Chip & Platform Approval Process

This summary describes the standard process for Chip or Platform approval. The major steps can be summarized as follows:

Step 1: Register

The Product Provider must complete the IC or Platform registration questionnaire and submit it to the Security Evaluation Secretariat.

Product Registration Questionnaire: Chip Providers

Product Registration Questionnaire: Platform Providers

Step 2: Registration Review & Invoice

EMVCo reviews the registration questionnaire, and if properly completed, works with EMVCo’s financial team to generate and send an invoice to the Product Provider.

Step 3: Payment

The Product Provider must pay the invoice, then ask its security evaluation Laboratory to send the security evaluation report to the Security Evaluation Secretariat.

See approved security evaluation laboratories.

Step 4: Report Review

EMVCo reviews the evaluation report.

If the report is found to be comprehensive (complete with product vulnerability analysis and penetration testing), EMVCo will approve the product and issue the Product Provider a product certificate, which will be either an ICCN (for an IC) or PCN (for a Platform). If the Product Provider requested that the certificate be published, EMVCo will add the certificate to the relevant list of approved IC Products or Platform Products.

If the report is not found satisfactory, EMVCo will work with the security evaluation Laboratory until the report meets the requirements.

Note that the policy applied by EMVCo for the initial security approval of products is described in the EMVCo Product Certification Policy. Additional information regarding the certificate issuance and life-cycle is provided in the Certificate Issuance, Renewal and Extension Process.

EMVCo has also issued Security Bulletins that are valid and complement the information provided in these documents.

Note that development and production sites also need to be considered in the context of an EMVCo product approval. Audits may need to be performed for these sites. EMVCo has derived specific guidelines for conducting such audits.

Prerequisites

Prior to being allowed to submit a product for security certification, the following must be completed:

The Product Provider must have been registered as an EMVCo Vendor, following the registration process described in the Card & Mobile Type Approval – Product Provider – Request for Registration
After registration, the Product Provider must have signed a Security Evaluation Agreement with EMVCo’s Security Evaluation Working Group (SEWG); an email should be sent to the Security Evaluation Secretariat to trigger this signature process.

Fee Structure

For each submission of a product for approval, either for a new product, a certificate renewal or update or an extension of expired certificate, specific registration fees shall be paid to EMVCo, as detailed in SEWG Bulletin #3.

Q: Who is the primary contact for EMVCo Security Evaluations?

A: The Security Evaluation secretariat can be reached at securityevaluation@emvco.com.

Q: I want to register for the EMVCo Security Evaluation Process. Are there any prerequisites?

A: If there is no candidate product in development or available, a product provider will have to demonstrate that it intends developing a product (Integrated Circuit, Platform or Integrated Circuit Card) for an existing customer.

Q: Where can I get more information on the EMVCo Security Evaluation Process?

A: The EMVCo Security Evaluation Process document is available at the EMVCo website.

View all related FAQs (PDF)