29 November 2022 – Global technical body EMVCo has issued its 100th Security Evaluation Certificate for Software-Based Mobile Payments (SBMP) solutions. This milestone reflects significant industry uptake from leading device manufacturers and product vendors to demonstrate the security of their solutions through a globally recognised programme, promoting trust and confidence across the payments ecosystem and simplifying the deployment of safe and secure mobile wallet solutions.
The continued growth of mobile payments has increased the number of solutions deployed that use software applications to enable consumers to pay in-store. As these software-based solutions operate in the more vulnerable consumer device environment, mobile wallet providers use a layered security approach comprising various software and device components to combat threats.
To support this layered security approach while ensuring flexibility and efficiencies, EMVCo introduced a dedicated Security Evaluation Process for SBMP in 2018 to assess the different security components that can be integrated into a SBMP solution. Specific components evaluated by EMVCo include software development kits (SDK), trusted execution environments (TEE), consumer device cardholder verification methods (CDCVM) such as biometrics / authenticators, attestation mechanisms and software protection tools. Full mobile payment applications comprising various individual components can also be evaluated.
“Advancing testing and evaluation processes is integral to enabling more consistent, convenient and secure payment experiences,” comments Alisa Ellis, EMVCo Executive Committee Chair. “Issuing 100 Security Evaluation Certificates for SBMP Solutions is testament to increasing demand for secure mobile payments worldwide, and this is enabling mobile wallet providers to realise significant efficiencies and accelerate deployment by easily identifying the products that have been evaluated.”
EMVCo Security Evaluations ensure that a payment product or solution has been assessed against the common EMVCo evaluation methodology and includes mechanisms and protections to withstand known attacks. SBMP Security Evaluations are conducted by a global network of 9 accredited laboratories, with EMVCo acting as a trusted authority. Approved products are listed on the EMVCo website.
– ENDS –
 Attestation mechanisms are used to verify that a device is in a secure state, before undertaking any sensitive operations.