Obtain a security evaluation certificate for an Integrated Circuit (IC) or a Platform product.
Search existing approved IC and Platform Product certificates (ICCNs/PCNs)
This summary describes the standard process for Chip or Platform approval. The major steps can be summarized as follows:
The Product Provider must complete the IC or Platform registration questionnaire and submit it to the Security Evaluation Secretariat.
Product Registration Questionnaire: Chip Providers
Product Registration Questionnaire: Platform Providers
EMVCo reviews the registration questionnaire, and if properly completed, works with EMVCo’s financial team to generate and send an invoice to the Product Provider.
The Product Provider must pay the invoice, then ask its security evaluation Laboratory to send the security evaluation report to the SEWG Secretariat.
See approved security evaluation laboratories.
EMVCo reviews the evaluation report.
If the report is found to be comprehensive (complete with product vulnerability analysis and penetration testing), EMVCo will approve the product and issue the Product Provider a product certificate, which will be either an ICCN (for an IC) or PCN (for a Platform). If the Product Provider requested that the certificate be published, EMVCo will add the certificate to the relevant list of approved IC Products or Platform Products.
If the report is not found satisfactory, EMVCo will work with the security evaluation Laboratory until the report meets the requirements.
Note that the policy applied by EMVCo for the initial security approval of products is described in the EMVCo Product Certification Policy. Additional information regarding the certificate issuance and life-cycle is provided in the Certificate Issuance, Renewal and Extension Process.
EMVCo has also issued Security Bulletins that are valid and complement the information provided in these documents.
Note that development and production sites also need to be considered in the context of an EMVCo product approval. Audits may need to be performed for these sites. EMVCo has derived specific guidelines for conducting such audits.
Prior to being allowed to submit a product for security certification, the following must be completed:
For each submission of a product for approval, either for a new product, a certificate renewal or update or an extension of expired certificate, specific registration fees shall be paid to EMVCo, as detailed in SEWG Bulletin #3.
Q: Who is the primary contact for EMVCo Security Evaluations?
A: The Security Evaluation secretariat can be reached at securityevaluation@emvco.com.
Q: I want to register for the EMVCo Security Evaluation Process. Are there any pre-requisites?
A: If there is no candidate product in development or available, a product provider will have to demonstrate that it intends developing a product (Integrated Circuit, Platform or Integrated Circuit Card for an existing customer.
Q: Where can I get more information on the EMVCo Security Evaluation Process?
A: The EMVCo Security Evaluation Process document is available at the EMVCo website.