Ensuring the reliability and security of payment transactions is a shared responsibility. When payments don’t work and security is compromised, everyone within the payments community is impacted.
Banks, technology providers and merchants globally trust EMV® Technology as a foundation for safe and reliable payments. In this post, Chair of the EMVCo Security Evaluation Working Group, Alan Mushing, explains the role of EMVCo to support payment stakeholders in creating products and solutions to withstand known attacks. He also introduces the latest EMV security framework, which defines the security expectations of multi-factor authentication solutions used in payments.
Q: What does EMVCo do to support payment security?
EMV produces specifications, requirements and guidelines that define what is needed by all stakeholders within the EMV payment community to facilitate a seamless and secure technical interaction between the consumer and merchant.
The EMVCo Security Evaluations is a suite of industry requirements and tests that builds on this market knowledge. It works to confirm that a payment product or solution has been assessed against a common EMVCo security evaluation methodology, and leads to an EMVCo listing of the product.
Our dedicated security group also supports the work of the JIL Hardware Attack Subgroup (JHAS) and related initiatives, as well as performing continuous monitoring of known attacks and security developments to keep up to date with currently known vulnerabilities and threats.
Q: There are lists of approved and evaluated EMV products and solutions on the EMVCo website. What is the process to approve products and solutions?
EMVCo audits and recognises laboratories as following the EMVCo process to deliver security evaluation services.
Once tests have been undertaken by a recognised laboratory, EMVCo reviews the report and – if the requirements have been met – issues an evaluation or security certificate.
Q: Is EMVCo the only body responsible for payment security?
No, more than one approach to security is required to fight fraud effectively. Our focus is on payment transactions that are using EMV Technology, i.e. payment solutions that are built using EMV Specifications.
Beyond this, EMVCo works closely with regional and global technical bodies and industry associations such as PCI SSC, W3C and FIDO Alliance, which have complementary activity to meet other security aspects that are required to ensure payments are protected.
Individual payment networks also use EMV Specifications and technical requirements as a baseline, before adding further requirements and publishing their own EMV technology compliance and implementation rules.
This collaboration ultimately aims to ensure that the payment landscape is trusted and has the mechanisms in place to protect consumers and merchants, without causing unnecessary friction in the payment experience.
Q: What is the latest security evaluation focus of EMVCo?
As remote payments continue to grow in popularity, it is paramount for consumers to be able to securely prove their identity and authenticate their transactions. Using our payments knowledge and security expertise, we recently defined an EMVCo framework to assess the security of multi-factor authentication (MFA) solutions that are used in payment transactions.
As a quick recap, MFA is an authentication method that requires the payee to provide two or more factors to confirm their identity. There are three types of authentication factors: ‘knowledge’ (things you know), such as a PIN or password; ‘possession’ (things you have), such as a smartphone; and ‘inherence’ (things you are), such as biometrics.
EMVCo recognises that MFA has a crucial role in today’s payments landscape as it gives industry flexibility in how it wants to authenticate consumers using different credential combinations in different payment scenarios.
Q: Does EMVCo also provide the testing for MFA payment solutions?
Yes. EMVCo MFA Security Requirements details the security level that products and solutions need to achieve to be used as a payment authenticator in a variety of consumer devices, including smartphones, laptops, vehicles and IoT devices.
This is then supported by a security evaluation process, undertaken at EMVCo accredited laboratories, that tests software and hardware components involved in the collection, processing, storage, transmission, and verification of data used for authentication during payment use cases.
Approved products and solutions are listed on the EMVCo website.
Q: Who will use and benefit from these latest guidelines?
The key audience is developers of MFA solutions for payments, as the guidelines enable them to gain security evaluation certificates for their product components and solutions. It is also great to give testing laboratories a clear evaluation process.
More widely, the guidelines will be valuable to merchants, acquirers and payment service providers, to share valuable and practical information on security performance characteristics and the ‘suitability’ of MFA products.
It is important to note that while other security guidelines address MFA products and solutions, EMVCo’s solely relate to the use of MFA in payments.
Q: What is next for EMVCo’s security work?
In line with payment innovations, our work is continually evolving to improve security and payment experiences globally. We will continue to support the payment community by monitoring and assessing long-term security requirements, and creating awareness of the level of security required in payment products and solutions.