PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Tracked metadata: Sourced from EMVCo's public document index. PCI Watch records each document's details and its extracted text so changes can be tracked over time; the document PDF itself is hosted by EMVCo.
View on EMVCo.com →

EMV® 3-D Secure Approval - Test Platform Provider Recognition and Test Platform Qualification Process

v1.2.r Service Provider Recognition/Qualification
3-D Secure
Extracted document text

EMVCo's index flattens the document's layout, so this text is best used for searching and comparing versions rather than reading end-to-end.

This document is large; EMVCo's index truncates its extracted text, so the excerpt below is partial.

EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process Version 1.2.r September 2025 EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page i / v Legal Notice This document summarizes EMVCo’s present plans for evaluation services and related policies and is subject to change by EMVCo at any time. This document does not create any binding obligations upon EMVCo or any third party regarding the subject matter of this document, which obligations will exist, if at all, only to the extent set forth in separate written agreements executed by EMVCo or such third parties. In the absence of such a written agreement, no product provider, test laboratory or any other third party should rely on this document, and EMVCo shall not be liable for any such reliance. No product provider, test laboratory or other third party may refer to a product, service or facility as EMVCo approved, in form or in substance, nor otherwise state or imply that EMVCo (or any agent of EMVCo) has in whole or part approved a product provider, test laboratory or other third party or its products, services, or facilities, except to the extent and subject to the terms, conditions and restrictions expressly set forth in a written agreement with EMVCo, or in an approval letter, compliance certificate or similar document issued by EMVCo. All other references to EMVCo approval are strictly prohibited by EMVCo. Under no circumstances should EMVCo approvals, when granted, be construed to imply any endorsement or warranty regarding the security, functionality, quality, or performance of any particular product or service, and no party shall state or imply anything to the contrary. EMVCo specifically disclaims any and all representations and warranties with respect to products that have received evaluations or approvals, and to the evaluation process generally, including, without limitation, any implied warranties of merchantability, fitness for purpose or noninfringement. All warranties, rights and remedies relating to products and services that have undergone evaluation by EMVCo are provided solely by the parties selling or otherwise providing such products or services, and not by EMVCo, and EMVCo will have no liability whatsoever in connection with such products and services. This document is provided "AS IS" without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in this document. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT, AS TO THIS DOCUMENT. EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to this document. EMVCo undertakes no responsibility to determine whether any implementation of this document may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of this document should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, this document may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement this document is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party's infringement of any intellectual property rights in connection with this document. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page ii / v Revision Log – Version 1.2.r The following changes have been made to the document since the publication of Version 1.2. Some of the numbering and cross references in this version have been updated to reflect changes introduced by the published bulletins. The numbering of existing requirements did not change, unless explicitly stated otherwise. Incorporated changes described in the following Specification and Administrative Updates: • None identified. Other editorial changes: • Editorial updates. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page iii / v Contents 1 INTRODUCTION............................................................................................................. 1 1.1 Purpose............................................................................................................... 1 1.2 Audience ............................................................................................................. 1 1.3 Normative Reference........................................................................................... 1 1.4 Definitions ........................................................................................................... 5 1.5 Notational Conventions ....................................................................................... 9 1.5.1 Abbreviations ........................................................................................... 9 1.5.2 Terminology and Conventions.................................................................. 9 2 OBTAIN TEST PLATFORM PROVIDER RECOGNITION ...................................................... 10 2.1 Test Platform Recognition Manager .................................................................. 11 2.2 Step 1- Registration and Legal Agreements ...................................................... 12 2.3 Step 2- Test Platform “Recognition” Qualification .............................................. 14 2.3.1 Test Platform Qualification Declaration .................................................. 14 2.3.2 “Recognition” Qualification Process ....................................................... 15 2.3.2.1 “Recognition” Qualification Step 2A - Platform Functionalities and User Interface Verification ...................................................................... 15 2.3.2.2 “Recognition” Qualification Step 2B – Platform Design and Implementation Verification ............................................................ 15 2.3.2.3 “Recognition” Qualification Step 2C - Verification of the Test Plan(s) implementation............................................................................... 16 2.3.3 EMVCo Review and Delivery of Letter of Qualification ........................... 18 2.4 Step 3 - Initial Recognition Audit........................................................................ 19 2.4.1 Initial Recognition Audit Description ....................................................... 19 2.4.2 Audit Requirements ............................................................................... 23 2.4.2.1 Written Evidence ............................................................................ 23 2.4.2.2 Site Visit ......................................................................................... 25 2.4.2.3 Demonstration of Test Platform in Operation.................................. 25 2.4.2.4 Corrective Action Plan.................................................................... 26 3 MAINTAIN TEST PLATFORM PROVIDER RECOGNITION ................................................... 27 3.1 Additional Types of Qualification Processes ...................................................... 27 3.1.1 Protocol or Component Qualification...................................................... 27 3.1.2 Test Plan Implementation Qualification requested by EMVCo................ 27 3.1.3 Qualification requested by EMVCo – Test Platform or Script Update ..... 28 3.2 Additional Types of Recognition Audit ............................................................... 28 3.2.1 Recognition Renewal Audit .................................................................... 28 3.2.2 Interim Proficiency Audit ........................................................................ 32 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page iv / v 4 MODIFICATION OR TERMINATION OF RECOGNITION....................................................... 35 4.1 Termination of Recognition at Test Platform Provider’s request ........................ 35 4.2 Suspension of Recognition ................................................................................ 35 4.3 Revocation of Recognition................................................................................. 36 Appendix A – Requirement Matrix ............................................................................. 37 Appendix B – Test Platform Provider Fees ................................................................ 39 Appendix C – Test Platform Provider Corrective Action Plan ..................................... 40 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page v / v Tables Table 1.1: 3-D Secure Specifications ................................................................................... 1 Table 1.2: 3-D Secure Approval Documents ........................................................................ 2 Table 1.3: 3-D Secure Test Platform Forms .......................................................................... 3 Table 1.4: External References ............................................................................................ 3 Table 1.5: Definitions ............................................................................................................ 5 Table 1.6: Abbreviations ....................................................................................................... 9 Table 2.1: Registration and Contracts Procedure ............................................................... 12 Table 2.2: Verification of the Test Plan(s) implementation.................................................. 16 Table 2.3: Initial Recognition Audit process........................................................................ 19 Table 3.1: Recognition Renewal Audit process .................................................................. 28 Table 3.2: Interim Proficiency Audit Process ....................................................................... 32 Table 4.1: Requirement Matrix ........................................................................................... 37 Figures Figure 2.1: Process Flow 1 - Initial Recognition Audit Process ........................................... 22 Figure 3.1: Process Flow 2 - Recognition Renewal Audit Process ..................................... 31 Figure 3.2: Process Flow 3 - Interim Proficiency Audit Process.......................................... 34 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r 1 Introduction Page 1 / 41 1.1 Purpose This document describes the 3DS Test Platform Provider recognition process and the 3DS Test Platform qualification process that EMVCo uses to assess whether a 3DS Test Platform Provider has implemented its Test Platform, in compliance with EMV Test Platform Requirements. The document also outlines a set of requirements that an EMVCo Qualified Auditor will use along with the EMV Test Platform Requirements and the standard [ISO17025] requirements to assess a Test Platform Provider’s capabilities. The resulting audit report will enable EMVCo to judge whether a Test Platform Provider has the proper competencies and the proper administrative structure to perform and offer 3DS testing services. Note: Even if the scope of standard [ISO17025] is wider than the needed requirement for 3DS Test Platform purposes, this standard is used as reference in the present document 1.2 Audience This document is intended for parties who are willing to develop and host a 3DS Test Platform and are seeking EMV recognition. This document is also intended for EMVCo Qualified Auditors that will perform Test Platform Provider recognition audits. 1.3 Normative Reference Ref. [PCF 3DS] [SDK 3DS] [SPLIT 3DS] [DEV 3DS] [VER 3DS] Table 1.1: 3-D Secure Specifications Document Title EMV® 3-D Secure Protocol and Core Functions Specification EMV® 3-D Secure SDK Specification EMV® 3-D Secure Split-SDK Specification EMV® 3-D Secure SDK Device Information EMV® 3DS Version Number Management - Protocol Version 2.3.0 & above Version Latest Available per Protocol Version Latest Available per Protocol Version Latest Available Distribution Publicly Available Publicly Available Publicly Available Latest version Publicly Available Latest Available Publicly Available © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 2 / 41 Ref. [SB 3DS] [SB 3DS 255] Document Title EMV® 3-D Secure Specification Bulletins (SB Bulletins) EMV® 3-D Secure Specification Bulletins 255 – 3DS Specification Version Configuration Version All Distribution Publicly Available Latest Available Publicly Available Ref. [AP 3DS] [TP REQ] [TC 3DS] [SUT REQ] [HARNES] TPP_REQ [TP VER] [CM 3DS] [AB 3DS 04] Table 1.2: 3-D Secure Approval Documents Document Title EMV® 3-D Secure Approval Administrative Process EMV® 3-D Secure - Test Platform Requirements EMV® 3-D Secure Test Suite (which includes EMV® 3-D Secure Test Plan) Version Latest Available Latest Available Latest Available per Protocol Version Test Requirements - for all Systems Under Test - for ACS as System Under Test - for 3DS Default-SDK and Split- SDK as System Under Test - for DS as System Under Test - for 3DS Server as System Under Test Test Harness for Split-SDK as System Under Test Additional test requirements for Test Platform Providers Last Applicable version Last Applicable version Latest Available EMV® 3-D Secure - Test Plan Release Management Latest Available EMV® 3-D Secure - Change Management and Notification Process EMV® 3-D Secure Approval Bulletin n°4 – 3-D Secure Test Platform Fees and Invoicing Process Latest Available Latest Available Distribution Publicly Available Publicly Available Restricted to Laboratories and Test Platform Providers Publicly Available Publicly Available Restricted to Laboratories and Test Platform Providers Restricted to Laboratories and Test Platform Providers Restricted to Laboratories and Test Platform Providers Restricted to Test Platform Providers © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 3 / 41 Ref. [AB 3DS 19] [AB 3DS] [APP COM 03] [APP COM 04] [APP COMS] Document Title EMV® 3-D Secure Approval Bulletin n°19 – Selectable EMV® 3-D Secure Specification Versions During an Approval EMV® 3-D Secure Application Bulletins (AB Bulletins) EMV® 3-D Secure Approval Communication n°3 – Test Plan Implementation Qualification (Step 2c) – ACS, 3DS Server, DS components EMV® 3-D Secure Approval Communication n°3 – Test Plan Implementation Qualification (Step 2c) – 3DS SDK component EMV® 3-D Secure Approval Communications Test Document License Agreement Version Latest Available All Latest Available Latest Available All Latest Available Test Platform Provider Agreement Latest Available Distribution Publicly Available Publicly Available Restricted to Test Platform Providers Restricted to Test Platform Providers Restricted to Test Platform Providers Restricted to Laboratories and Test Platform Providers Restricted to Test Platform Providers Ref. [ICS 3DS] [TPP RRF] Table 1.3: 3-D Secure Test Platform Forms Document Title 3-D Secure - Implementation Conformance Statement 3-D Secure Report Template 3-D Secure – Test Platform Provider Request for Registration Form 3-D Secure – Test Platform Qualification Declaration Version Distribution Latest Available Publicly Available Latest Available Latest Available Restricted to Laboratories and Test Platform Providers Publicly Available Latest Available Restricted to Test Platform Providers Table 1.4: External References © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 4 / 41 Ref. Document Title [ISO17025] ISO/IEC 17025—General requirements for the competence of testing and calibration laboratories Version Latest Available Distribution Publicly Available [ISO27001] ISO/IEC 27001 Security techniques / Information security management systems Requirements Latest Available Publicly Available [SSAE18] AICPA Statement on Standards for Attestation Engagements no. 18 Latest Available Publicly Available © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r 1.4 Definitions Table 1.5 defines selected terms used in this document. Page 5 / 41 Table 1.5: Definitions Term 3DS Approval Bulletin 3DS Approval Communication 3DS Component Recognition Active/Activation Active Protocol Approval EMVCo EMVCo Recognised Laboratory (or Test Laboratory or Laboratory) EMVCo Recognised Test Platform Provider (or Test Platform Provider) Definition Public notification released to communicate updates to the 3-D Secure Approval Process (Test Plan activation date or process updates). Restricted notification released to communicate to the Laboratories and/or Test Platform Providers updates to the 3-D Secure Approval Process (Test Plan activation dates, test case or Test Platform issues, testing guidelines, or process updates). There are 4 3DS components: • 3DS SDK (Default-SDK or Split-SDK variants) • 3DS Server • Directory Server (DS) • Access Control Server (ACS) Formal recognition by EMVCo that a Test Platform Provider is competent to operate 3DS Test Platform services for one or more categories of testing defined by EMVCo 3-D Secure Approval procedures. Refers to the condition that a Protocol Version, Test Plan version or a specific Test Plan Implementation is deployed on an EMVCo Recognised Test Platform and becomes available for Product Provider to execute. The list of the active Protocol Versions is provided in the latest 3DS Specification Bulletin 255 [SB 3DS 255]. Acknowledgment by EMVCo that the specified product has demonstrated sufficient compliance to the EMV Specifications for its stated purpose. The organization that manages the EMV specifications and their related testing processes. An independent, impartial entity that has been audited by an EMVCo Qualified Auditor for compliance with EMVCo 3DS Laboratory requirements and has received a Letter of Recognition from EMVCo, entitling it to perform 3DS testing. An independent, impartial entity that has been audited by an EMVCo Qualified Auditor for compliance with EMVCo 3DS Test Platform requirements and has received a Letter of Recognition from EMVCo, entitling it to offer 3DS Test Platform services. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 6 / 41 EMVCo 3DS Approval Secretariat The EMVCo entity that manages the 3-D Secure Approval process defined in [AP 3DS] and related documents. EMVCo 3DS Laboratory Document Repository A digital file repository, used for distributing material from EMVCo to Laboratories, for example Test Plans. Currently referred to as Thrive. EMVCo Qualified Auditor EMVCo Qualified Test Platform Letter of Recognition Letter of Qualification Letter of Revocation Licensee Multi-Protocol Version Support Overlapping Period Protocol Version Product Provider An independent, impartial entity that has received a Letter of Qualification from EMVCo, entitling it to verify conformance to EMV defined Approval procedures. A Test Platform for which the Test Platform Provider has received a Letter of Qualification from EMVCo. Written statement that documents the decision of EMVCo that a 3DS Test Platform Provider has been audited and recognised by EMVCo and is competent to carry out specific functions as defined by EMVCo type approval procedures and EMV Test Platform requirements. Written statement that documents the decision of EMVCo that a 3DS Test Platform has demonstrated sufficient compliance to support and operate EMV test plans and requirements. Written statement that documents the decision of EMVCo that a Test Platform is no longer an EMVCo Qualified Test Platform and that the Test Platform Provider’s EMVCo Test Document License Agreement is terminated. An entity that has executed a Test Document License Agreement with EMVCo. 3DS components are required to support all active Protocol Versions as defined in [PCF 3DS] Requirement 311 and in the latest 3DS Specification Bulletin 255 [SB 3DS 255]. This rule is applied in Compliance testing to include the highest Protocol Version selected and all lessor active Protocol Versions. Period where both the Incoming and Outgoing Test Plans under a single Protocol Version are active and supported on the Test Platform. This period ends when the Outgoing Test Plan Version becomes Inactive. Protocol Version defines the interoperability between the 3DS Secure components. Protocol Version format is MAJOR.MINOR.PATCH and it is defined in [VER 3DS]. The entity that submits a 3-D Secure component for approval. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 7 / 41 Qualification Qualification Reference Number Registration Number Selectable Protocol Specification Bulletin System Under Test Test Case Test Plan Test Plan Implementation Test Platform (or 3DS Test Platform) Test Platform Recognition Manager Test Platform Provider Test Platform Qualification Declaration Test Platform Under Test Test Script Process to obtain formal recognition by EMVCo that a Test Platform has sufficiently implemented the test cases for a particular EMVCo Test Plan or type of EMVCo testing. A unique identification number that EMVCo assigns to a specific version of the Test Platform once that version of the Test Platform has been qualified. Unique identification number that EMVCo assigns to a Test Platform Provider, to be used on all communication and reports sent to EMVCo. The list of the selectable Protocol Versions for a 3DS approval is provided in [AB 3DS 19] Notification released to communicate updates to the EMV specifications. The 3-D Secure Component (may include hardware with identified Operating System) that is being evaluated for its compliance with EMVCo specification and for receipt of LOA A description of the actions required to achieve a specific test objective. Specification describing all Test Cases that have to be run to verify the compliance of a 3DS component to a version of 3DS Secure protocol and Core Functions Specification and 3DS Secure SDK Specification. Implementation of a Test Plan by a Test Platform Provider in its testing environment. An online test system that has been EMVCo recognised for 3DS testing. The Test Platform executes 3-D Secure test plans and test cases which SUTs use for 3DS compliance approval. An independent, impartial entity that has been selected by EMVCo to supervise the recognition of a Test Platform Provider and to conduct qualification evaluations. Entity developing and hosting the Test Platform, in accordance with EMVCo Test requirements. Form in which the Test Platform Provider indicates for which Test Plan Version and 3DS Components he wants to submit its Test Platform for qualification A Test Platform that is in the process of qualification by EMVCo The implementation of an individual test case. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 8 / 41 Test Suite The total collection of all test scripts that implement the individual test cases for a particular Test Plan version. The Test Suite also includes the documentation as well as the System Under Test Requirements. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r 1.5 Notational Conventions 1.5.1 Abbreviations The abbreviations listed in Table 1.6 are used in this document. Table 1.6: Abbreviations Abbreviation Description 3DS EMV 3-D Secure 3DSS 3DS Server 3DS TG EMVCo 3DS Testing Group DS Directory Server ACS Access Control Server ICS Implementation Conformance Statement LoA Letter of Recognition LoQ Letter of Qualification SDK Software Development Kit TPAM Test Platform Recognition Manager TPP Test Platform Provider TPQD Test Platform Qualification Declaration TPUT Test Platform Under Test Page 9 / 41 1.5.2 Terminology and Conventions The following words are used often in these specifications and have a specific meaning: Shall Defines a product or system capability which is mandatory. May Defines a product or system capability which is optional or a statement which is informative only and is out of scope for these specifications. Should Defines a product or system capability which is recommended. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 10 / 41 2 Obtain Test Platform Provider Recognition A 3DS Test Platform Provider shall obtain EMV recognition in order to prove compliance to the Test Platform Provider requirements described in the Test Platform Requirements [TP REQ]. The EMV Test Platform Provider recognition process comprises three different steps that have to be performed according to the sequence below: Step 1- Registration and Legal Agreements Step 2 – Test Platform « Recognition » Qualification - Step 2A: Functionalities and User Interface - Step 2B: Platform Design and Implementation - Step 2C: Test Plan Implementation Step 3 – Initial Recognition Audit After completing steps 1, 2 and 3 successfully, EMVCo shall issue a Letter of Qualification for the Test Platform and a Letter of Recognition to the Test Platform Provider. With both letters, the Test Platform Provider is authorized to offer 3DS testing services. Note: Please refer to Appendix A – Requirement Matrix for the detailed list of requirements that will be evaluated during the recognition process. Note: EMVCo reserves the right, at its own discretion and without providing a detailed explanation, to deny a Test Platform Provider the right to proceed through the recognition process. Note: Test Platform Provider recognition is subject to fees (See Appendix B – Test Platform Provider Fees). Note: Step 3 may start before the completion of Step 2C at the discretion of EMVCo. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 11 / 41 2.1 Test Platform Recognition Manager A Test Platform Recognition Manager (TPAM) is assigned by EMVCo to supervise the recognition of a Test Platform Provider. The TPAM can be contacted at tpam@emvco.com when a Test Platform Provider is in preparing for the recognition. The Test Platform Recognition Manager: - Follows up the registration and the signature of the legal agreement by the Test Platform Provider (Step 1) - Is the main interface to the Test Platform Provider during the Test Platform qualification (Step 2), - Shall be informed by the TPP of the selected Product Provider participants and the schedule of the Test Platform qualification, - Is authorized by EMVCo to access the Test Platform Under Test (TPUT) and to request TPUT documentation in order to perform the “Recognition” qualification Steps 2A and 2B described in this document (see sections 2.3.2.1 and 2.3.2.2), - Discusses and review test report discrepancies where the outcome of a test case does not match what was expected during the Step 2C (see section 2.3.2.3), - Analyzes results of qualification steps 2A, 2B and 2C and provide recommendation to 3DS TG for review and conclusion on the qualification of the TPUT in an evaluation report. - Supervises the Initial Recognition Audit of the Test Platform Provider (Step 3) Note: TPAM remains the main interface of a Test Platform Provider in case of other qualification processes as described in section 3.1. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 12 / 41 2.2 Step 1- Registration and Legal Agreements Each new Test Platform Provider that wants to be recognised by EMVCo for 3-D Secure Functional Evaluations shall register with EMVCo and sign agreements. This process is described in Table 2.1. Note: Before applying to Test Platform Provider recognition according to the process described in Table 2.1, a candidate Test Platform Provider may obtain the 3DS Test Plan [TC 3DS] as well as the 3-D Secure Approval Bulletin n°4 [AB 3DS 04] related to Test Platform Provider Fees upon signature of an NDA with EMVCo. Table 2.1: Registration and Contracts Procedure Entity Process Test Platform Provider Sends email request to the EMVCo Secretariat at EMVCo Secretariat to begin the recognition process; the request shall include the following: • Executive and financial summary • Technical expertise summary, including experience with EMV 3DS Specifications • Test Platform Provider background • 3DS Request for Registration Form [TPP RRF] Note: If the entity is already known by EMVCo as an recognised Laboratory or a qualified Test Tool Provider for any EMVCo Approval, the executive and financial summary as well as the Test Platform Provider background may not be required. The documents provided shall permit a verification of the compliance to the requirements described in [TP REQ] sections: • 3.1.1 Partnership • 3.1.2 Financial • 3.1.3 Legal Entity • 3.1.5 Independence • 3.7.2 Personnel Management © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 13 / 41 Entity Process EMVCo 3DS Secretariat Test Platform Provider EMVCo 3DS Secretariat Test Platform Provider Evaluates whether Test Platform Provider qualifies to be accepted for consideration as a potential EMVCo Recognised Test Platform Provider • Informs Test Platform Provider if it may proceed with recognition • Provides Test Platform Provider with: o The EMVCo 3DS Test Platform Provider Agreement for signature o The EMVCo Test Document License Agreement for signature • Signs the Test Platform Provider License Agreement (using docusign) • Signs the EMVCo Test Document License Agreement (using docusign) • Signs the Test Platform Provider Agreement (using docusign) • Signs the Test Document License Agreement (using docusign) • Provides Test Platform Provider with a Registration Letter including a Registration Number, to be used on all communications and reports sent to EMVCo • Provides credentials to access Thrive containing documents and communication restricted to Test Platform Providers • Provides credentials to access the 3DS Knowledge Database (that list and describe Pass* and Knowledge Items) • Requests an “Recognition” qualification of the Test Platform (see section 2.3) • Starts the initial recognition audit of the Test Platform Provider (see section 2.4) © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 14 / 41 2.3 Step 2- Test Platform “Recognition” Qualification The Test Platform “Recognition” Qualification process includes 3 verification steps that are performed on the Test Platform: • Step 2A - Test Platform Functionalities and User Interface Verification (through live access to the Test Platform) – see section 2.3.2.1. • Step 2B – Platform Design and Implementation Verification (Document based) – see section 2.3.2.2. • Step 2C - Verification of the Test Plan implementation(s) using 3DS Components having a valid LoA – see section 2.3.2.3. The Test Platform Recognition Manager (TPAM) is responsible for the organization and management of the three qualification Steps 2A, 2B and 2C. The Test Platform Provider will interface with the TPAM for the qualification of its Test Platform. The Test Platform submitted for qualification is called Test Platform Under Test (TPUT). 2.3.1 Test Platform Qualification Declaration Before starting the Test Platform “Recognition” Qualification of the TPUT (or any Test Platform Qualification described in section 3.1), the test Platform Provider (TPP) shall fill and submit a Test Platform Qualification Declaration (TPQD) to EMVCo 3DS secretariat and TPAM. This form is available on Thrive. This form will indicate: • For which Protocol Version(s) / Test Plan version(s) TPP want its Test Platform to be recognised for. Note: For each Protocol Version listed, the latest Test Plan version available when the TPQD is submitted shall at minimum be documented in the TPQD and used during the qualification. • For which 3DS Component TPP requests its Test Platform to be recognised for. • The 3DS Components selected for the Qualification step 2C. At reception of the TPQD, the TPAM verifies that it is consistent. A qualification session starts at the acceptance of the TPQD by the TPAM and the scope of the qualification session is defined by the content of the TPQD. Note: The TPP may decide to have separate qualification of its Test Platform for each active Protocol Version. In this case the qualification shall start from the lowest Protocol Version(s) to the highest Protocol Version(s). Note: The TPP may decide to have separate qualification of its Test Platform for each component the TPP intends to support. Note: Invoicing for qualification fee as described in Appendix B – Test Platform Provider Fees, occurs at the start of the Test Platform Qualification or Specification Bulletin Qualification session. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 15 / 41 2.3.2 “Recognition” Qualification Process The following sections describe the process to perform the three steps of the Test Platform “Recognition” Qualification: 2.3.2.1 “Recognition” Qualification Step 2A - Platform Functionalities and User Interface Verification The Test Platform Provider shall give remote access to its TPUT to the TPAM so that the TPAM can verify the conformance to functional requirements detailed in the section 3.2.5 to 3.2.11 of the Test Platform Requirements [TP REQ]: • Test Session and User interface, • PKI Management, • Test Plan Selection, • Multi-Protocol Version Support, • ICS import/export, • Report generation, • Documentation. A demonstration may be required to facilitate the verification. The conclusion of this review is provided to both TPP and EMVCo by the TPAM. 2.3.2.2 “Recognition” Qualification Step 2B – Platform Design and Implementation Verification The Test Platform Provider shall respond to a self-assessment questionnaire and upon request deliver the appropriate specification and implementation documentations including any validation and test result reports of its TPUT to the TPAM so that TPAM can verify the conformance to requirements 3.2.1, 3.2.3, 3.2.4, 3.4.1, 3.4.2, 3.5.1 and 3.5.2 of the Test Platform Requirements [TP REQ]: • Architecture, • Harness and SUT Requirements, • Reference/Requestor Application, • Application & Platform Management, • Application & Platform Resilience, • Performance, • Service Availability. The conclusion of this review is provided to both TPP and EMVCo by the TPAM. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 16 / 41 2.3.2.3 “Recognition” Qualification Step 2C - Verification of the Test Plan(s) implementation In this step, EMVCo ensures that the 3DS Test Plan(s) released by EMVCo and supported by the TPUT are implemented correctly on the TPUT to ensure a good verification of 3DS product component submitted for 3DS approval. The Test Platform Provider shall perform required test sessions on 3DS products (components) having a valid Letter of Approval from EMVCo and shall submit the reports generated by the platform to the TPAM for review. If several Protocol Versions are listed in the TPQD, the verification of the Test Plan Implementation will be performed for each Protocol Version. The different steps of this verification are described in Table 2.2. Table 2.2: Verification of the Test Plan(s) implementation Entity Process Test Platform Provider • Identifies and selects Product Providers for each 3DS component it wants its TPUT to be qualified for. The detailed rules to select Product Providers for a qualification are described in the latest version of [APP COM 03] and [APP COM 04] • Informs the TPAM of the schedule planned for the 3DS component testing and provides a read access (or equivalent) to the testing environment to control the test results. Product Provider Note: Note: Note: If the candidate Product Provider’s does not meet EMVCo requirements, EMVCo may reject it at its own discretion If the qualification highlights a Test Plan issue or a Product issue that was not identified during the approval process of the product, the issue will be managed as part of EMVCo’s business as usual defect/issue management process as described in [TP REQ] and its impact will be evaluated. The selected 3DS components will be used to test each Protocol Version listed in the TPQD. Connects to the Test Platform for the selected 3DS Component to be tested and performs a full 3DS test session for the selected product component(s). Note: Note: Note: Assistance of the Test Platform Provider to the Product Provider is required during this step. The process may require several iterations of test session. TPAM may participate during this step by monitoring the test session. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 17 / 41 Entity Test Platform Provider Process Checks the test report obtained for the 3DS Component tested on the TPUT. The objective is to obtain: • No Fail results • N/A results (in case of options not supported by the product) • Pass or Pass* results (**) the Pass and Pass* results may be different between the product’s LOA test report and the TPUT test report on the same 3DS component because the Test Plan may have been updated in between the two testing sessions (to fix some Pass* for instance) Once the test report is available and compliant with the above objectives, sends it to the TPAM for review and approval. Note: During this phase, the TPP may interface with TPAM in case of questions on the output of a Test Case. Note: Test reports can be submitted to the TPAM a maximum of 3 times over a maximum period of 3 months in a qualification session (regardless of the number of components supported in TPQD). Test reports submitted in batch for several components are considered as a single submission. Test Platform Recognition Manager • Following the execution of the testing, checks the test reports generated by the TPUT for the 3DS Component. • Submit the evaluation report to the 3DS TG for final acceptance The above steps shall be repeated for each 3DS component and each Protocol Version supported © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 18 / 41 2.3.3 EMVCo Review and Delivery of Letter of Qualification Once the 3 steps 2A, 2B and 2C of the Test Platform “Recognition” qualification have been completed for the TPUT, the TPAM combines the outputs of these steps and evaluates the results in an evaluation report. The TPAM analysis and recommendation is provided to 3DS TG that reviews them and concludes on the qualification of the TPUT: • If all the results are compliant with the requirements, 3DS TG informs the Test Platform Provider of the qualification of its Test Platform. A Letter of Qualification indicating supported Test Plan is created for the tested component(s). Delivery of the LoQ and publication on the web site is performed by 3DS TG if the scope of the Test Platform “Recognition” qualification was to increase the recognition scope of the TPP. In case the qualification was performed for the first time, delivery of the LoQ and publication on the web site will be on hold by 3DS TG until the Test Platform Provider has successfully concluded its initial recognition audit (see section 2.4). • 3DS TG may accept non-compliant results if a resolution plan is provided by the Test Platform Provider and it is considered acceptable by EMVCo. In this case, EMVCo may create a provisional Letter of Qualification. Criteria to deliver a provisional Letter of Qualification and its validity are at the discretion of EMVCo but is generally matching the time plan agreed in the resolution plan. A final Letter of Qualification is delivered when all non-compliance results have been fixed. Delivery of the provisional LoQ and publication on the web site is hold by 3DS TG until the Test Platform Provider has successfully concluded its initial recognition audit (see section 2.4). • If one or more report is not acceptable, 3DS TG informs the Test Platform Provider of the qualification conclusion. In this case, the Test Platform Provider shall fix the issues and run qualification again. Note: the qualification fee may apply again according to the limits defined in Table 2.2 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r 2.4 Step 3 - Initial Recognition Audit Page 19 / 41 2.4.1 Initial Recognition Audit Description Test Platform Provider will follow an Audit process as described in Table 2.3. The recognition audit can only take place once the Test Platform has obtained at minimum a provisional LoQ. Note: Payment of fees for audit tasks undertaken by EMVCo Qualified Auditors is the responsibility of the Platform Provider requesting EMVCo’s recognition. EMVCo is not responsible for auditor fees. Entity Test Platform Provider (TPP) EMVCo Qualified Auditor Test Platform Provider EMVCo Qualified Auditor Table 2.3: Initial Recognition Audit process Process • Selects an auditor from the list of EMVCo Qualified Auditors available on EMVCo website and makes financial and legal arrangements with the auditor for the TPP to be audited • Informs EMVCo of Qualified Auditor selected • Provides to the Qualified Auditor the information and documents required to meet the audit requirements. • Demonstrates how the Test Platform is operated (as described in section 2.4.2.3). • Performs audit in accordance with 3DS requirements described in section 2.4.2 and with [ISO17025] requirements needed for 3DS purpose: • Ensures TPP meets all requirements detailed in [TP REQ] Note: Some requirements may already have been checked during Registration and Contract step or during the Test Platform Qualification and the auditor may not check them again. • Provides audit findings to the TPP • If a corrective action plan (as described in section 2.4.2.4) is NOT necessary: Provides audit report to EMVCo If a corrective action plan (as described in section 2.4.2.4) is necessary: • Defines the action plan with deliverables and due dates to meet all EMV requirements • Provide action plan to EMVCo Qualified Auditor If a corrective action plan is necessary: • Reviews and validates the action plan defined by the TPP • May ask the TPP to update its plan if necessary, • Provides a copy of the validated TPP action plan in its audit report to EMVCo © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 20 / 41 Entity EMVCo 3DS TG Test Platform Provider EMVCo Qualified Auditor Process Reviews audit report (and action plan, if any) and determines whether the TPP may be recognised or whether follow-up action is required Note: EMVCo reserves the right to deny recognition at its own discretion and without detailed explanation. • If audit report is acceptable to EMVCo AND the Test Platform has been qualified (LoQ or provisional LoQ granted): o Sends the Test Platform Provider an initial Letter of Recognition with a validity of typically nine months o Adds the TPP to the list of recognised Test Platform Provider on the EMVCo website o Sends the Test Platform LoQ(s) or provisional LoQ(s) to the TPP • If audit report is acceptable AND the Test Platform has been qualified (LoQ or provisional LoQ granted) but action items of the TPP are required (e.g. a corrective action plan is pending), EMVCo 3DS TG may grant recognition on a provisional basis, as follows: o Sends the TPP a provisional Letter of Recognition with conditions (with a validity of nine months maximum). The letter will include the list of action items and a date by which they shall be completed. o Adds the TPP to the list of recognised TPP on the EMVCo website o Sends the Test Platform LoQ(s) or provisional LoQ(s) to the TPP Note: EMVCo reserves the right to extend the duration of the provisional Letter of Recognition at its own discretion. • Before the expiration of the initial or provisional Letter of Recognition, the TPP shall organize an Interim Proficiency Audit (as described in section 3.2.2). • Performs Interim Proficiency Audit on: o the TPP’s operational review and validation activities during the period of the initial or provisional Letter of Recognition, o the results of the action plan if it had been requested during the initial recognition audit. Note: Additional check points will be organized remotely by the EMVCo Qualified Auditor before the Interim Proficiency audit to follow up the implementation of the action plan (see details in section 2.4.2.4) • Provides audit report to EMVCo. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 21 / 41 Entity EMVCo 3DS TG Process If no issues have been detected during the review by EMVCo of the report from the TPP or from the EMVCo Qualified Auditor and if no corrective actions have been identified during the Interim Proficiency Audit, then the Test Platform Provider’s recognition is extended to three years from the initial recognition date. If issues and/or corrective action items have been identified, depending on the severity and number of deviations, a new interim proficiency audit may be required and the extension of the TPP recognition may be reduced by one to two years at EMVCo discretion. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 22 / 41 Figure 2.1: Process Flow 1 - Initial Recognition Audit Process TPP selects EMVCo Qualified Auditor TPP provides requested written evidences Auditor: Performs audit as per this document and ISO 17025 Provides audit findings to TPP Corrective action plan Y needed? N TPP defines action plan Auditor reviews and validates action plan TPP sends audit report to EMVCo Audit report is acceptable to EMVCo and Test Platform has been qualified? Yes No with action items End EMVCo: Sends TPP Initial Letter of Recognition Sends Test Platform LoQ Adds TPP to list of recognised TPPs EMVCo: Sends TPP Provisional Letter of Recognition Sends Test Platform LoQ Adds TPP to list of recognised TPPs TPP must complete Interim Proficiency Audit on the TPP s operational activities (within 9 months) TPP must complete Interim Proficiency Audit on the TPP s operational activities and complete pending action items (within 9 months) If no major issues detected during the report review, and no corrective actions identified during the Interim Proficiency audit, EMVCo extends TPP recognition to 3 years © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 23 / 41 2.4.2 Audit Requirements In order to prove conformance to the Test Platform Requirements described in [TP REQ], the Test Platform Provider shall do the following: • Provide written evidence to the EMVCo Qualified Auditor before or during the audit • Complete a physical site visit • Demonstrate that the Test Platform and test Platform personnel are operational in accordance to the Test Platform requirements • Demonstrate use of EMVCo 3DS Knowledge Database and EMVCo 3DS Ticketing Process • Complete a corrective action plan, if applicable This section describes information that the Test Platform Provider is required to supply to the EMVCo Qualified Auditor, and the level of detail required in the audit reports. The EMVCo Qualified Auditor, in reviewing the documentation, may request additional information from the Test Platform Provider prior to or during the site visit and/or the demonstration of testing capabilities. In preparation for the audit, the Test Platform Provider shall provide written consent for disclosure of this information to EMVCo and to the EMVCo Qualified Auditor during the site visit. The audit report that EMVCo receives from the EMVCo Qualified Auditor shall have the level of detail specified in this section. 2.4.2.1 Written Evidence 2.4.2.1.1 Business Conformance The Test Platform Provider provides the EMVCo Qualified Auditor with evidence of conformance to the Test Platform Provider business requirements. This evidence may be in the form of a written report describing: • Services of the organization • Structure of the organization, demonstrating the isolation between the Test Platform Provider and other areas of the organization (e.g. design area) • Percentage of revenue received from each of the Test Platform Provider’s top ten Product Provider customers relative to the total revenue of the Test Platform Provider • Organization legal information • Certificate of ownership and/or tax identification number In addition, the Test Platform Provider must provide the EMVCo approval secretariat with the following: • Audited financial statements for the organization • Official Annual Report as required by national or international law and/or regulation © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 24 / 41 Note: Note: A financial Statement is not required when the Test Platform Provider site is already recognised by EMVCo for another activity not listed in the present document. The Auditor may not request some business conformance evidences if they have already been checked during the registration step. 2.4.2.1.2 Security Conformance The Test Platform Provider provides to the EMVCo Qualified Auditor evidence of physical and logical security conformance for the Test Platform Location. This evidence must be in the form of an audit result report compliant with an information security standards such as ISO 27001, SSAE 16 or SSAE 18. This report shall cover the detailed aspects described in [TP REQ]. Additionally, the Test Platform Provider provides the vulnerability scan checks, penetration tests and secure code scan as requested in [TP REQ]. 2.4.2.1.3 Operational, Performance and Maintenance Conformance The Test Platform Provider provides to the EMVCo Qualified Auditor evidence of the processes and procedure in place to conform to the operational, performance and maintenance requirement described in [TP REQ]. This evidence must include: • Service availability control procedures • Incident management and ticketing procedures • Change management procedures • Disaster Recovery procedures • Backup procedures 2.4.2.1.4 Administrative Conformance The Test Platform Provider provides to the EMVCo Qualified Auditor evidence of administrative conformance. This evidence may be in the form of a written report describing: • Formal recognitions • The Test Platform Provider’s quality assurance system. The quality assurance system must comply with the requirements of the EMV approval process and must be comparable to ISO 17025. As such, the description shall contain, for instance: o An Overview of the Test Platform Provider personnel and the qualifications of Test Platform Provider personnel involved in the performing of any testing or administrative duties related with approval testing using the Test Platform. These duties include test result validation, test report generation, review as well as maintaining records for each approval session to provide during auditing, if requested o Overview of the Test Platform Provider techniques o Overview of Test Platform Provider asset management system for documentation o Overview of Test Platform software configuration management or version control © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 25 / 41 2.4.2.1.5 Communication Conformance The Test Platform Provider provides to the EMVCo Qualified Auditor evidence of communication conformance (To and from EMVCo) as defined in [TP REQ]. This evidence shall be included within Test Platform Provider’s procedures and documentation. 2.4.2.2 Site Visit EMVCo requires the auditor to conduct a visit at the Location for which the Test Platform Provider is seeking an recognition. The objectives of the site visit are to: • Verify that Test Platform Provider documentation and actual Test Platform Provider implementation are consistent • Observe the physical environment of the organization and the physical security measures taken • Verify the application of the service availability control procedures • Verify the application of the incident management procedures • Verify the application of the change management procedures including the software configuration management or version control • Verify the physical and logical security compliance • Verify the technical expertise of the Test Platform Provider’s personnel • Verify the Test Platform Provider’s business requirements including Independency, Impartiality, Confidentiality • Verify the Test Platform Provider’s Resource requirements (Personnel, Facilities, systems and support services necessary to manage and perform the Test Platform Provider activities) • Verify the Test Platform Provider’s quality assurance procedures. If available, the EMVCo Qualified Auditor may ask a copy of the audit report corresponding to the [ISO17025] certificate to the Test Platform Provider. 2.4.2.3 Demonstration of Test Platform in Operation EMVCo may require a demonstration of the Test Platform Provider’s actual verification capabilities. This may be done through witnessing the Test Platform Provider’s verification of a product or through pilot testing. Pilot testing is defined as the Test Platform Provider’s performing verification of test result on a previously approved EMVCo product or on a simulation product and providing a test report to the EMVCo Qualified Auditor to review. The choice of subject for this pilot validation is at the discretion of EMVCo and EMVCo reserves the right to witness a part of this validation. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 26 / 41 2.4.2.4 Corrective Action Plan An audit report may indicate that the Test Platform Provider does not meet all necessary requirements but has demonstrated sufficient capabilities that with specific corrective actions, it would do so. If so: • The Test Platform Provider will define an action plan with deliverables and estimated due dates for each deviation to meet all EMV requirements. Action plan shall include a brief analysis of the issue (root cause). When appropriate, preventive action may be described in addition to the corrective action. Test Platform Provider may use the template provided in Appendix C to report their action plan. • The EMVCo Qualified Auditor will review and validate the action plan, then provide a copy of the validated action plan in its audit report to EMVCo. • EMVCo, when reviewing the audit report, will review the action plan and, if the plan is acceptable, may grant recognition on a provisional basis and set a date when an Interim Proficiency Audit will be required, see 3.2.2. • After the delivery of the provisional recognition, the EMVCo Qualified Auditor will follow up the implementation of the action plan according to the following rules: o Three checks will be made over one year. The first review will take place three months after the audit report, the second review after six months and the third review after one year. o At each checkpoint, the EMVCo Qualified Auditor will ask the Test Platform Provider to provide a status on the open corrective actions and the evidence of the implementation of the closed corrective actions. Evidences can consist in screenshot, document's extract or even full document. In such case, Test Platform Provider shall precisely indicate where is the update. Ideally, all evidences for a given deviation should be gathered in a unique location (sheet of xls file, folder) named with the deviation's reference. o The EMVCo Qualified Auditor will review the evidences and will provide feedback to the Test Platform Provider. o Corrective actions that have not been fully implemented after one year will be reported to EMVCo for decision on the next step. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 27 / 41 3 Maintain Test Platform Provider Recognition A Test Platform Provider shall maintain current functional qualification for its Test Platform. Therefore, several types of 3DS Test Platform qualification may be required in addition to the Test Platform “Recognition” qualification. The Test Platform Recognition Manager is the main interface of the Test Platform Providers during the qualification processes described in this section. 3.1 Additional Types of Qualification Processes Each type of Test Platform qualification process described in this section requires the submission of a Test Platform Qualification Declaration (see section 2.3.1). 3.1.1 Protocol or Component Qualification As indicated in the 3DS Test Platform Requirements, the Test Platform Provider may choose the 3DS Components as well as the version of Active Protocols its Test Platform will support. Consequently, a Test Platform Provider may perform an “Recognition” Qualification for one 3DS component only or for one version of Active Protocol only, and request a Protocol Version or Component qualification for additional 3DS component or additional Protocol Version at a later stage In this case the same process as described in section 2.3 applies. However, EMVCo may decide that some items listed in section 2.3.2.1 or 2.3.2.2 do not have to be performed again if they are not linked to a specific 3DS component or Protocol Version. TPAM will communicate the details of qualification with the Test Platform Provider. Note: Protocol Version or Component Qualification is subject to fees (See Appendix B – Test Platform Provider Fees). 3.1.2 Test Plan Implementation Qualification requested by EMVCo EMVCo is updating released Test Plan on a regular basis. This can be due to a specification bulletin of 3DS protocol being released or to enhancement of the existing test plan. Type Approval Bulletins and/or new test plan releases detail any necessary updates to the EMVCo test cases. The Test Platform Provider shall update its Test Platform to support the updates to the test plan on the required date agreed with EMVCo. Depending on the number and complexity of the changes introduced by EMVCo, the requested Test Platform qualification may vary from a self-qualification by the Test Platform Provider and the delivery of the self-qualification evidence, to a formal verification of the Test Plan(s) implementation as described in section 2.3.2.3. EMVCo will inform the Test Platform Provider of the qualification requirements. If a Test Platform Provider cannot meet the timeframe defined by EMVCo, the Test Platform still maintains its qualification for the previous version of the test cases. However, when the the previous version of the test cases is deactivated at the end of the overlapping period, EMVCo Recognised Laboratories will not be able to use the Test Platform that does not contain the latest updates, for EMVCo approval testing. Note: Test Plan Implementation Qualification may be subject to fees (See Appendix B – Test Platform Provider Fees). © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 28 / 41 3.1.3 Qualification requested by EMVCo – Test Platform or Script Update If the Test Platform Providers implements changes on the Test Platform or on the script for maintenance reason (without Test Plan update), it has to inform EMVCo of the reason of the changes with sufficient notice (See [TP REQ]). EMVCo will assess on a case by case basis the Test Platform qualification requirements. Note: Test Platform or script update Qualification may be subject to fees (See Appendix B – Test Platform Provider Fees). Note: When EMVCo grants a new Letter of Qualification to the Test Platform, this latest LoQ shall replace and revoke any previous LoQ(s) granted for the Protocol Version. The latest LoQ(s) for the Protocol Version shall be used in Test Platform and laboratoryrelated materials. 3.2 Additional Types of Recognition Audit Additional types of audits may be required during a Platform Provider’s agreement with EMVCo • Recognition Renewal Audit • Interim Proficiency Audit 3.2.1 Recognition Renewal Audit A Test Platform Provider shall be audited as specified in the recognition letter to renew its EMV recognition. The requirements for the Recognition Renewal Audit are determined by EMVCo at the time of renewal. The audit may include all items identified in section 2.4.2 or EMVCo may select specific items for the auditor to cover. The audit shall be completed before the expiration date of the Test Platform Provider’s recognition. If a Test Platform Provider wishes to renew its recognition with EMVCo, the Test Platform Provider should contact EMVCo at least four months prior to the expiration date of the Test Platform Provider’s recognition. It is the responsibility of the Test Platform Provider to renew its recognition before it expires. If a Test Platform Provider does not renew its recognition, EMVCo may revoke its recognition. See section 4.2 and 4.3. If the recognition renewal has not been granted by EMVCo before the expiration date, The Approval Secretariat will stop reviewing any Test Report from the concerned Test Platform Provider. Table 3.1 outlines the steps in the recognition renewal process. Table 3.1: Recognition Renewal Audit process Entity Process Test Platform Provider (TPP) Sends email request to EMVCo Secretariat to begin the recognition renewal process Note: If a TPP wishes to renew its recognition with EMVCo, the TPP should contact EMVCo at least four months prior to the expiration date of the TPP’s recognition. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Provider Recognition and Test Platform Qualification Process v1.2.r Page 29 / 41 Entity EMVCo 3DS TG Test Platform Provider EMVCo Qualified Auditor Test Platform Provider EMVCo Qualified Auditor Process • Informs the TPP if it may proceed with the recognition renewal Note: EMVCo reserves the right, at its own discretion and without providing a detailed explanation, to deny a TPP the right to proceed through the recognition renewal process. • Identifies the audit requirements, which may be a subset of [TP REQ] section 3, and informs the TPP • Selects an auditor from the list of EMVCo Qualified Auditors and makes financial and legal arrangements with the auditor for the TPP to be audited • Provides to the EMVCo Qualified Auditor the information required to meet the audit requirements identified by EMVCo • Demonstrates how the Test Platform is operated (as described in section 2.4.2.3) if requested by EMVCo • Performs audit in accordance with 3DS requirements (or subset of 3DS requirements) described in section 2.4.2 and with [ISO17025], [ISO27001] or [SSAE18] requirements needed for 3DS purpose: • Ensures TPP meets all requirements identified by EMVCo in [TP REQ] • Provides audit findings to the TPP • If a corrective action plan (as described in section 2.4.2.4) is NOT necessary: Provides audit report to EMVCo If a corrective action plan (as described in section 2.4.2.4) is necessary: • Defines the action plan with deliverables and due dates to meet all EMV requirements • Provides action plan to EMVCo Qualified Auditor If a corrective action plan is necessary: • Reviews and validates the action plan defined by the TPP • Provides a copy of the validated TPP action plan in its audit report to EMVCo © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable