Chip & Platform Approval Process

Obtain a security evaluation certificate for an Integrated Circuit (IC) or a Platform product.

Search existing approved IC and Platform Product certificates (ICCNs/PCNs)
The Approval Process
STEP 1 REGISTER

Download & sign registration form and agreement.

Step 2 REGISTRATION REVIEW & INVOICE

Product Provider completes the IC or Platform registration questionnaire & submits it to the Security Evaluation Secretariat.

Step 3 PAYMENT

Product Provider pays the invoice. The security evaluation Laboratory sends the security evaluation report to the SEWG Secretariat.

Step 4 REPORT REVIEW

EMVCo evaluates the report and then issues a product certificate with an ICCN or PCN. Certificate published upon request.

Process Summary

This summary describes the standard process for Chip or Platform approval.  The major steps can be summarized as follows:

1 of 4 Step 1 Register

The Product Provider must complete the IC or Platform registration questionnaire and submit it to the Security Evaluation Secretariat.

2 of 4 Step 2 Registration Review & Invoice

EMVCo reviews the registration questionnaire, and if properly completed, works with EMVCo’s financial team to generate and send an invoice to the Product Provider.

3 of 4 Step 3 Payment

The Product Provider must pay the invoice, then ask its security evaluation Laboratory to send the security evaluation report to the Security Evaluation Secretariat.

4 of 4 Step 4 Report Review

EMVCo reviews the evaluation report.

If the report is found to be comprehensive (complete with product vulnerability analysis and penetration testing), EMVCo will approve the product and issue the Product Provider a product certificate, which will be either an ICCN (for an IC) or PCN (for a Platform). If the Product Provider requested that the certificate be published, EMVCo will add the certificate to the relevant list of approved IC Products or Platform Products.

If the report is not found satisfactory, EMVCo will work with the security evaluation Laboratory until the report meets the requirements.

Note that the policy applied by EMVCo for the initial security approval of products is described in the EMVCo Product Certification Policy. Additional information regarding the certificate issuance and life-cycle is provided in the Certificate Issuance, Renewal and Extension Process.

EMVCo has also issued Security Bulletins that are valid and complement the information provided in these documents.

Note that development and production sites also need to be considered in the context of an EMVCo product approval. Audits may need to be performed for these sites. EMVCo has derived specific guidelines for conducting such audits.

To obtain the Complaints and Appeal procedure, please contact the EMVCo Security Evaluation Secretariat.

Additional helpful links are as follows:

Prerequisites

Prior to being allowed to submit a product for security certification, the following must be completed:

The Product Provider must have been registered as an EMVCo Vendor, following the registration process described in the Card & Mobile Type Approval – Product Provider – Request for Registration

After registration, the Product Provider must have signed a Security Evaluation Agreement with EMVCo’s Security Evaluation Working Group (SEWG); an email should be sent to the Security Evaluation Secretariat to trigger this signature process.

Card & Mobile Type Approval - Product Provider - Request for Registration
Fee Structure

For each submission of a product for approval, either for a new product, a certificate renewal or update or an extension of expired certificate, specific registration fees shall be paid to EMVCo, as detailed in SEWG Bulletin #3.

SEWG Bulletin #3