Common Payment Application (CPA) Approval Process

The Integrated Circuit (IC) provider and the product provider shall:

• fill out the Registration form
• download and submit a Business Review form to EMVCo.

Once EMVCo receives and accepts the forms, the IC and product provider will receive a contract. Once the contract is signed, EMVCo will assign both a registration number and a product provider registration number. Registration is a one-time process.

The product provider shall select a laboratory and execute bilateral, required agreements and contracts. The product provider shall complete an Implementation Conformance Statement (ICS) document in which it provides detailed information about the product and supported features. The laboratory will validate and submit the ICS to EMVCo for verification.

The product provider shall also select a laboratory to perform a Security Evaluation of the card product.

Once EMVCo has accepted the ICS, CCD Level 1 and CCD and CPA Level 2 testing may be performed. The test results are documented in test reports that are submitted by the laboratory to the product provider. The security evaluation of the card product is also performed, with results being sent to the product provider.

If the CPA product also supports additional CPA functionalities, the product provider shall select an EMVCo-qualified auditor, which will perform an evaluation to determine that (1) the additional CPA functionalities are correctly implemented and (2) they do not impact the CPA behavior.

Upon receipt of the test reports from the laboratory, the product provider decides if it will submit the product to EMVCo for approval. Assuming so, the product provider shall complete a Request for Approval form and ask the laboratory to send the test reports and the card security evaluation report to EMVCo. EMVCo will grant a Letter of Approval (LOA) when a test report demonstrates sufficient product conformance. Applicable fees must be paid before the LOA is granted.