SE Bulletin nº17: SBMP Evaluation and Testing Deliverables

EMV® Security Evaluation Bulletin 17 – Software-Based Mobile Payment Second Edition - July 2025 Software-Based Mobile Payment – Evaluation and Testing Deliverables This bulletin defines EMVCo’s policy regarding the evaluation documentary and testing deliverables provided by Product Providers to recognized Laboratories as part of the Software Based Mobile Payment (SBMP) Security Evaluation Process of their products. Any questions in relation to this bulletin should be directed to the EMVCo Security Evaluation Secretariat at sbmpsecurity@emvco.com. Applicability This Bulletin applies to: • SBMP Product Providers • SBMP recognized Laboratories Related Documents • SBMP Security Evaluation Process • Software-Based Mobile Payment Security Requirements • Software-Based Mobile Payment Security Evaluation Methodology Effective Date • 1st August 2025 © 2025 EMVCo, LLC. EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 1 Background The EMVCo SBMP Security Evaluation Process is based on a set of published EMVCo documents (requirements and security guidelines) made available to Product Providers and security Evaluation Laboratories for the development and security evaluation of their products. The process evaluates the security features of the different components that can be integrated within an SBMP solution. The following SBMP security evaluation categories are used within the EMVCo certification program: a) Trusted Execution Environments (hardware-based TEE, TPM, eSE, etc. or software-only vTEE) b) Mechanisms for providing a CDCVM (e.g. biometrics) c) Multi-Factor Authentication implementations (authenticators and back-end) d) Software Protection Tools, e.g. cryptographic libraries using, for example, White Box Cryptography (WBC), software libraries and techniques providing obfuscation, Application/OS tamper detection mechanisms e) Attestation mechanisms f) Software Development Kits (SDKs) g) Mobile Applications The figure below depicts the roles of the various actors and the major phases of an EMVCo SBMP Security Evaluation: © 2025 EMVCo, LLC. EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 2 As a complement to the SBMP Security Evaluation Process, this bulletin highlights the documentary and key technical aspects that Product Providers need to address and the deliverables they shall provide to Evaluation Laboratories to enable them to perform their evaluations while addressing EMVCo security evaluation requirements from a documentary and testing perspective. Prerequisites Before launching an evaluation of their SBMP component or solution, Product Providers first need to register with EMVCo by signing the appropriate security evaluation contract. Once this step is complete, they shall submit a product Registration Questionnaire to the Security Evaluation Secretariat and select an EMVCo recognized Laboratory to perform the evaluation of their product. The following sections of this bulletin detail the items that need to be considered and provided in order to allow the Evaluation Laboratory to meet the EMVCo requirements while performing their evaluation tasks. Documentation to be provided Please refer to the SBMP Security Evaluation Requirements document for details on the requirement categories mentioned throughout this section. The following documents or information shall be made available to the Evaluation Laboratory before the start of the evaluation process: • SBMP Integration Model information, listing all involved components and their versions (including supported OS, TEE, SPT, MPA: main components such as APKs and sub-components like libraries, Trusted Applications, etc.) • A comprehensive list of security assets as part of the Security Guidance as required in MA-SEC-REQ-1.3 • A hierarchy of cryptographic keys as required in MA-SEC-REQ-7.4 • A document explaining the functional design of the TOE and its security architecture. This shall include at least the logical architecture diagram and data flow, external communication interfaces, description of relevant components, and communication protocols. • The Security Guidance document (see requirement MA-SEC-REQ-1). • The name and version of any tools or methods used for software protection strategies such as code obfuscation, White-Box Crypto, anti-instrumentation or anti-emulation, along with the parameters used shall be provided, together with a rationale on the specific parameters chosen. • The name and version of any tools or methods used for root prevention / detection shall be provided along with a rationale detailing the known root exploits that should be detected and/or prevented. • A document describing the entity binding model. • Information related to the TOE development process including evidence required for MA-SEC-REQ-8. • For the case of Software Protection Tools, the Product Provider’s recommended tool configuration to be evaluated. © 2025 EMVCo, LLC. EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 3 Security Guidance The Security Guidance is an important TOE document (or set of documents) which provides necessary information on the security gaps and goals of the TOE. In case of an evolution during the evaluation to add recommendations following successful attacks, the final version shall then be provided to the Evaluation Laboratory. The audience varies according to the type of TOE: • If the TOE is an SDK or library, the audience is Mobile Application (MA) developers, • If the TOE is an MA, the audience is MA integrators (e.g., the Issuer). In either case, the Evaluation Laboratory shall obtain a copy of the Security Guidance of the TOE as part of the Product Provider deliverables. The Evaluation Laboratory shall be enabled to validate the Security Guidance and ensure that it contains at least the following: • All the elements mentioned in requirement MA-SEC-REQ-1, • The system level security mechanisms used by the TOE, • If the TOE is implemented following a specification, the guidance shall list the deviations, if any, from said specification, both at a functional and security level. Source Code The Product Provider shall make available all relevant source code within evaluation scope of an SBMP product solution comprising software (including all sensitive functions or features of the enrolment and payment processes) and related hardware components, allowing for an independent review by the Evaluation Laboratory, for the duration of the evaluation. For an efficient evaluation process, the developer shall provide the Laboratory with the stable, most recent, uniquely identifiable version of the source code. It should be up to date without test, debugging, old, or deprecated source code that is not used in production releases. If the Product Provider does not have time for code cleaning (e.g., removing debug instructions which are eliminated at compilation time), then the Product Provider shall inform the Laboratory and explain how to distinguish the effective source code from code that will be eliminated. For Software Protection Tool evaluations, the source code together with the design documentation describing the tool’s features shall be delivered upon Laboratory’s request. Access to the code must be available for the duration of the security evaluation and any issues shall be discussed with the Security Evaluation Secretariat. © 2025 EMVCo, LLC. EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 4 Testing Environment It is important for the Product Provider to pre-arrange server-side controls to enable testing with the TOE during the security evaluation. The Product Provider shall therefore provide the Evaluation Laboratory with a fully functional test environment, either through their own network or through the Payment System’s network, providing at least the following features: • Initialisation of test MAs in test-designated Mobile Consumer Devices with root prevention/detection mechanism activated/deactivated as necessary (for products claiming such security mechanisms). • Test card enrolment • Payment keys replenishment Different TOE configurations may be used depending on the test scenarios. Additional test environment functionalities may be necessary for the Evaluation Laboratory during testing. These functionalities may include, for example, the ability to trigger key replenishment or modify serverside component settings such as risk parameters, transaction quotas, etc. For Software Protection Tool evaluations, it is mandatory to provide access to the tool itself so that the Laboratory can challenge the tool’s security features. However, this might not be relevant for specific tools. In such case a rationale shall be provided and discussed with the Security Evaluation Secretariat prior to the evaluation. Submitting a security evaluation after the 1st April 2025 without conformance to this Bulletin will result in a failed review and EMVCo will not grant an evaluation certificate. Details of the EMVCo SBMP Security Evaluation Process are available from www.emvco.com. © 2025 EMVCo, LLC. EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 5 Legal Notice This document summarizes EMVCo’s present plans for evaluation services and related policies and is subject to change by EMVCo at any time. This document does not create any binding obligations upon EMVCo or any third party regarding the subject matter of this document, which obligations will exist, if at all, only to the extent set forth in separate written agreements executed by EMVCo or such third parties. In the absence of such a written agreement, no product provider, test laboratory or any other third party should rely on this document, and EMVCo shall not be liable for any such reliance. No product provider, test laboratory or other third party may refer to a product, service or facility as EMVCo approved, in form or in substance, nor otherwise state or imply that EMVCo (or any agent of EMVCo) has in whole or part approved a product provider, test laboratory or other third party or its products, services, or facilities, except to the extent and subject to the terms, conditions and restrictions expressly set forth in a written agreement with EMVCo, or in an approval letter, compliance certificate or similar document issued by EMVCo. All other references to EMVCo approval are strictly prohibited by EMVCo. Under no circumstances should EMVCo approvals, when granted, be construed to imply any endorsement or warranty regarding the security, functionality, quality, or performance of any particular product or service, and no party shall state or imply anything to the contrary. EMVCo specifically disclaims any and all representations and warranties with respect to products that have received evaluations or approvals, and to the evaluation process generally, including, without limitation, any implied warranties of merchantability, fitness for purpose or non-infringement. All warranties, rights and remedies relating to products and services that have undergone evaluation by EMVCo are provided solely by the parties selling or otherwise providing such products or services, and not by EMVCo, and EMVCo will have no liability whatsoever in connection with such products and services. This document is provided "AS IS" without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in this document. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, AS TO THIS DOCUMENT. EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to this document. EMVCo undertakes no responsibility to determine whether any implementation of this document may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of this document should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, this document may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement this document is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party's infringement of any intellectual property rights in connection with this document. © 2025 EMVCo, LLC. EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 6