CPA (Common Payment Application) approval is granted to a card product with an embedded CPA application. The CPA approval process attests the compliance of the card application to the EMV CPA Specification. It also includes a security evaluation of the IC (integrated circuit) and the card on which the CPA-compliant application is installed.
Search approved CPA Products
This summary describes the standard process for the approval of a new CPA product. Specific processes may apply for a product change, a derivative product submission, or a product renewal. These additional processes are described in the administrative process.
Obtain the detailed CPA Administrative process
Obtain the card type approval update bulletins
Obtain the detailed Security Evaluation process
Obtain the CPA reference specification and bulletins
Obtain the CPS reference specification
Obtain the specification bulletins
The Integrated Circuit (IC) provider and the product provider shall:
Once EMVCo receives and accepts the forms, the IC and product provider will receive a contract. Once the contract is signed, EMVCo will assign both a registration number and a product provider registration number. Registration is a one-time process.
Obtain the Business Review Form
The product provider shall select a laboratory and execute the required bilateral agreements and contracts. The product provider shall complete an Implementation Conformance Statement (ICS) document in which it provides detailed information about the product and supported features. The laboratory will validate and submit the ICS to EMVCo for verification.
The product provider shall also select a laboratory to perform a Security Evaluation of the card product.
Obtain the list of EMV accredited laboratories for CPA testing
Obtain the list of EMV accredited laboratories for card security evaluation
Once EMVCo has accepted the ICS, CCD Level 1 and CCD and CPA Level 2 testing may be performed. The test results are documented in test reports that are submitted by the laboratory to the product provider. The security evaluation of the card product is also performed, with results being sent to the product provider.
Obtain the CPA Card Images Requirement Specification
Obtain the activation and deactivation date of the test cases
If the CPA product also supports additional CPA functionalities, the product provider shall select an EMVCo-qualified auditor, which will perform an evaluation to determine that (1) the additional CPA functionalities are correctly implemented and (2) they do not impact the CPA behavior.
Obtain the list of EMV accredited auditors for CPA
Obtain the Request for Additional CPA Functions Review
Upon receipt of the test reports from the laboratory, the product provider decides if it will submit the product to EMVCo for approval. Assuming so, the product provider shall complete a Request for Approval form and ask the laboratory to send the test reports and the card security evaluation report to EMVCo. EMVCo will grant a Letter of Approval (LOA) when a test report demonstrates sufficient product conformance. Applicable fees must be paid before the LOA is granted.
Prior to starting the CPA approval process, the IC provider must request a Security Evaluation of the IC in order to obtain an IC Certificate Number (ICCN).
For each submission of a CPA product for approval (either for a new product, a renewal or update), specific fees shall be paid to EMVCo, as detailed in CTA Bulletin 26. Additional information on fees may be found in the CPA Administrative Process.
Note: EMVCo Accredited Laboratories will have a fee structure for laboratory testing services. EMVCo is not responsible for laboratory testing fees.