Open/Close Search Menu
Close Search Bar
EMVCo Logo
Overview
For Review

Public review

Associate review

All Specifications
By Technology

Contact

Contactless

Mobile

Payment Tokenisation

QR

Secure Remote Commerce

3-D Secure

By Type

Draft Specification

Draft Specification Bulletins

Specifications

Specification Bulletins

General Bulletin

Overview
Overview

Common Payment Application (CPA) Approval Process

CPA (Common Payment Application) approval is granted to a card product with an embedded CPA application. The CPA approval process attests the compliance of the card application to the EMV CPA Specification. It also includes a security evaluation of the IC (integrated circuit) and the card on which the CPA-compliant application is installed.

Search approved CPA Products
The Approval Process
STEP 1 PROVIDER

Downloads & signs registration form and business review form to receive a contract and registration number (Product Provider and IC Provider).

STEP 2 PROVIDER

Selects a Laboratory & declares the product. Completes a conformance statement. Also selects a Security Laboratory.

STEP 3 LAB

Tests the product and submits a test report to the product provider (Laboratory and Security Laboratory).

STEP 4 PROVIDER

Selects an EMVCo qualified auditor to perform an evaluation of the additional CPA features (Conditional).

STEP 5 EMVCo

Evaluates the test reports and issues a 3-year Letter of Approval (LOA).

Process Summary

This summary describes the standard process for the approval of a new CPA product. Specific processes may apply for a product change, a derivative product submission, or a product renewal. These additional processes are described in the administrative process.

Obtain the detailed CPA Administrative process
Obtain the card type approval update bulletins
Obtain the detailed Security Evaluation process
Obtain the CPA reference specification and bulletins
Obtain the CPS reference specification
Obtain the specification bulletins
1 of 5 Step 1 Registration

The Integrated Circuit (IC) provider and the product provider shall:

  • fill out the Registration form
  • download and submit a Business Review form to EMVCo.

Once EMVCo receives and accepts the forms, the IC and product provider will receive a contract. Once the contract is signed, EMVCo will assign both a registration number and a product provider registration number. Registration is a one-time process.

Registration Form
Obtain the Business Review Form
2 of 5 Step 2 Product Declaration

The product provider shall select a laboratory and execute bilateral, required agreements and contracts. The product provider shall complete an Implementation Conformance Statement (ICS) document in which it provides detailed information about the product and supported features. The laboratory will validate and submit the ICS to EMVCo for verification.

The product provider shall also select a laboratory to perform a Security Evaluation of the card product.

Obtain the CPA ICS Form
Obtain the list of EMV accredited laboratories for CPA testing
Obtain the list of EMV accredited laboratories for card security evaluation
3 of 5 Step 3 Product Validation

Once EMVCo has accepted the ICS, CCD Level 1 and CCD and CPA Level 2 testing may be performed. The test results are documented in test reports that are submitted by the laboratory to the product provider. The security evaluation of the card product is also performed, with results being sent to the product provider.

Obtain the CPA Card Images Requirement Specification
Obtain the activation and deactivation date of the test cases
4 of 5 Step 4 (Conditional): Audit the Additional CPA Functionalities

If the CPA product also supports additional CPA functionalities, the product provider shall select an EMVCo-qualified auditor, which will perform an evaluation to determine that (1) the additional CPA functionalities are correctly implemented and (2) they do not impact the CPA behavior.

Obtain the list of EMV accredited auditor for CPA
Obtain the Request for Additional CPA Functions Review
5 of 5 Step 5 Product Approval

Upon receipt of the test reports from the laboratory, the product provider decides if it will submit the product to EMVCo for approval. Assuming so, the product provider shall complete a Request for Approval form and ask the laboratory to send the test reports and the card security evaluation report to EMVCo. EMVCo will grant a Letter of Approval (LOA) when a test report demonstrates sufficient product conformance. Applicable fees must be paid before the LOA is granted.

Obtain the CPA Request for Approval Form
Prerequisites

Prior to starting the CPA approval process, the IC provider must request a Security Evaluation of the IC in order to obtain an IC Certificate Number (ICCN).

Chip and Platform Approval Process
Fee Structure

For each submission of a CPA product for approval (either for a new product, a renewal or update), specific fees shall be paid to EMVCo, as detailed in CTA Bulletin 26. Additional information on fees may be found in the CPA Administrative Process.

Note: EMVCo Accredited Laboratories will have a fee structure for laboratory testing services. EMVCo is not responsible for laboratory testing fees.

Obtain the CPA approval fees