Software-Based Mobile Payment Evaluation Process

With the SBMP evaluation process, Product Providers can be granted a security evaluation certificate for their Software-Based Mobile Payment components or solutions (e.g. TEE, CDCVM, Attestation, Software Protection Tools, Mobile Applications and related Software Development Kits (SDK)).

Search evaluated SBMP components (SECNs)


Prior to being allowed to submit an SBMP solution or component for security certification, the following steps must be fulfilled:

  • The Product Provider must have been registered as an EMVCo Vendor, following the registration process described here.
  • After registration, the Product Provider must have signed a Security Evaluation Agreement with EMVCo’s Security Evaluation Working Group (SEWG). Contact the SBMP Security Evaluation Secretariat to trigger this signature process.


Q: What is the Security Evaluation Process for Software-Based Mobile Payments?

A: The EMVCo Security Evaluation Process assesses whether a Software-Based Mobile Payment (SBMP) component or solution demonstrates sufficient assurance of certain minimum levels of security, including security mechanisms and protections designed to withstand known attacks.

The scope of the Security Evaluation Process previously included Integrated Circuit (IC), Platform and Integrated Circuit Card (ICC) products. EMVCo has now extended the scope to include SBMP components or solutions that enable payment transactions on a mobile device.

Q: Why has EMVCo established a Security Evaluation Process for SBMP?

A: Unlike traditional chip-based and hardware-based secure element solutions, SBMP applications must operate in the more vulnerable consumer device environment.

SBMP solutions therefore often utilise a layered security approach incorporating various device and software components to help with combating the potential threats. This means that SBMP solutions can be built in different ways using different components, which can create complexities during the security evaluation and approval process.

Consequently, EMVCo recognised an opportunity to develop a dedicated, common approach to evaluating the security of SBMP components and solutions, consolidating existing processes and industry best-practices.

Q: How does the SBMP Security Evaluation Process meet the requirements of industry stakeholders?

A: The SBMP Security Evaluation Process provides an efficient, flexible offering for product providers and promotes a robust security foundation for SBMP solutions.

It introduces a ‘component’ and ‘integration’ evaluation model, allowing components to be evaluated independently or together to validate the security of the overall solution. The component evaluation modules include:
• Trusted Execution Environment (TEE)
• Consumer Device Cardholder Verification Method (CDCVM)
• Attestation
• Software Protection Tools (SPT)
• Mobile Applications and related Software Development Kits (SDK)

View all related FAQs (PDF)