EMVCo has received ISO/IEC 17065 accreditation for its security evaluation processes. Through this system, it has issued more than 2,300 cybersecurity evaluation certificates via its network of recognised laboratories. But why is this needed? And what role does EMVCo play in protecting our payment network from cybersecurity threats? In this post, we speak to Alan Mushing, Chair of the EMVCo Security Evaluation Working Group, to learn more about EMVCo's role in enabling safe and reliable payments globally.
Why is cybersecurity a focus for EMVCo?
We all recognise within the ecosystem that if a transaction does not work and security is compromised, there are consequences throughout the payment community. This has resulted in creating a shared responsibility across all stakeholders to ensure the security of a transaction.
As security risks are not static and the payment landscape continues to evolve, cross-industry efforts must constantly identify and bolster cybersecurity efforts to ensure products and services coming to market are fit for purpose.
As EMVCo is the global technical body which collaborates with industry stakeholders to develop the specifications and programmes required to promote seamless and secure EMV® payment products worldwide, we have been able to provide the guidance needed on the appropriate level of EMV security requirements. EMVCo has been undertaking this role for more than 20 years.
What part of the payment process does EMV technology secure?
EMV Chip technology secures the communication channel between the payment device (which could be a card, smartphone or wearable) and the payment terminal.
This process includes security features like card and transaction data authentication, localised card and terminal risk management, and may include security features like cardholder verification. The merchant terminal cryptographically authenticates the payment device and its data by verifying digital signatures that have been generated by the payment device, its issuer and the payment system. Within this context, EMV supports the use of RSA (Rivest, Shamir and Adleman) and Triple DES (Data Encryption Standard), as well as ECC (Elliptic Curve Cryptography) and AES (Advanced Encryption Standard).
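The signature chain described in this answer (payment system, issuer, payment device) as a simplified model in Python; this is an added example, not EMVCo code and not the formats the EMV Specifications actually define. It assumes toy RSA keys built from Mersenne primes, SHA-256 over raw RSA in place of the hash and padding the specifications mandate, and constructed identifiers; the terminal's stored payment-system key is the only trust anchor, and the last step is a signature over a fresh terminal-chosen challenge so a captured signature cannot be replayed.

```python
import hashlib
from collections import namedtuple

E = 65537  # public exponent shared by every toy key below

def toy_rsa_key(p_exp, q_exp):
    """Textbook RSA key pair from Mersenne primes 2^p_exp-1 and 2^q_exp-1.
    Toy key generation so the model runs offline; real EMV keys are not made this way."""
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus n, private exponent d)

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, key) -> int:
    n, d = key
    return pow(digest_int(data), d, n)  # raw RSA over a hash; EMV uses its own padding scheme

def verify(data: bytes, sig: int, n: int) -> bool:
    return pow(sig, E, n) == digest_int(data)

# holder: constructed issuer id or card number; modulus: holder's public key;
# signature: produced by the next authority up the chain over (holder, modulus)
Cert = namedtuple("Cert", "holder modulus signature")

def cert_tbs(holder: bytes, modulus: int) -> bytes:
    """Bytes the signer commits to: identity plus public key."""
    return holder + modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")

def issue_cert(holder: bytes, modulus: int, signer_key) -> Cert:
    return Cert(holder, modulus, sign(cert_tbs(holder, modulus), signer_key))

def terminal_verify(ca_n: int, issuer_cert: Cert, icc_cert: Cert, challenge: bytes, dyn_sig: int) -> bool:
    """Terminal side: walk from the stored payment-system key down to the card,
    then require a live signature over the challenge the terminal itself chose."""
    if not verify(cert_tbs(issuer_cert.holder, issuer_cert.modulus), issuer_cert.signature, ca_n):
        return False  # issuer certificate was not signed by the payment system
    if not verify(cert_tbs(icc_cert.holder, icc_cert.modulus), icc_cert.signature, issuer_cert.modulus):
        return False  # card certificate was not signed by that issuer
    return verify(challenge, dyn_sig, icc_cert.modulus)  # fresh proof the card holds the key

# Constructed scenario: payment system -> issuer -> card. The terminal trusts only CA_KEY[0].
CA_KEY = toy_rsa_key(607, 1279)
ISSUER_KEY = toy_rsa_key(521, 2203)
ICC_KEY = toy_rsa_key(127, 2281)
ISSUER_CERT = issue_cert(b"ISSUER-0001", ISSUER_KEY[0], CA_KEY)
ICC_CERT = issue_cert(b"PAN-4000000000000002", ICC_KEY[0], ISSUER_KEY)

def run_transaction(challenge: bytes, icc_cert: Cert = ICC_CERT, card_key=ICC_KEY) -> bool:
    """Terminal sends a challenge (unpredictable number + amount); the card signs it."""
    return terminal_verify(CA_KEY[0], ISSUER_CERT, icc_cert, challenge, sign(challenge, card_key))
```

The two negative cases worth checking are a card presenting a key the issuer never certified and a signature captured from an earlier transaction being presented against a new challenge; both must fail at the terminal.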
What role does EMVCo play in promoting cybersecurity?
EMVCo is responsible for creating and maintaining the EMV Specifications. They define what is needed for a seamless and secure technical interaction between the point-of-sale and a payment product.
Keeping pace with known vulnerabilities and threats, and undertaking the necessary enhancements, is essential to ensuring the integrity of our specifications. EMVCo’s dedicated security group performs continuous monitoring of attacks and security developments. This includes, for example, analysing potential quantum advances to ensure adjustments can be implemented when/if relevant.
EMVCo Security Evaluations underpin this market knowledge. They confirm that a payment product or solution has been assessed against the EMVCo security evaluation methodology, with evaluations performed by a network of EMVCo recognised laboratories.
How does EMVCo manage its security evaluation process?
EMVCo provides the payment industry with a transparent process. In addition to its EMV Specifications being available royalty-free from its website, information and forms about the EMVCo approval process can be downloaded from the ‘Approved and Evaluated’ section of the website.
Independent laboratories are recognised by EMVCo to test products against its security evaluation methodology. Once the evaluation process is successfully completed, a solution or product provider receives a security evaluation certificate, which is published at www.emvco.com.
And as we are mindful that security risks are not static, through our maintenance and renewal process, EMVCo requires products to be reviewed regularly to ensure they meet the latest threats, before receiving extended certificates.
Our status as an ISO/IEC 17065 accredited certification body is an endorsement of our proven approach. It demonstrates the depth, quality and impartiality of our testing framework, and showcases the proven ability of EMV technology to address payment cybersecurity concerns in support of regulatory initiatives across the world.
Does EMVCo do this alone?
No. While we are a global body with the capability and framework to promote cybersecurity during a payment transaction, we cannot mitigate cyber threats in isolation.
Our dedicated security group supports the work of the Joint Hardware Attack Subgroup (JHAS), which is currently migrating to an Information Sharing Analysis Centre (ISAC). Through this collaboration, EMVCo not only integrates the latest advancements in attack methodologies into its own framework, but also plays a crucial role in reducing the fragmentation of cybersecurity requirements across the industry.
In addition to this, EMVCo works with researchers, academics and global technical bodies, including the Payment Card Industry Security Standards Council (PCI SSC), World Wide Web Consortium (W3C), Fast IDentity Online (FIDO) Alliance and GlobalPlatform.
This collaborative approach has resulted in EMVCo’s work being used by others to fight cyber threats, including local and global payment systems.