Security Evaluation Process
  1. Who is the primary contact for EMVCo Security Evaluations?
  2. Who is the primary contact for the EMVCo Card Approval Process?
  3. I want to register for the EMVCo Security Evaluation Process. Are there any pre-requisites?
  4. Where can I get more information on the EMVCo Card Approval Process?
  5. Where can I get more information on the EMVCo Security Evaluation Process?
  6. Where can I download forms to register as an IC provider in the EMVCo Security Evaluation Process?
  7. Where can I download forms to register an IC product in the EMVCo Security Evaluation Process?
  8. Where can I download forms to register a Platform product in the EMVCo Security Evaluation Process?
  9. I want to submit an ICC product for card approval. Where can I download registration forms for:
  10. What products are in scope of an EMVCo Security Evaluation?
  11. What products are out of scope of an EMVCo Security Evaluation?
  12. Can I submit an ICC product for EMVCo Security Evaluation that uses a non-EMVCo approved IC?
  13. I have not adopted all the guidelines in the EMVCo Security Guidelines in my current product as they are out of scope for the intended application. Is this an automatic fail?
  14. I don’t want to add my approved product to the EMVCo Approved Product list at the moment. Is this acceptable?
  15. My product has just failed certification. What do I do now?
  16. Is there a charge for the EMVCo Security Evaluation?
  17. How do I pay for the evaluation?
  18. What other conditions must be met for issuance of an EMVCo compliance certificate once a product has been approved?
  19. How long does it take to issue the EMVCo compliance certificate once the product has been approved?
  20. How do I obtain a copy of the Approved Product List?
  21. How do I obtain a list of EMVCo recognised laboratories?
  22. Is it possible to extend product certification on the EMVCo Approved Product List beyond the initial approval period?
  23. What is the maximum possible extension on the EMVCo Approved Product list?
  24. Is it possible to reapply for an extension on the EMVCo Approved Product list after the current extension has expired?
  25. I just had a product delta-evaluated against the current EMVCo Security Guidelines. Why can’t I have an additional three years on the Approved Product List?
  26. How do I apply for a product waiver?
  27. My product took a year to be evaluated using a number of laboratories. What will be the date of the EMVCo certificate?
  28. I am currently shipping an EMVCo approved ICC product (valid Card Certificate Number), but the IC certificate (ICCN) is about to expire. Can I continue shipping this product?
  29. My CCN (Card Certificate Number) or PCN (Platform Certificate Number) is due to expire, and it is based on an ICCN (IC Certificate Number) that has already expired. How does this impact my renewal?
  30. I have an EMVCo approved ICC product that is about to expire. Can I continue to ship this product?
  31. I have a large stock of ICC that are on the EMVCo Approved Product list that are about to expire. Can I still issue this product?
  32. I have deployed a software patch for an existing product. In the opinion of my security experts it doesn’t affect the product security. Do I need to evaluate the patched product?
  33. I have developed a software patch for an existing product that improves the product security. Do I need to evaluate the patched product?
  34. I have developed a new product that is similar to an existing EMVCo approved product. Can I re-use the evaluation evidence?
  35. I have developed a new product that is similar to an existing product that was approved under another certification scheme. Can I re-use the evaluation evidence?
  36. I use a particular independent laboratory that is not a recognised EMVCo Security Evaluation laboratory for all my evaluations. Can I use results from this laboratory as part of the evaluation evidence?
  37. I do all security evaluation work in-house. Can I use results from my own laboratory as evaluation evidence?
  38. Can flash memory be used as ROM in a Chip Card product?
  39. In order to expedite the invoicing and payment process, can I submit a draft version of the registration questionnaire and receive the invoice in advance?
  40. As regards the User guidance details that are required for platform certification, would you let me know what sort of information should be in the document?
  41. For platforms, I heard that there are two types: Open platform and Closed platform. What is the difference between them?
  42. The security guidance version of my certified product has changed. Are there any specific steps to be followed with EMVCo?
  43. I am planning to use multiple fabrication sites for my IC. Does this have any impact on its security evaluation?
  44. Can I include several versions of my platform product under the same PCN reference?
  45. I am performing a composite evaluation on an IC for which the most recent evidence is a CC evaluation report. Can I reuse the evaluation evidence?
  46. From SEWG Bulletin 7, I interpret that as of January 1st, 2013 a SAR (Site Audit Report) must be created and submitted if a site audit is to be used within an EMVCo product evaluation. Is this correct?
  47. Does this also apply when the site audit has been performed as part of an EMVCo or CC evaluation performed before 2013? In other words, if I have performed a CC site audit (and possibly used the result in an EMVCo evaluation before 2013) and now perform an EMVCo evaluation do I need to create a SAR (from the CC site audit report) and submit this as well?
  48. The site audit requirements document mentions that if a developer site has changed since the last audit the developer must attest to these changes? Must the laboratory assess the impact and create an updated SAR?
  49. Must the SAR also be updated (and submitted) when the developer attests no changes have been made to the development site?
  50. What is the consequence of a guidance change of the underlying layer of a composite product previously certified, and who should be informed about the change?
  51. Does a fast approval process exist for minor changes to an already certified EMVCo product?
  1. Who is the primary contact for EMVCo Security Evaluations?

    The Security Evaluation secretariat can be reached at securityevaluation@emvco.com

  2. Who is the primary contact for the EMVCo Card Approval Process?

    The Card Approval secretariat can be reached at card-approval@emvco.com

  3. I want to register for the EMVCo Security Evaluation Process. Are there any pre-requisites?

    If there is no candidate product in development or available, a product provider will have to demonstrate that it intends to develop a product (Integrated Circuit, Platform or Integrated Circuit Card) for an existing customer.

  4. Where can I get more information on the EMVCo Card Approval Process?

    The EMVCo Card Approval Process document, together with the relevant forms and specifications, is available on the Card Type Approval webpage of the EMVCo website.

  5. Where can I get more information on the EMVCo Security Evaluation Process?

    The EMVCo Security Evaluation Process document is available at the EMVCo website.

  6. Where can I download forms to register as an IC provider in the EMVCo Security Evaluation Process?

    If you wish to register as an IC provider you must fill out the Business Review: Chip Provider and the Request for Registration: Chip Provider form.

  7. Where can I download forms to register an IC product in the EMVCo Security Evaluation Process?

    If you wish to submit an IC product, please fill out the Product Registration Questionnaire: Chip Provider form.

  8. Where can I download forms to register a Platform product in the EMVCo Security Evaluation Process?

    If you wish to submit a Platform product, please fill out the Product Registration Questionnaire: Platform Provider form.

  9. I want to submit an ICC product for card approval. Where can I download registration forms for:
    • an ICC product provider and
    • an ICC product

    EMVCo accepts only CCD (Common Core Definition) or CPA (Common Payment Application) ICCs for card approval. To submit a CCD or CPA ICC product you need to register as an ICC provider. Once registered as an ICC provider, submit a CCD or CPA ICC for registration.

  10. What products are in scope of an EMVCo Security Evaluation?

    The EMVCo Security Evaluation Process evaluates the security features of the IC, Platform and ICC products. IC Security Evaluation includes the firmware and software routines required to access the security functions of the IC. The Platform Security Evaluation includes the integrated circuit (IC) hardware with its dedicated software, Operating System (OS), and Platform environment on which one or more applications (e.g., CCD, CPA) can be executed. The ICC Security Evaluation includes the IC, the Operating System, and the CCD/CPA payment application(s) that reside(s) on the ICC. Please also refer to the EMVCo process document for additional information.

  11. What products are out of scope of an EMVCo Security Evaluation?
    • Can I certify an OS alone?
    • Can I certify an application alone?
    • Can I certify a dedicated Payment System application?

    The answer is no to all three questions. Only those products/combinations specified in the answer to FAQ question 10 are in scope for EMVCo.

  12. Can I submit an ICC or Platform product for EMVCo Security Evaluation that uses a non-EMVCo approved IC?

    Yes. In this case the IC product must be evaluated and approved before the final ICC or Platform composite product can be approved.

  13. I have not adopted all the guidelines in the EMVCo Security Guidelines in my current product as they are out of scope for the intended application. Is this an automatic fail?

    The guidelines are not mandatory. If the security omissions are mitigated by other factors there may not be an issue. This should be discussed with the evaluation laboratory prior to and during the security evaluation.

  14. I don’t want to add my approved product to the EMVCo Approved Product list at the moment. Is this acceptable?

    There is no obligation to place your product on the EMVCo Approved Product list. You should simply indicate your choice in the Publishing approval section of the IC or Platform registration questionnaire.

  15. My product has just failed certification. What do I do now?

    It will depend upon the reasons why the product failed. You should contact the Security Evaluation Secretariat to discuss the next steps.

  16. Is there a charge for the EMVCo Security Evaluation?

    Please refer to EMVCo SEWG Bulletin 3 for information on the fees applicable to each type of EMVCo security evaluation.

  17. How do I pay for the evaluation?

    Once the registration process has been completed, the EMVCo Financial Secretariat will send you an invoice. Please note that the invoice amount is in US dollars and that EMVCo only accepts wire transfer payments (no checks).

  18. What other conditions must be met for issuance of an EMVCo compliance certificate once a product has been approved?

    Receipt of payment, as well as completion of the requisite forms, is all that is required.

  19. How long does it take to issue the EMVCo compliance certificate once the product has been approved?

    If all the necessary paperwork is in place and payment has been received, the compliance certificate can be issued in less than one week.

  20. How do I obtain a copy of the Approved Product List?

    The list of approved EMVCo products is available on the EMVCo website.

  21. How do I obtain a list of EMVCo recognised laboratories?

    The list of EMVCo recognized laboratories is available on the EMVCo website.

  22. Is it possible to extend product certification on the EMVCo Approved Product List beyond the initial approval period?

    After an approved product has been on the EMVCo Approved Product list for its initial approval period (one year for IC and Platform products, three years for ICC products) it is automatically removed unless it undergoes a renewal evaluation using the current EMVCo Security Guidelines.

  23. What is the maximum possible extension on the EMVCo Approved Product list?

    A successful EMVCo renewal review will result in a further 1 year extension to the product certificate. The maximum lifespan of an approval is 6 years per product. See also EMVCo SEWG Bulletins 2 & 6.

  24. Is it possible to reapply for an extension on the EMVCo Approved Product list after the current extension has expired?

    Yes. The decision for an extension will be based upon a further renewal evaluation by the lab.

  25. We just had a product delta-evaluated against the current EMVCo Security Guidelines. Why can’t I have an additional three years on the Approved Product List?

    This is a risk management issue. The older the product, the more likely it is to be compromised. EMVCo uses an annual maintenance process for extending products to facilitate risk management of older products.

  26. How do we apply for a product waiver?

    EMVCo does not issue waivers.

  27. My product took a year to be evaluated using a number of laboratories. What will be the date of the EMVCo certificate?

    The EMVCo certificate is dated from the oldest report reflecting the date when the relevant testing was done. See also EMVCo SEWG Bulletin 2.

  28. I am currently shipping an EMVCo approved ICC product (valid Card Certificate Number), but the IC certificate (ICCN) is about to expire. Can I continue to ship this product?

    The ICC product may continue to be issued as long as the CCN (Card Certificate Number) remains valid. The status of the underlying IC (IC Certificate Number) does not have any impact on ICC products that have already received their approval. The rule is that a CCN can only be granted for a product that has a valid ICCN. After the CCN has been issued, the status of the ICCN is no longer relevant.

  29. My CCN (Card Certificate Number) or PCN (Platform Certificate Number) is due to expire, and it is based on an ICCN (IC Certificate Number) that has already expired. How does this impact my renewal?

    As long as an ICC product was developed on an approved Platform and/or IC, then ICCN or PCN removal has no impact on the CCN. If you want to renew your CCN, then the renewal work effort will increase if the PCN and/or ICCN have expired. As regards PCNs, renewal is allowed only while the underlying ICCN is still valid. Please also refer to EMVCo SEWG Bulletin 6 or the EMVCo process document for additional information.

  30. I have an EMVCo approved ICC product certificate that is about to expire. Can I continue to ship this product?

    If you wish to continue shipping this product you will need to perform a renewal evaluation to extend its availability on the Approved Product list. See FAQ questions 23 to 25.

  31. I have a large stock of ICC that are on the EMVCo Approved Product list that are about to expire. Can I still issue this product?

    This is not a matter for EMVCo. Please refer to each individual Payment System for guidance.

  32. I have developed a software patch for an existing product. In the opinion of my security experts it doesn’t affect the product security. Do I need to evaluate the patched product?

    You will need to apply for a product update and submit a statement (or Security Impact Analysis report) from a recognised EMVCo laboratory confirming there is no security impact resulting from the implementation of this patch.

  33. I have developed a software patch for an existing product that improves the product security. Do I need to evaluate the patched product?

    You will need to apply for a product update and submit a statement (or Security Impact Analysis report) from a recognised EMVCo laboratory that accurately describes the security impact of the software patch.

  34. I have developed a new product that is similar to an existing EMVCo approved product. Can I re-use the evaluation evidence?

    The EMVCo recognised laboratory will consider existing evaluation evidence within a delta evaluation if it is relevant.

  35. I have developed a new product that is similar to an existing product that was approved under another certification scheme. Can I re-use the evaluation evidence?

    The EMVCo recognised laboratory will consider existing evaluation evidence within a delta evaluation if it is relevant.

  36. I use a particular independent laboratory that is not a recognised EMVCo Security Evaluation laboratory for all my evaluations. Can I use results from this laboratory as part of the evaluation evidence?

    Only EMVCo recognised laboratories can complete and submit evaluations to EMVCo. However, as part of this process, the EMVCo labs may recognise other evaluation work, provided they can review this work and reach the conclusion that it is valid and still relevant.

  37. I do all the security evaluation work in-house. Can I use results from my own laboratory as evaluation evidence?

    Only EMVCo recognised laboratories can complete and submit evaluations to EMVCo. However, as part of this process, the EMVCo labs may recognise other evaluation work, provided they can review this work and reach a conclusion that it is valid and still relevant.

  38. Can flash memory be used as ROM in a Chip Card product?

    Flash memory can be used as ROM as long as sensitive data and code are "locked down" securely and loaded in a secure and controlled environment. The lock down mechanism must be evaluated during the EMVCo IC security evaluation. In case of a flash memory product, the facility at which the product will be programmed must be audited under the EMVCo development site audit process, which a Recognized Security Evaluation Laboratory must use to audit a product provider's site.

  39. In order to expedite the invoicing and payment process, can I submit a draft version of the registration questionnaire and receive the invoice in advance?

    Yes, this is acceptable. You just need to confirm with your evaluation laboratory that the EMVCo secretariat receives a final version of the registration questionnaire together with the security evaluation report submission.

  40. As regards the User guidance details that are required for platform certification, would you let me know what sort of information should be in the document?

    The guidance document should include the characteristics and best practices for using the product, but also any findings from the security evaluation. It is likely that the guidance document will require updating over the period of the security evaluation. This is expected but you must make sure the secretariat receives the final version that must also be referenced in the security evaluation report and the final registration questionnaire.

  41. For platforms, I heard that there are two types: Open platform and Closed platform. What is the difference between them?

    As regards platform security evaluations, whatever the development technology, platforms can be configured as Open or Closed, meaning the following:

    • Open configuration: the platform is configured to enable application loading and installation in the field, i.e. in its usage phase. This is generally performed through the GlobalPlatform loading and installation process.
    • Closed configuration: loading and installation functionalities are deactivated during platform personalization, so that no change in the card content can be performed in the field in terms of applications. The platform can then be considered as a final product. This configuration is more restrictive.

  42. The security guidance version of my certified product has changed. Are there any specific steps to be followed with EMVCo?

    You should ask your evaluation laboratory to review the changes, update the Shared Evaluation Report (SER) and send both the updated SER and a confirmation email to securityevaluation@emvco.com stating that the changes have been reviewed and validated, and that this new version should be used. You will need to submit the updated guidance document to EMVCo, but you do not need to submit an updated registration form or pay fees.

  43. I am planning to use multiple fabrication sites for my IC. Does this have any impact on its security evaluation?

    Yes: the evaluation laboratory must be provided with samples from each site that must hold a unique identification. The laboratory is responsible for enforcing appropriate controls to ensure that ICs from different origins have the same security behaviour. Laboratories are aware of this and can provide you with more details.

  44. Can I include several versions of my platform product under the same PCN reference?

    No, one PCN must be associated with one version number only, due to potential functional incompatibilities between different versions. Please also refer to the EMVCo process document and EMVCo SEWG Bulletin 11 for additional information.

  45. I am performing a composite evaluation on an IC for which the most recent evidence is a Common Criteria (CC) evaluation report. Can I apply reuse of evaluation evidence?

    Reuse of evaluation evidence is possible in this context (See SEWG Bulletin 2 and the SEWG re-use matrix). However, as for any EMVCo security evaluation reports, no automatic reuse can be applied. The composite evaluation laboratory must check the evidence and the date and scope of the performed testing so as to adapt its own testing strategy accordingly.

  46. From SEWG Bulletin 7, I interpret that as of January 1st, 2013 a Shared Audit Report (SAR) must be created and submitted if a site audit is to be used within an EMVCo product evaluation?

    This holds true for new site audit reviews only (since January 1st, 2013), and remains optional for audits completed prior to that date. Existing site audit reports would remain valid. If a delta audit is performed on the site, this would then require the generation of the Shared Audit Report, and both the Shared Audit Report and the detailed report shall be sent to the Security Evaluation Secretariat.

  47. Does this also apply when the site audit has been performed as part of an EMVCo or CC evaluation performed before 2013? In other words if we have performed a CC site audit (and possibly used the result in an EMVCo evaluation before 2013) and now perform an EMVCo evaluation do I need to create a SAR (from the CC site audit report) and submit this as well?

    If no changes occurred at the site, then a SAR is not required for an audit performed prior to January 1st, 2013.

  48. The site audit requirements document mentions that if a developer site has changed since the last audit the developer must attest to these changes? Must the laboratory assess the impact and create an updated SAR?

    The laboratory must assess the impact of the changes and update the SAR. Depending on the changes a delta site audit might be required.

  49. Must the SAR also be updated (and submitted) when the developer attests no changes have been made to the development site?

    If the developer site has NOT changed, no update is required.

  50. What is the consequence of a guidance change of the underlying layer of a composite product previously certified, and who should be informed about the change?

    It is the vendor’s responsibility to inform its customers (e.g., developers of composite products) that its product guidance has changed and that they should check the impact on their product.

  51. Does a fast approval process exist for minor changes to an already certified EMVCo product?

    Yes. This process is called the Fast Track Review Process; it prioritizes the review of EMVCo certified products with minor changes having no security impact. Please refer to EMVCo SEWG Bulletin 10 for detailed information on the conditions of this process.