With the SBMP evaluation process, Product Providers can be granted a security evaluation certificate for their Software-Based Mobile Payment components or solutions (e.g. TEE, CDCVM, Attestation, Software Protection Tools, Mobile Applications and related Software Development Kits (SDK)).
The detailed process for security evaluation of an SBMP solution or component is available here. Its major steps can be summarized as follows:
The Product Provider must fill in the SBMP registration questionnaire and submit it to the SBMP Security Evaluation Secretariat.
EMVCo reviews the registration questionnaire, and if properly completed, works to generate an invoice that will be emailed to the Product Provider.
The Product Provider must pay the invoice.
Then, it must ask its security evaluation Laboratory to send the security evaluation report to the Security Evaluation Secretariat.
EMVCo then reviews the security evaluation report and proceeds as follows:
The process applied by EMVCo for the security evaluation of software-based mobile payment solutions or components is described in the EMVCo SBMP Security Evaluation Process.
Prior to being allowed to submit an SBMP solution or component for security certification, the following steps must be fulfilled:
For each submission of an SBMP component or solution for review, either for a new product, a certificate renewal or an update, specific registration fees shall be paid to EMVCo, as detailed in SE Bulletin #15.
Q: What is the Security Evaluation Process for Software-Based Mobile Payments?
A: The EMVCo Security Evaluation Process assesses whether a Software-Based Mobile Payment (SBMP) component or solution demonstrates sufficient assurance of certain minimum levels of security, including security mechanisms and protections designed to withstand known attacks.
The scope of the Security Evaluation Process previously included Integrated Circuit (IC), Platform and Integrated Circuit Card (ICC) products. EMVCo has now extended the scope to include SBMP components or solutions that enable payment transactions on a mobile device.
Q: Why has EMVCo established a Security Evaluation Process for SBMP?
A: Unlike traditional chip-based and hardware-based secure element solutions, SBMP applications must operate in the more vulnerable consumer device environment.
SBMP solutions therefore often utilise a layered security approach incorporating various device and software components to help combat potential threats. This means that SBMP solutions can be built in different ways using different components, which can create complexities during the security evaluation and approval process.
Consequently, EMVCo recognised an opportunity to develop a dedicated, common approach to evaluating the security of SBMP components and solutions, consolidating existing processes and industry best-practices.
Q: How does the SBMP Security Evaluation Process meet the requirements of industry stakeholders?
A: The SBMP Security Evaluation Process provides an efficient, flexible offering for product providers and promotes a robust security foundation for SBMP solutions.
It introduces a ‘component’ and ‘integration’ evaluation model, allowing components to be evaluated independently or together to validate the security of the overall solution. The component evaluation modules include:
• Trusted Execution Environment (TEE)
• Consumer Device Cardholder Verification Method (CDCVM)
• Attestation
• Software Protection Tools (SPT)
• Mobile Applications and related Software Development Kits (SDK)