendor does not and will not have the keys to access the security domain where the Visa-developed VMPA applet resides. An example would be a handset submission that only supports HCE - a submission in which the handset does not contain a built-in secure element or UICC that is to be included in the compliance recognition from Visa. Secure element suppliers and vendors who will be submitting products with a secure element and have the keys to the security domain where the Visa-developed VMPA applet resides must license the applicable Visa mobile specifications and software. Licensing is handled by the Visa Technology Partner website. A Visa-recognized laboratory (hereafter referred to in this document as laboratory ) may only accept mobile payment products for official compliance testing from vendors authorized by Visa. Vendors wishing to perform debug QA testing at a laboratory do not need prior authorization from Visa. June Visa. All Rights Reserved. Page 8 of 74Page

9 The definitions for seeking to become a Visa mobile payment product vendor are described below: Vendor Chip/OS Component Supplier Secure Element Supplier Mobile Product Supplier Definition The entity that supplies Chip/OS packages must have executed the necessary agreements with Visa to allow it to submit chip/os component packages (in an ID1 card format) directly to Visa for testing. The entity that provides the final Secure Element product and takes responsibility for the entire package: operating system, application, embedding of module and, when applies, the inlay/antenna. The entity that manufactures a mobile product capable of hosting the Secure Element and performing a Visa mobile contactless transaction. June Visa. All Rights Reserved. Page 9 of 74Page

10 1.7 Specifications and Requirements Vendors are responsible for licensing and developing their products to comply with the appropriate specifications and requirements. The major relevant documents are listed in the table below. This list is not exhaustive of all specifications and requirements that may be used in the development of a Visa-compliant mobile payment product. The vendor developing a mobile payment product is ultimately responsible for obtaining all specifications and requirements relevant to the mobile payment product it submits for testing and compliance. Documentation Acronyms Document Acronym [EMV_SEWG] [EMV-CCP] [ETSI-001] [MA] [SIM-PROF] [VCSP] [VMCPS] [VMG-IUF] [VMG-IUP] [VMG-SCF] [VMG-SCP] [VMPA_MFPR] [VMPA_TP] [VTKPM] Document Title EMVCo Security Evaluation Process EMV Contactless Communication Protocol Specification. Also known as Book D ETSI TS UICC - Contactless Front-end (CLF) Interface; part 1 physical and data link layer characteristics Multi-Access Specification for VMPA SIM Profile Requirements for Functional Testing Visa Chip Security Program Security Testing Process Visa Mobile Contactless Payment Specification Visa Mobile Gateway. Issuer Update Functional Specification Visa Mobile Gateway. Issuer Update Protocol Specification Visa Mobile Gateway. Secure Channel Functional Specification Visa Mobile Gateway. Secure Channel Protocol Specification Minimum Platform Functional Requirements for VMPA Implementations Visa Mobile Contactless Payment Specification Functional Testing Requirements Visa Toolkit & Process Message Specification June Visa. All Rights Reserved. Page 10 of 74Page

11 1.8 Terms and Definitions Term EMVCo Handset microsd Mobile Application Mobile Device Near Field Communications Secure Element SIM SWP UICC User Interface VMPA VMPA Applet VMPA Core VMPA UICC Definition EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It accomplishes this by managing and evolving the EMV Specifications and related testing processes. This includes, but is not limited to, card and terminal evaluation, security evaluation, and management of interoperability issues. Today there are EMV Specifications based on contact chip, contactless chip, common payment application (CPA), card personalisation, and tokenisation. This work is overseen by EMVCo s six member organisations American Express, Discover, JCB, MasterCard, UnionPay, and Visa. Another term for a mobile device, usually a mobile phone handset An extended and removable memory card which may integrate a Secure Element. A memory card integrating a Secure Element may be plugged into a mobile handset. The interface that manages the interactions between the handset user and the VMPA applet. Also referred to as Visa Mobile Application or wallet. A portable electronic device with contactless and wide area communication capabilities. Mobile devices include mobile phones and other consumer electronic devices A short range contactless proximity technology based on ISO/IEC 18092, which provides for ISO/IEC compatible communications A tamper resistant module, capable of hosting applications in a secure manner Subscriber Identity Module an application on a UICC for management of mobile telephony authentication and functionality. Single Wire Protocol the electrical and protocol interface for connecting a UICC to a contactless component. Defined by [ETSI-001] Universal Integrated Circuit Card the physical integrated circuit card which hosts the (U)SIM and other applications Input and output components on a mobile device, for example, display, keyboard and touch screen. Visa Mobile Payment Application Visa Mobile Contactless Payment application hosted in the Secure Element A software application developed to [VMCPS] and [MA] that resides on a Secure Element in a mobile device. A version of the VMPA applet that excludes functionality required by UICC form factors. A version of the VMPA applet that includes functionality required by UICC form factors. June Visa. All Rights Reserved. Page 11 of 74Page

12 1.9 Abbreviations and Terminology Abbreviation Terminology AID Application Identifier APDU Application Protocol Data Unit API Application Programming Interface AS Approval Services ATS Answer to Select CLF Contactless Front-end CPS Card Personalization Specification DES Data Encryption Standard ETSI European Telecommunication Standards Institute GP GlobalPlatform HCE Host-based Card Emulation HCI Host Controller Interface, defined by ETSI TS IC Integrated Circuit ICCN Integrated Circuit Certificate Number ICS Implementation Conformance Statement ISD Issuer Security Domain NFC Near Field Communications OS Operating System OTA Over the Air PCN Platform Certificate Number POS Point of Sale QA Quality Assurance RF Radio Frequency SE Secure Element SIM Subscriber Identification Module SWP Single Wire Protocol, defined by [ETSI-001] TTIA Test Tool Interface Application UAT User Acceptance Testing UI User Interface UICC Universal Integrated Circuit Card (U)SIM Universal Subscriber Identification Module VMPA Visa Mobile Payment Application VMCPS Visa Mobile Contactless Payment Specification VTKPM Visa Toolkit and Process Message June Visa. All Rights Reserved. Page 12 of 74Page

13 2 Mobile Testing Overview Visa oversees testing of mobile proximity payment products that will be used to conduct Visa paywave payment transactions to ensure that they comply with Visa, GlobalPlatform and EMVCo specifications and requirements. Mobile products subject to such testing include, but are not limited to: Secure Elements Mobile Handsets Combinations of Secure Elements and Mobile Handsets Mobile Accessories Depending on the configuration of the product submitted the testing process may involve: Analogue and Digital (EMVCo Contactless Level 1) Visa Cross Testing Visa Mobile Payment Application testing (VMPA) Secure Element Platform Functional testing (GP) Secure Element Platform Security testing (EMV PCN) Secure Element Visa Chip Security Program testing (VCSP) If the mobile product meets Visa s testing requirements, Visa issues a Compliance Letter to the vendor. Visa s compliance recognition applies worldwide unless geographic restrictions are specified in the Compliance Letter. Note: The process described in this document does not approve vendors; it only denotes that a tested mobile product is compliant to Visa specifications and requirements. Note: A Compliance Letter is not transferable from one vendor s product to another product or from one vendor to another vendor. June Visa. All Rights Reserved. Page 13 of 74Page

14 2.1 Products Accepted for Testing This document covers the following configurations of mobile products for compliance testing: UICC Embedded Secure Element Component (alone /on board) Handset (UICC Only) Handset (HCE Only) Handset (Secure Element and HCE) Handset with UICC Handset with Embedded Secure Element microsd with an Internal Antenna microsd without an Antenna Handset with a microsd (Antenna within the Handset) Mobile Accessory with embedded Secure Element (Antenna within the Mobile Accessory) Mobile Accessory with removable Secure Element (Antenna within the Mobile Accessory) Visa will decide in its sole discretion whether to accept alternative configurations of mobile products for testing. Vendors should contact their regional Visa representative to determine if Visa will accept their alternative mobile product configuration. The Vendor must provide a complete description of the alternative mobile product to aid Visa in its decision-making. 2.2 Mobile Component Overview To simplify the description of the testing program we have divided the mobile product into component zones. These component zones identify areas within a mobile product that perform different aspects of proximity Visa paywave mobile payment. The configurations and components within these zones are subject to this testing program. Five zones have been identified and are described in the following sections. Following the zone descriptions are diagrams showing some of the common mobile component configurations of zones, components, and the interfaces between these zones and components A: Secure Element Component This component known as a Secure Element (SE) could also be identified by various names for the different form factor/product such as UICC, embedded SE, or removable SE. This component hosts the VMPA applet B: Contactless Interface Component This component mainly performs the conversion of interfaces from an analogue signal to digital contact based link such as SWP and HCI. As a most common implementation, the contactless interface component is expected to be a Near Field Communication device. June Visa. All Rights Reserved. Page 14 of 74Page

15 This module may incorporate a router to direct the contactless communication to various Secure Elements on the handset and to the handset itself. In this case the functionality of the component extends beyond interface conversion. In some cases, the Secure Element component (A) may be capable of receiving analogue signals with an ability of analyzing them to the digital (contactless protocol) level. In such configurations, there is no component B C: Proximity Communication Antenna This component captures and transmits Radio Frequency (electromagnetic field) analogue signals with an external device such as a contactless-enabled POS terminal D: Handset Device This component incorporates the previously described components as well as others related to the mobile wireless network. It also hosts the handset part of the Visa Proximity Mobile Payment Application, such as the user interface application (referred to as the wallet) E: Mobile Application This component is the software application resident on the mobile device that consumers use to interact with their mobile device to access a product or a service. For Visa cloud-based payments, Mobile Applications typically include, but are not necessarily limited to, mobile banking applications or mobile wallet applications MA: Mobile Accessory This component is a peripheral unit to a mobile device. It may or may not be physically connected to the mobile device Interaction between Components Although the mobile product components must go through testing that is required for Visa, Visa testing focuses on the secure element (hosting the VMPA applet) and the contactless interface components. The tests that are performed and the tests that are out of scope are described in this document. The following diagrams represent possible arrangements of components in a mobile product. The diagrams indicate areas tested, areas not tested, and interfaces that may be exercised during testing. The following diagrams are shown in different colors, which signify the following: Green: indicates the Secure Element component and some of the technologies that may be implemented in that component Blue: indicates the Contactless Interface component and some of the technologies that may be implemented in that component Red: indicates the Proximity Communication Interface component and some of the technologies that may be implemented in that component Black: indicates the Handset component and some of the technologies that may be implemented in that component June Visa. All Rights Reserved. Page 15 of 74Page

16 Orange: indicates the mobile application component and some of the technologies that may be implemented in that component. The figures that follow show the component zones A, B, C, D, E, MA that are subjects of the testing and compliance process. These diagrams are simplified models used to represent what is usual and expected in today s mobile payment products. These diagrams are not based on any specific mobile payment product. 2.3 Mobile Component Descriptions Components with a Secure Element June Visa. All Rights Reserved. Page 16 of 74Page

17 2.3.2 Components with HCE Capability Components with a Secure Element and HCE Capability June Visa. All Rights Reserved. Page 17 of 74Page

18 2.3.4 Components without a Contactless Interface Component D - UI - Security Implementation - OTA Channel Phone Baseband T0 A - GP (contact) - GP (contactless) - OTA channel - Security Implementation - Digital - Etc Analog C Components with a Removable microsd with Internal Antenna D A C SD I/O June Visa. All Rights Reserved. Page 18 of 74Page

19 2.3.6 Components with a Removable microsd with Antenna in the Handset Components with a Mobile Accessory with a Secure Element Secure Element June Visa. All Rights Reserved. Page 19 of 74Page

20 2.4 UICC or Embedded Secure Element Component A vendor can submit a secure element for testing that is developed according to GP specifications. Prior to submitting the UICC or ese for testing the vendor must ensure that the chip is listed on EMVCo s Approved Chips List and the platform is listed on EMVCo s Approved Platforms List. See Section 3.0 regarding Security Testing. The Visa Compliance Letter will address the product s ability to host a VMPA applet and complete a Visa paywave payment transaction. At the very minimum, platforms must support the Visa Minimum Functional Platform Requirements for VMPA Implementations [VMPA_MFPR]. All other functionality (e.g. Single Wire Protocol (SWP) interface) is out of scope of Visa s compliance testing. It is the vendor s responsibility to ensure proper compliance to the respective standards issued by other organizations such as ETSI UICC or Embedded Secure Element Component This configuration is of a UICC or stand-alone embedded secure element. The following table describes the scope of the tests. Test Type Test Extent Zone Subject to Testing Supporting Specification(s) Cross-Testing UICC: Applicable ese: Not Applicable Visa Application Testing Applicable A [VMCPS] GP Platform Functional Testing Platform Certification Testing Applicable A Refer to GlobalPlatform Applicable A Refer to EMVCo Visa Security Testing Applicable A [VCSP] Note: If the configuration includes built-in contactless digital protocol technology, digital testing is required. June Visa. All Rights Reserved. Page 20 of 74Page

21 2.5 Handsets A vendor may submit a handset in the following product configuration: Handset (Secure Element Only) Handset (HCE Only) Handset (Secure Element and HCE) Combinations: o Handset with a UICC o Handset with an Embedded Secure Element o SE may be removable or embedded. Handsets with HCE Capability Visa has developed a Level 1 Test Application (hereafter referred to in this document as L1 Test Application ) to be used on HCE capable handsets for Contactless Level 1 testing. The L1 test application is modeled after the UICC profiles document available from EMVCo. The L1 test application has been developed to support an Android OS. For other OS implementations contact Approval Services. The L1 test application package is available to download on the Visa Technology Partner website through a click license. The package includes the application, ICS for HCE, and the test application product setup guidelines document. HCE testing is mandatory for all HCE capable handsets submitted for testing and compliance Handset (UICC Only) This configuration is of a handset that is NFC-enabled (supports a UICC). The Compliance Letter is for the handset only. The testing and compliance process cannot be performed in a handset that is not capable of supporting a UICC. The UICC used in the handset to perform testing will not be included in the Compliance Letter. The UICC is only used to facilitate testing of the handset and is not an evaluated component of the submitted handset. Contactless protocols tested include Type A and Type B. The following table describes the scope of the tests. Test Type Test Extent Zone Subject to Testing Supporting Specification(s) Analog Applicable B + C [EMV-CCP] Digital Applicable B + C [EMV-CCP] Cross-Testing Applicable June Visa. All Rights Reserved. Page 21 of 74Page

22 2.5.2 Handset (HCE Only) This configuration is of a handset that is NFC-enabled and the handset OS is HCE capable. For testing purposes, the vendor is required to provide the handset configured to use the HCE path for Contactless Level 1 testing. For cross testing, the handsets provided should be in such a state that Approval Services may be able to load a test application. Contactless protocols tested include Type A and Type B. The following table describes the scope of the tests. Test Type Test Extent Zone Subject to Testing Supporting Specification(s) Testing Path Analog Applicable B + C [EMV-CCP] HCE Digital Applicable B + C [EMV-CCP] HCE Cross-Testing Applicable HCE Handset (Secure Element and HCE) This configuration is of a handset that is NFC-enabled (supports a removable or an embedded SE) and the handset OS is HCE capable. For testing purposes, the vendor is required to provide an additional handset configured to use the HCE path for Level 1 Contactless testing. For cross testing, the handsets provided should be in such a state that Approval Services may be able to load a test application. For handsets that support a removable secure element, the secure element used in the handset to perform testing will not be included in the Compliance Letter. The secure element is only used to facilitate testing of the handset and is not an evaluated component of the submitted handset. Contactless protocols tested include Type A and Type B. The secure element is a compliant product. The following table describes the scope of the tests. Test Type Test Extent Zone Subject to Testing Supporting Specification(s) Testing Path Analog Applicable B + C [EMV-CCP] SE Digital Applicable B + C [EMV-CCP] SE and HCE Cross-Testing Applicable SE - Full and HCE - Selective June Visa. All Rights Reserved. Page 22 of 74Page

23 2.5.4 Combinations A vendor may submit the following combinations to obtain a Compliance Letter that covers both the mobile device and secure element: Handset with a UICC Handset with an embedded Secure Element Note: The handsets described in this section does not support HCE. Either of these combinations will be subjected to the combined Secure Element and handset requirements. The following table describes the scope of the tests. The following table describes the scope of the tests. Test Type Test Extent Zone Subject to Testing Supporting Specification(s) Analog Applicable B + C [EMV-CCP] Digital Applicable B + C [EMV-CCP] Cross-Testing Applicable Visa Application Testing Applicable A [VMCPS] GP Platform Functional Applicable A Refer to GlobalPlatform Platform Certificate Testing Applicable A Refer to EMVCo Visa Security Testing Applicable A [VCSP] 2.6 MicroSD A vendor can submit a microsd for testing that is developed according to GP specifications. Prior to submitting the microsd for testing the vendor must ensure that the embedded secure elements chip is listed on EMVCo s Approved Chips List and the platform is listed on EMVCo s Approved Platforms List. See Section 3.0 regarding Security Testing. The embedded secure element hosts the VMPA applet and Proximity Payment System Environment (PPSE) applications. The proximity communication antenna is used to transmit and receive radio frequency (electromagnetic field) analogue signals to and from an external payment device directly to and from the microsd. This allows resident payment applications in the secure element to exchange commands related to payment transactions with an external payment device via the contactless interface. Note: The contact interface between the handset and the microsd is beyond the scope of this document. For testing purposes only, a vendor shall be required to supply a handset with a TTIA in order to execute VMPA functionality. For more information refer to Book 6 - VMPA Test Tool Interface Requirements, available to download on the Visa Technology Partner website. June Visa. All Rights Reserved. Page 23 of 74Page

24 The Visa Compliance Letter will address the product s ability to host a VMPA applet and complete a Visa paywave payment transaction. At the very minimum, platforms must support the Visa Minimum Functional Platform Requirements for VMPA Implementations [VMPA_MFPR]. All other functionality (e.g. Single Wire Protocol (SWP) interface) is out of scope of Visa s compliance testing. It is the vendor s responsibility to ensure proper compliance to the respective standards issued by other organizations such as ETSI MicroSD with an Internal Antenna This configuration consists of a microsd and a proximity communication antenna in a single unit. Visa approves microsds with a secure element and internal antenna as a standalone component, independent of use in combination with any particular handset(s). However, because the testing necessarily requires use of a reference handset, the Compliance Letter shall state as tested with followed by the handset model name that was provided by the vendor for testing purposes. Visa does not issue Compliance Letters covering other potential combinations of the product with different handset models that were not used in testing, unless and until the vendor submits those specific combinations for testing by Visa and they are found to be compliant with Visa s applicable testing requirements. The following table describes the scope of the tests. Test Type Test Extent Zone Subject to Testing Supporting Specification(s) Analog Applicable A + C [EMV-CCP] Digital Applicable A + C [EMV-CCP] Cross-Testing Applicable Visa Application Testing Applicable A [VMCPS] GP Platform Functional Applicable A Refer to GlobalPlatform Platform Certificate Testing Applicable A Refer to EMVCo Visa Security Testing Applicable A [VCSP] MicroSD (No Antenna) This configuration consists of a microsd without the proximity communication antenna. Note: The Compliance Letter will state that the testing did not include timing tests as defined in Visa s specifications. The following table describes the scope of the tests. Test Type Test Extent Zone Subject to Testing Supporting Specification(s) Digital Applicable A [EMV-CCP] (No Transaction Timing) Cross-Testing Applicable Visa Application Testing Applicable A [VMCPS] GP Platform Functional Applicable A Refer to GlobalPlatform June Visa. All Rights Reserved. Page 24 of 74Page

25 Platform Certificate Testing Applicable A Refer to EMVCo Visa Security Testing Applicable A [VCSP] MicroSD with Handset (Antenna within the Handset) This configuration consists of a microsd with an embedded secure element submitted in combination with a handset containing a contactless communication antenna. The following table describes the scope of the tests. Test Type Test Extent Zone Subject to Testing Supporting Specification(s) Analog Applicable A + C [EMV-CCP] Digital Applicable A + C [EMV-CCP] Cross-Testing Applicable Visa Application Testing Applicable A [VMCPS] GP Platform Functional Applicable A Refer to GlobalPlatform Platform Certificate Testing Applicable A Refer to EMVCo Visa Security Testing Applicable A [VCSP] MicroSD with Handset (Antenna Within the Handset) June Visa. All Rights Reserved. Page 25 of 74Page

26 2.7 Mobile Accessory A mobile accessory is a unit attached to a mobile device via various proprietary methods. A vendor can submit a secure element for testing that is developed according to GP specifications. Prior to submitting the secure element for testing the vendor must ensure that the embedded secure element s chip is listed on EMVCo s Approved Chips List and the platform is listed on EMVCo s Approved Platforms List (see Security Testing). The embedded secure element hosts the approved VMPA applet and Proximity Payment System Environment (PPSE) applications. The proximity communication antenna is used to transmit and receive radio frequency (electromagnetic field) analogue signals to and from an external payment device directly to and from the secure element. This allows resident payment applications in the secure element to exchange commands related to payment transactions with an external payment device via the contactless interface. Note: The attachment interface between the handset and the accessory is beyond the scope of this document. The Compliance Letter will address the product s ability to host the VMPA applet and complete a Visa paywave payment transaction. At the very minimum, platforms must support the Visa Minimum Functional Platform Requirements for VMPA Implementations [VMPA_MFPR]. All other functionality (e.g. Single Wire Protocol (SWP) interface) is out of scope of Visa s compliance testing. It is the vendor s responsibility to ensure proper compliance to the respective standards issued by other organizations such as ETSI Mobile Accessory with a Secure Element (Antenna within the Accessory) This configuration consists of a mobile accessory with a secure element (either an embedded or removable) and a proximity communication antenna in a single unit. For testing purposes only, a vendor is required to supply a handset with a Test Tool Interface Application residing on the mobile device. For more information refer to Book 6 - VMPA Test Tool Interface Requirements, available to download on the Visa Technology Partner website. Visa approves the mobile accessory with a SE as a standalone component, independent of use in combination with any particular handset(s). However, because the testing necessarily requires use of a reference handset, the Compliance Letter shall state as tested with followed by the handset model name that was provided by the vendor for testing purposes. Visa does not issue Compliance Letters covering other potential combinations of the product with different handset models that were not used in testing, unless and until the vendor submits those specific combinations for testing by Visa and they are found to be compliant with Visa s applicable testing requirements. June Visa. All Rights Reserved. Page 26 of 74Page

27 The following table describes the scope of the tests. Test Type Test Extent Zone Subject to Testing Supporting Specification(s) Analog Applicable A + C [EMV-CCP] Digital Applicable A + C [EMV-CCP] Cross-Testing Applicable Visa Application Testing Applicable A [VMCPS] GP Platform Functional Applicable A Refer to GlobalPlatform Platform Certificate Testing Applicable A Refer to EMVCo Visa Security Testing Applicable A [VCSP] 2.8 Component Specification and Compliance The components described in this document are developed based on specifications defined by various standards bodies such as GlobalPlatform or EMVCo. Visa acknowledges that some of these organizations have developed a compliance program for their respective specification and Visa will incorporate those programs into Visa s compliance process. Among these various compliance programs, certain plans exist that grant testing laboratories the following: The right to perform the tests The authority to provide test results The authority to certify the component June Visa. All Rights Reserved. Page 27 of 74Page

28 3 Security Testing Security testing is required for the secure element hosting the VMPA applet. It is not currently applicable to other components of a mobile product, such as the NFC device containing the contactless interface components. Security testing goes beyond the functional testing to help determine whether the secure element is vulnerable to known attacks, whether or not these are explicitly cited in the specification. Security testing is not exhaustive and focuses on the most likely vulnerabilities as revealed by previously conducted testing, knowledge of the particular application(s), and past experience with similar products. The Visa Chip Security Program (VCSP) seeks to minimize the cost and time spent in performing evaluation work and, where possible, to avoid duplication of effort. A copy of the VCSP process document can be downloaded from the Visa Technology Partner website. The VMPA applet must only be loaded on an EMVCo approved platform. EMVCo issues a platform certificate with a Platform Certificate Number (PCN) for platform products that successfully complete the EMVCo security evaluation process [EMV-SEWG]. Visa will accept new mobile products only if the secure element has successfully completed the EMVCo testing and is posted on the EMVCo Approved Chip and Approved Platform Lists. The VMPA applet residing on the EMVCo approved platform must successfully complete a Visa composite security evaluation (e.g., platform with VMPA applet) with High as required level of assurance (see [VCSP]) by a Visa recognized security lab. The security testing laboratory must verify that the final composite product fulfills all the platform requirements as documented in the latest EMVCo Shared Evaluation Report (SER). This document defines what security mechanisms are implemented by the platform and the scope of previously performed security testing. It provides mandatory security requirements and highlights areas of potential concern. Any pre-loaded or future (post-issuance) application loaded on the secure element must not impact the security of the Visa payment application assets. Each application must pass the byte code verifier and must meet all requirements in the latest platform security guidance documents. If the mobile product is based on an open EMVCo platform product, composite security evaluations of basic applications should comply with the GP Composition Model principles. If the mobile product is a closed platform product and there is a change, then a VCSP delta security evaluation is required. Note: Visa composite security evaluation can be authorized once the EMVCo platform security evaluation has started. In this case, the vendor must acknowledge that starting the composite evaluation prior to EMVCo approval is at own risk and cost. June Visa. All Rights Reserved. Page 28 of 74Page

29 For More Information For detailed information on the EMVCo Platform Security Evaluation process, please see EMVCo Security Evaluation Process document [EMV-SEWG] available at or contact the EMVCo Security Evaluation Secretariat at with any questions about the process. For further information on the Visa chip security testing process [VCSP], please refer to the Visa Chip Security Program Security Testing Process document on the Visa Technology Partner website. June Visa. All Rights Reserved. Page 29 of 74Page

30 4 Certification Process, Laboratories and Documentation 4.1 Certification Process Overview PRODUCT SUBMISSION AND COMPLIANCE TESTING PROCESS INITIAL STAGE TESTING STAGE SUBMISSION STAGE REVIEW STAGE Complete Mobile Questionnaire Approval Services Reviews Questionnaire and Determines Testing Requirements Vendor and Laboratories Schedule Test Slot Laboratory Provides Test Results to Vendor Visa Reviews Test Results Vendor Notified of Testing Requirements Vendor Provides Visa Forms & Samples to Laboratories Vendor Authorizes Laboratories to Release Test Results to Visa Test Results Meet Visa s Requirements? No Failure Notification Issued Yes Chosen Laboratories Authorized for Visa Testing Laboratories Perform Authorized Testing Laboratories send Test Results to Visa Compliance Letter Issued June Visa. All Rights Reserved. Page 30 of 74Page

31 4.2 Certification Areas By Organization To reduce the duplication of testing for vendors, Visa s program utilizes testing and certification programs offered by EMVCo and GlobalPlatform. Depending on the configuration and technical specifications of the mobile product, Visa may require the product to have been certified by those organizations prior to submitting the product to Visa. Visa s program covers Secure Elements, Handsets, Accessories, and combinations thereof, with different testing requirements for each. See Appendix C for testing requirements by product configuration. EMVCo s certification programs cover chips and platforms used for Secure Elements, whether embedded or removable. In addition, they offer Contactless EMV Level 1 testing for mobile products. GlobalPlatform s certification program covers functional platform qualification for Secure Elements, whether embedded or removable. Furthermore, a product being tested by more than one organization may also be performed in parallel (e.g. Visa testing, GlobalPlatform testing), again at the request of the vendor and at their own risk. The following table shows which areas of testing each organization qualifies: June Visa. All Rights Reserved. Page 31 of 74Page

32 4.3 EMVCo Mobile Product Level 1 Testing Visa requires products to receive an EMVCo issued Test Assessment Summary or Letter of Approval in lieu of testing requirements managed by Visa, if EMVCo offers the testing. If the Test Assessment Summary or Letter of Approval is not available at the time of the product submission to Visa, the vendor is responsible for providing the Test Assessment Summary or letter before Visa will determine whether the product meets Visa s requirements and issue a Compliance Letter. Note: Visa does not issue a Compliance Letter for a product with an EMVCo Letter of Approval that does not require further testing required by Visa. Vendors are required to provide the EMVCo Level 1 ICS with the Test Assessment Summary or Letter of Approval. If Visa requires other testing on the submitted product this may be done in parallel with the EMVCo process. Visa will continue to accept EMVCo s process as they continue to expand the scope of products accepted. 4.4 GlobalPlatform Qualification Testing A vendor can submit a secure element for testing that is developed according to GlobalPlatform (GP) specifications. GlobalPlatform manages the platform functional testing for GP platforms. Visa only accepts official GP test results performed by a GP-qualified laboratory. Self-testing results are not accepted as proof of specification compliance. Vendors shall provide a SCO Form and Qualification Letter from GP to Visa in support of their Visa submission process. Visa requires Secure Elements to have a Qualification Letter issued by GlobalPlatform prior to the issuance of the Visa Compliance Letter. Vendors who are unable to receive a Letter of Qualification from GP because their product does not support all mandatory GP requirements may request a Compliance Assessment Report (CAR) from GP. Visa will only review a final GP CAR. As an exception process, vendors who provide a GP CAR to Visa where the product meets Visa s minimum functional platform requirements may be eligible to receive a Compliance Letter from Visa without a Letter of Qualification from GP. Refer to Visa Minimum Platform Functional Requirements for VMPA Implementations [VMPA_MFPR] for technical requirements. More information about the GlobalPlatform compliance testing process can be found on their website at June Visa. All Rights Reserved. Page 32 of 74Page

33 4.5 Cross Testing Visa performs cross testing (also referred to as interoperability testing). Cross testing is part of the official testing process and the performance during this testing will be part of the final compliance consideration. Products that fail to communicate with various devices may not be eligible for compliance. For more information refer to the Vendor Guide For Interoperability Testing on the Visa Technology Partner website. Note: Visa is not permitted to disclose information about the terminals used to obtain the cross testing results. EMVCo also offers cross testing, referred to as terminal interoperability testing, as part of its mobile product level 1 type approval process. Visa accepts an EMVCo Letter of Approval in lieu of cross testing. June Visa. All Rights Reserved. Page 33 of 74Page

34 4.6 Test Plans and Test Tools Test plans and commercial test tools with associated test scripts are available to assist vendors in quality assurance (QA) testing. These test tools are not intended as a replacement for Visa testing. Successful completion of all the test scripts by the vendor does not imply compliance, nor does it duplicate Visa s full testing process. Visa reserves the right to develop and run additional tests that are not defined as part of the current test plans or tools. Visa testing may include subjecting the product to additional physical and situation-specific tests as needed. Commercial test tools and test scripts are available from test tool suppliers. Vendors must have licensed the Visa mobile specification and software before acquiring the mobile test tools. Information about Visa test tools can be found at Information about EMVCo test tools can be found at Information about GlobalPlatform test tools can be found at The following Visa test plans are available on the Visa Technology Partner website to licensed users: Visa Mobile Payment Application (VMPA) Visa Toolkit and Process Message (VTKPM) Before requesting a test plan, the following agreements need to be executed with Visa: All applicable Visa Technology License Agreements. Technology licensing is handled on the Visa Technology Partner website. Approval Services Testing Agreement for Mobile Proximity Payment Products (ASTA) or Approval Services Documentation License Agreement Possession and use of these materials is subject in all respects to the terms of the ASTA or documentation license agreement. Test plans and test scripts are subject to enhancements and modifications at any time. Test plan revisions will be accumulated and made available to vendors with new releases as determined by Visa. It is the vendor s responsibility to ensure that they have the most current test plan available. Vendors should contact their tool supplier to obtain any test script updates. Test case updates are published in the query application on the Visa Technology Partner website, available to authorized users only. Visa grants permission to use the test plans solely for purposes of QA testing for use in connection with a Visa payment application. Visa may revoke its permission at any time for any or no reason. Possession and use of these materials is subject in all respects to the terms of the ASTA or documentation license agreement. Test plans and all intellectual property subsisting therein are the property of Visa. THESE MATERIALS ARE PROVIDED ON AN AS IS BASIS WITH ALL FAULTS. VISA DISCLAIMS ALL WARRANTIES PERTAINING TO THESE MATERIALS, EXPRESSED OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR PURPOSES, OR NON INFRINGEMENT. June Visa. All Rights Reserved. Page 34 of 74Page

35 4.7 Test Laboratories The list of Visa-Recognized Laboratory s is available on the Visa Technology Partner website. Testing will not begin until the laboratory has received all required items. If any required item is incorrect or non-functioning, the test slot may be delayed. Please contact the Laboratory for pricing and to arrange scheduling of testing. When testing is complete, the Laboratory will provide the vendor with a report outlining the test results. The vendor is required to grant authorization for the Laboratory to provide the test reports to Approval Services. Approval Services will evaluate the test results and provide the vendor with information about the usability of the product in Visa deployments. 4.8 Starting the Product Submission Process Before submitting any mobile product for testing, vendors must execute the current Approval Services Testing Agreement for Mobile Proximity Payments (ASTA) with Approval Services (see Section 1.7). Additionally, vendors will also need to execute any agreements required by the Laboratory that performs the testing. Once the legal agreements have been executed, vendors are eligible to submit the necessary paperwork to start the testing process. A questionnaire is required by Approval Services to start the product submission process. The following table lists the forms required for product testing. All the Visa forms are available on the Visa Technology Partner website. All information must be provided in English. Note: Some forms may be combined into a single document. Documentation Required for Testing and Evaluation Form Approval Services Mobile Product Questionnaire Exhibit A: Request for Testing Services or Request for Testing Review (addendum to ASTA) Implementation Conformance Statement (ICS) Request for Compliance Form Description Information regarding the submission of a mobile product for testing. Allows Visa to determine whether the mobile product is eligible for submission. Establishes Visa s right to review results submitted by the vendor, following testing at a laboratory. Handset-only submissions will use the Request for Testing Review form. All other submissions shall use the Request for Testing Services form. Detailed information regarding the Visa payment application, platform, or interface. A separate statement is required for each: Contactless Interface Analogue & Digital VMPA (including VTKPM) Official request for Visa to begin the compliance review for a mobile product tested at a laboratory. June Visa. All Rights Reserved. Page 35 of 74Page