This summary describes the standard process for Chip or Platform approval. The major steps can be summarized as follows:
Step 1: Register
The Product Provider must complete the IC or Platform registration questionnaire and submit it to the Security Evaluation Secretariat.
Product Registration Questionnaire: Chip Providers
Product Registration Questionnaire: Platform Providers
Step 2: Registration Review & Invoice
EMVCo reviews the registration questionnaire, and if properly completed, works with EMVCo’s financial team to generate and send an invoice to the Product Provider.
Step 3: Payment
The Product Provider must pay the invoice, then ask its security evaluation Laboratory to send the security evaluation report to the SEWG Secretariat.
See approved security evaluation laboratories.
Step 4: Report Review
EMVCo reviews the evaluation report.
If the report is found to be comprehensive (complete with product vulnerability analysis and penetration testing), EMVCo will approve the product and issue the Product Provider a product certificate, which will be either an ICCN (for an IC) or PCN (for a Platform). If the Product Provider requested that the certificate be published, EMVCo will add the certificate to the relevant list of approved IC Products or Platform Products.
If the report is not found satisfactory, EMVCo will work with the security evaluation Laboratory until the report meets the requirements.
Note that the policy applied by EMVCo for the initial security approval of products is described in the EMVCo Product Certification Policy. Additional information regarding the certificate issuance and life-cycle is provided in the Certificate Issuance, Renewal and Extension Process.
EMVCo has also issued Security Bulletins that are valid and complement the information provided in these documents.
Note that development and production sites also need to be considered in the context of an EMVCo product approval. Audits may need to be performed for these sites. EMVCo has derived specific guidelines for conducting such audits.