Open/Close Search Menu
Close Search Bar
EMVCo Logo
Overview
For Review

Public review

Associate review

All Specifications
By Technology

Contact

Contactless

Mobile

Payment Tokenisation

QR

Secure Remote Commerce

3-D Secure

By Type

Draft Specification

Draft Specification Bulletins

Specifications

Specification Bulletins

General Bulletin

Overview
Overview

Software-Based Mobile Payment Evaluation Process

With the SBMP evaluation process, Product Providers can be granted a security evaluation certificate for their Software-Based Mobile Payment components or solutions (e.g. TEE, CDCVM, Attestation, Software Protection Tools, Mobile Applications and related Software Development Kits (SDK)).

Search evaluated SBMP components (SECNs)
The Approval Process
Step 1 PROVIDER

Product provider sends SBMP Registration Questionnaire to EMVCo.

Step 2 EMVCo

Reviews form and invoices product provider.

Step 3 PROVIDER

Pays invoice and asks security evaluation Laboratory to send report to EMVCo.

Step 4 EMVCo

Reviews security evaluation report, approves product, and issues evaluation certificate to product provider.

Process Summary

The detailed process for security evaluation of an SBMP solution or component is available here. Its major steps can be summarized as follows:

1 of 4 Step 1 Registration

The Product Provider must fill the SBMP registration questionnaire and submit to SBMP Security Evaluation Secretariat.

2 of 4 Step 2 Registration Review

EMVCo reviews the registration questionnaire, and if properly completed, works to generate an invoice that will be emailed to the Product Provider.

3 of 4 Step 3 Payment & Lab Report Submission

The Product Provider must pay invoice.

Then, it must ask its security evaluation Laboratory to send the security evaluation report to the Security Evaluation Secretariat.

4 of 4 Step 4 Evaluation Report Review

EMVCo then reviews the security evaluation report and proceeds as follows:

  • If the report is found comprehensive (product vulnerability analysis, penetration testing), EMVCo validates it and issues a product Evaluation Certificate (SECN) with a unique number to the Product Provider. If the Product Provider wants the certificate to be published, EMVCo adds the certificate to the list of approved products.
  • If the report is not found satisfactory, EMVCo issues additional requests to the security evaluation Laboratory until the report meets the requirements.

The process applied by EMVCo for the security evaluation of software-based mobile payment solutions or components is described in the EMVCo SBMP Security Evaluation Process.

To obtain the Complaints and Appeal procedure, please contact the EMVCo Security Evaluation Secretariat.

Additional helpful links are as follows:

SBMP registration questionnaire
List of SBMP Evaluation Certificates SECN
Other SBMP documentation
Submit Query here to send a complaint or appeal on the Security Evaluation Process
Prerequisites

Prior to being allowed to submit an SBMP solution or component for security certification, the following steps must be fulfilled:

The Product Provider must have been registered as an EMVCo Vendor, following the registration process described here.

After registration, the Product Provider must have signed a Security Evaluation Agreement with EMVCo’s Security Evaluation Working Group (SEWG). Contact the SBMP Security Evaluation Secretariat to trigger this signature process.

Registration process described here
Fee Structure

For each submission of an SBMP component or solution for review, either for a new product, a certificate renewal or an update, specific registration fees shall be paid to EMVCo, as detailed in SE Bulletin #15.

SE Bulletin #15