PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Tracked metadata: Sourced from EMVCo's public document index. PCI Watch records each document's details and its extracted text so changes can be tracked over time; the document PDF itself is hosted by EMVCo.
View on EMVCo.com →

EMV® 3-D Secure Approval - Laboratory Recognition Requirements

v1.3.r Service Provider Recognition/Qualification
3-D Secure
Extracted document text

EMVCo's index flattens the document's layout, so this text is best used for searching and comparing versions rather than reading end-to-end.

This document is large; EMVCo's index truncates its extracted text, so the excerpt below is partial.

EMV® 3-D Secure Approval Laboratory Recognition Requirements Version 1.3.r September 2025 EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Legal Notice Page i / vii This document summarizes EMVCo’s present plans for evaluation services and related policies and is subject to change by EMVCo at any time. This document does not create any binding obligations upon EMVCo or any third party regarding the subject matter of this document, which obligations will exist, if at all, only to the extent set forth in separate written agreements executed by EMVCo or such third parties. In the absence of such a written agreement, no product provider, test laboratory or any other third party should rely on this document, and EMVCo shall not be liable for any such reliance. No product provider, test laboratory or other third party may refer to a product, service or facility as EMVCo approved, in form or in substance, nor otherwise state or imply that EMVCo (or any agent of EMVCo) has in whole or part approved a product provider, test laboratory or other third party or its products, services, or facilities, except to the extent and subject to the terms, conditions and restrictions expressly set forth in a written agreement with EMVCo, or in an approval letter, compliance certificate or similar document issued by EMVCo. All other references to EMVCo approval are strictly prohibited by EMVCo. Under no circumstances should EMVCo approvals, when granted, be construed to imply any endorsement or warranty regarding the security, functionality, quality, or performance of any particular product or service, and no party shall state or imply anything to the contrary. EMVCo specifically disclaims any and all representations and warranties with respect to products that have received evaluations or approvals, and to the evaluation process generally, including, without limitation, any implied warranties of merchantability, fitness for purpose or noninfringement. All warranties, rights and remedies relating to products and services that have undergone evaluation by EMVCo are provided solely by the parties selling or otherwise providing such products or services, and not by EMVCo, and EMVCo will have no liability whatsoever in connection with such products and services. This document is provided "AS IS" without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in this document. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT, AS TO THIS DOCUMENT. EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to this document. EMVCo undertakes no responsibility to determine whether any implementation of this document may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of this document should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, this document may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement this document is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party's infringement of any intellectual property rights in connection with this document. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page ii / vii Revision Log – Version 1.3.r The following changes have been made to the document since the publication of Version 1.3. Some of the numbering and cross references in this version have been updated to reflect changes introduced by the published bulletins. The numbering of existing requirements did not change, unless explicitly stated otherwise. Incorporated changes described in the following Specification and Administrative Updates: • None identified. Other editorial changes: • Editorial updates. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page iii / vii Contents 1 INTRODUCTION................................................................................................................... 1 1.1 Purpose..................................................................................................................... 1 1.2 Audience ................................................................................................................... 1 1.3 Laboratory Structure.................................................................................................. 2 1.3.1 Laboratory with a Single Physical Location.................................................... 2 1.3.2 Laboratory with Multiple Physical Locations .................................................. 2 1.4 Normative References ............................................................................................... 3 1.5 Definitions ................................................................................................................. 5 1.6 Notational Conventions ........................................................................................... 11 1.6.1 Abbreviations............................................................................................... 11 1.6.2 Terminology and Conventions ..................................................................... 11 2 TYPES OF RECOGNITION AUDITS....................................................................................... 12 2.1 Initial Recognition Audit ........................................................................................... 12 2.2 Recognition Renewal Audit...................................................................................... 12 2.3 Interim Proficiency Audit .......................................................................................... 13 3 RECOGNITION PROCESSES ............................................................................................... 14 3.1 Initial Recognition Process ...................................................................................... 14 3.2 Recognition Renewal Process ................................................................................. 21 3.3 Interim Proficiency Audit Process ............................................................................ 25 3.4 Recognition Process when Adding 3DS SDK Approval Capability ........................... 29 3.5 Recognition Process When Adding a Secondary Test Laboratory Location............. 31 3.6 Recognition Process When Adding a New Test Platform Provider .......................... 33 4 MODIFICATION OR TERMINATION OF RECOGNITION............................................................. 35 4.1 Termination of Recognition...................................................................................... 35 4.2 Suspension of Recognition ...................................................................................... 35 4.3 Revocation of Recognition....................................................................................... 36 5 ROLES AND RESPONSIBILITIES .......................................................................................... 37 5.1 EMVCo.................................................................................................................... 37 5.2 Test Platform Provider ............................................................................................. 37 5.3 EMVCo Recognised Laboratory .............................................................................. 38 6 LABORATORY REQUIREMENTS .......................................................................................... 39 6.1 Business Requirements........................................................................................... 39 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page iv / vii 6.1.1 Partnership .................................................................................................. 39 6.1.2 Financial...................................................................................................... 39 6.1.3 Legal Entity ................................................................................................. 39 6.1.4 Public Communications ............................................................................... 40 6.1.5 Independence.............................................................................................. 40 6.1.6 Consistent Business Practices .................................................................... 41 6.1.7 Impartiality ................................................................................................... 41 6.1.8 Confidentiality.............................................................................................. 41 6.1.9 Business Coverage ..................................................................................... 42 6.1.10 Not Transferrable ........................................................................................ 42 6.2 Security Requirements ............................................................................................ 43 6.2.1 Physical Security ......................................................................................... 43 6.2.1.1 Physical Layout ............................................................................. 43 6.2.1.2 Storage ......................................................................................... 43 6.2.2 Logical Security ........................................................................................... 43 6.2.2.1 Confidential Materials and Information .......................................... 43 6.2.2.2 Test Reports.................................................................................. 44 6.2.2.3 Test Equipment Access................................................................. 44 6.2.2.4 Test Equipment/Test Platform Software Maintenance ................... 44 6.2.2.5 Networks ....................................................................................... 44 6.3 Administrative Requirements ................................................................................... 45 6.3.1 Quality Assurance ....................................................................................... 45 6.3.2 Personnel Management .............................................................................. 46 6.3.2.1 Personnel Information ................................................................... 46 6.3.2.2 Personnel Technical Expertise ...................................................... 46 6.3.3 Experience .................................................................................................. 47 6.3.4 EMV Test Case/Test Plan Update and Activation Dates.............................. 47 6.3.5 Test Data Retention Period ......................................................................... 47 6.3.6 Documentation Management....................................................................... 48 6.3.7 Language .................................................................................................... 48 6.3.8 Laboratory Fees .......................................................................................... 48 6.3.9 Local Sales/Project Interface ....................................................................... 48 6.3.10 Relationship with Test Platform Providers ................................................... 49 6.3.10.1 Single Interface ........................................................................... 50 6.3.10.2 Removal of TPP .......................................................................... 50 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page v / vii 6.3.11 Complaint resolutions .................................................................................. 50 6.3.12 Laboratory relocation................................................................................... 50 6.3.13 Remote testing ............................................................................................ 50 6.4 Process Requirements ............................................................................................ 52 6.4.1 Lab Tools .................................................................................................... 52 6.4.2 Communication to EMVCo .......................................................................... 52 6.4.3 Communication from EMVCo ...................................................................... 52 6.4.3.1 EMVCo 3DS Approval Communications ([APP COMS])................ 52 6.4.3.2 EMVCo 3DS Lab Document Repository ........................................ 53 6.4.3.3 Knowledge Base: .......................................................................... 53 6.4.4 ICS review................................................................................................... 54 6.4.5 Pre-Compliance support .............................................................................. 54 6.4.6 Compliance Validation ................................................................................. 54 6.4.7 Management of Issues during Pre-Compliance or Compliance Testing ....... 56 6.4.7.1 Issue Management Process with EMVCo...................................... 56 6.4.7.2 New Issue Reporting ..................................................................... 57 6.4.7.3 Issue Reporting Template ............................................................. 57 6.4.8 Test report ................................................................................................... 58 6.4.8.1 Test Case Retry ............................................................................ 59 6.4.8.2 Reporting Pass* ............................................................................ 59 6.4.9 Laboratory Monthly Pipeline Report............................................................. 60 6.5 Audit Requirements ................................................................................................. 61 6.5.1 Written Evidence ......................................................................................... 61 6.5.1.1 Business Conformance ................................................................. 61 6.5.1.2 Rules related to financial statement proof:..................................... 62 6.5.1.3 Security Conformance ................................................................... 62 6.5.1.4 Administrative Conformance ......................................................... 62 6.5.1.5 Process Conformance ................................................................... 63 6.5.2 Site Visit ...................................................................................................... 63 6.5.3 Paper Review for the Secondary Location................................................... 63 6.5.4 Demonstration of Verification Capabilities ................................................... 64 6.5.5 Corrective Action Plan ................................................................................. 64 7 NON-CONFORMANCE ........................................................................................................ 66 7.1 Non-Conformance Investigation .............................................................................. 66 7.2 Revalidation at an Recognised Laboratory .............................................................. 66 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page vi / vii 7.3 Corrective Action for Non-conformance ................................................................... 66 APPENDIX A RELATIONSHIP BETWEEN LABORATORY AND TEST PLATFORM PROVIDER(S) ........ 68 APPENDIX B FORMAT OF THE LABORATORY CORRECTIVE ACTION PLAN................................... 69 APPENDIX C MONTHLY PIPELINE REPORT TEMPLATE............................................................... 70 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page vii / vii Tables Table 1.1: 3-D Secure Specifications ................................................................................... 3 Table 1.2: 3-D Secure Approval Documents ........................................................................ 3 Table 1.3: 3-D Secure Approval Forms ................................................................................ 5 Table 1.4: External References ............................................................................................ 5 Table 1.5: Definitions ........................................................................................................... 5 Table 1.6: Abbreviations ..................................................................................................... 11 Table 3.1: Initial Recognition Audit process........................................................................ 14 Table 3.2: Recognition Renewal Audit process .................................................................. 21 Table 3.3: Interim Proficiency Audit Process ...................................................................... 25 Table 3.4: Addition of SDK Approval Capability process .................................................... 29 Table 3.5: Addition of a secondary location process .......................................................... 31 Table 3.6: Addition of a new Test Platform Provider process ............................................. 33 Table 6.1: EMVCo Issue Reporting Template .................................................................... 57 Figures Figure 3.1: Process Flow 1—Initial Recognition Audit Process (1 of 2) .............................. 19 Figure 3.2: Process Flow 2—Initial Recognition Audit Process (2 of 2) .............................. 20 Figure 3.3: Process Flow 3—Recognition Renewal Audit Process (1 of 2) ......................... 23 Figure 3.4: Process Flow 4—Recognition Renewal Audit Process (2 of 2) ......................... 24 Figure 3.5: Process Flow 5—Interim Proficiency Audit Process (1 of 2) ............................. 27 Figure 3.6: Process Flow 6—Interim Proficiency Audit Process (2 of 2) ............................. 28 Figure 6.1: Issue Management during Pre-Compliance or Compliance Testing ................. 56 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 1 / 72 1 Introduction EMVCo recognises independent Laboratories to review and validate 3DS Test Reports (PreCompliance and Compliance Test Reports) in support of the 3DS Approval Process. A Laboratory can be recognised for one or all of its physical locations. A Laboratory may choose to be recognised for the following 3DS Specifications and associated 3DS Components: • EMV® 3-D Secure Protocol and Core Functions Specification (for 3DS Server, Directory Server (DS) and Access Control Server (ACS)) • EMV® 3-D Secure SDK Specification (for 3DS SDK) Note: When a Laboratory is recognised for EMV® 3-D Secure Protocol and Core Functions Specification, it can only perform approvals for the components supported by the Test Platform Provider (s) with which it has a partnership agreement. 1.1 Purpose This document describes the EMV Laboratory recognition process for Functional Evaluations and outlines a set of requirements that an EMVCo Qualified Auditor will use along with the standard [ISO 17025] requirements to assess a Laboratory’s capabilities. The resulting audit report will enable EMVCo to judge whether a Laboratory has the proper competencies and the proper administrative structure to perform Functional Evaluations on behalf of EMVCo in each of its location. For the role and responsibilities of an EMVCo Recognised Laboratory in the approval process, please refer to [AP 3DS].1 Note: In case a Laboratory is already recognised for other EMV Approval Services, such as Card or Mobile or Terminal Approvals, this recognition is not valid for 3-D Secure Function Evaluation. However, the recognition process may be simplified. Note: Even if the scope of standard [ISO 17025] is wider than the needed requirement for 3DS purposes, this standard will be used as reference in the present document. 1.2 Audience This document is intended for Laboratories that are seeking EMV recognition, for EMVCo Recognised Laboratories, and for EMVCo Qualified Auditors that will perform 3DS recognition audits on behalf of EMVCo. 1 The normative references are listed in section 1.4. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 2 / 72 1.3 Laboratory Structure The activities that a 3-D Secure Laboratory performs are quite different from other EMVCo Laboratories (such as Laboratory for Card and Terminal Approvals) functions. Therefore, the possible Laboratory structures accepted by EMVCo are different. The present section describes the Laboratory organization structures that are supported for EMVCo 3-DS Recognition. 1.3.1 Laboratory with a Single Physical Location A Laboratory can have a single physical location that performs the EMVCo 3DS Functional Evaluation. 1.3.2 Laboratory with Multiple Physical Locations A Laboratory that has multiple physical locations (referred to as Secondary Locations) that perform the EMVCo 3DS Functional Evaluation is also acceptable. This is considered as a single Laboratory, as Functional Evaluation tasks do not include any testing capabilities but only support to Product Providers and verification tasks of test reports. In this Laboratory model, there is a Main Location that is responsible and accountable for managing, supervising, training, internal auditing, supporting, etc, of all Secondary Locations. The Laboratory is considered one legal entity managing multiple locations using the same Test Platform and the same operational procedure and controls. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r 1.4 Normative References Page 3 / 72 Table 1.1: 3-D Secure Specifications Ref. [PCF 3DS] [SDK 3DS] [SPLIT 3DS] [DEV 3DS] [VER 3DS] [SB 3DS] [SB 3DS 255] Document Title EMV® 3-D Secure Protocol and Core Functions Specification EMV® 3-D Secure SDK Specification EMV® 3-D Secure Split-SDK Specification EMV® 3-D Secure SDK Device Information EMV® 3DS Version Number Management - Protocol Version 2.3.0 & above EMV® 3-D Secure Specification Bulletins (SB Bulletins) EMV® 3-D Secure Specification Bulletins 255 – 3DS Specification Version Configuration Version Latest Available Latest Available Latest Available Latest Available Latest Available All Latest Available Distribution Publicly Available Publicly Available Publicly Available Publicly Available Publicly Available Publicly Available Publicly Available Table 1.2: 3-D Secure Approval Documents Ref. [Lab Recog Req] Document Title EMV® 3-D Secure Approval— Laboratory Recognition Requirements [this document] [AP 3DS] EMV® 3-D Secure Approval— Administrative Process [TC 3DS] EMV® 3-D Secure Test Suite (which includes EMV® 3-D Secure Test Plans) Version Latest Available Distribution Publicly Available Latest Available Publicly Available Latest Available Restricted to Laboratories and Test Platform Providers © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 4 / 72 Ref. [TPR 3DS] [TP ACR] [CM 3DS] [TP VER] [ICS LAB] [AB 3DS 03] [AB 3DS 19] [AB 3DS] [APP COMS] Document Title EMV® 3-D Secure Test Platform Requirements Version Latest Available Distribution Publicly Available EMV® 3-D Secure - Test Platform Provider Recognition and Test Platform Qualification Process Latest Available Publicly Available EMV® 3-D Secure Change Management and Notification Process Latest Available Restricted to Laboratories and Test Platform Providers EMV® 3-D Secure Test Plan Release Management Latest Available Restricted to Laboratories and Test Platform Providers EMV® 3DS ICS Form – Lab Latest Available Restricted to Annotations for ICS Verification Laboratories EMV® 3-D Secure Approval Bulletin n°3 – Laboratory Fees and Invoicing Process Latest Available Restricted to Laboratories EMV® 3-D Secure Approval Bulletin n°19 – Selectable EMV® 3-D Secure Specification Versions During an Approval Latest Available Publicly Available EMV® 3-D Secure Application All Bulletins (AB Bulletins) Publicly Available EMV® 3-D Secure Approval All Communications Restricted to Test Platform Providers EMVCo Functional Evaluation Laboratory Relationship Agreement Latest Available Restricted to Laboratories 3DS Addendum to Functional Evaluation Laboratory Agreement Latest Available Restricted to Laboratories Test Document License Agreement Latest Available Restricted to Laboratories and Test Platform Providers © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Table 1.3: 3-D Secure Approval Forms Page 5 / 72 Ref. [ICS 3DS] Document Title 3-D Secure - Implementation Conformance Statement 3-D Secure Report Template [LAB RRF] 3-D Secure – Laboratory Request for Registration Form Version Latest Available Distribution Publicly Available Latest Available Latest Available Restricted to Laboratories and Test Platform Providers Publicly Available Table 1.4: External References Ref. [ISO17025] Document Title ISO/IEC 17025—General requirements for the competence of testing and calibration laboratories Version Latest Available Distribution Publicly Available 1.5 Definitions Table 1.5 defines selected terms used in this document. Term 3DS Approval Bulletin 3DS Approval Communication Table 1.5: Definitions Definition Public notification released to communicate updates to the 3-D Secure Approval Process (Test Plan activation date or process updates). Restricted notification released to communicate to the Laboratories and/or Test Platform Providers updates to the 3-D Secure Approval Process (Test Plan activation dates, test case or Test Platform issues, testing guidelines, or process updates). © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 6 / 72 Term 3DS Component Recognition Action plan Active/Activation Active Protocol Approval Complaint Compliance Compliance Testing Corrective action plan EMVCo Definition A 3-D Secure Component that will be approved. There are four 3DS components: • 3DS SDK (Default-SDK or Split-SDK variants) • 3DS Server • Directory Server (DS) • Access Control Server (ACS) Formal recognition by EMVCo that a Test Laboratory or a Test Platform Provider is competent to carry out specific functions as defined by EMV 3DS approval procedures. See “Corrective action plan”. Refers to the condition that a Protocol Version, Test Plan version or a specific Test Plan Implementation is deployed on an EMVCo Recognised Test Platform and becomes available for Product Provider to execute. The list of the active protocols is provided in the latest 3DS Specification Bulletin 255 [SB 3DS 255] Acknowledgment by EMVCo that the specified Product has demonstrated sufficient compliance to the EMV Specifications for its stated purpose. Expression of dissatisfaction by any person or organization to a Laboratory, relating to the activities or results of that Laboratory, where a response is expected Meeting all requirements and any implemented optional requirements for a given specification. The execution by a Test Platform of a defined set of tests against requirements described in a specification to determine official compliance with that specification. A set of deliverables and due dates defined by the Laboratory, then reviewed and validated by the EMVCo Qualified Auditor, to enable a Laboratory to fully meet EMV requirements. See Appendix B for the format of the action plan report. The organization that manages the EMV specifications and their related testing processes. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 7 / 72 Term Definition EMVCo Recognised Laboratory (or Test Laboratory or Laboratory) An independent, impartial entity that has been audited by an EMVCo Qualified Auditor for compliance with the requirements outlined in this document and has received a Letter of Recognition from EMVCo, entitling it to perform 3D testing and test report validation. EMVCo Recognised Test Platform Provider (or Test Platform Provider) An independent, impartial entity that has been audited by an EMVCo Qualified Auditor for compliance with EMVCo 3DS Test Platform Requirements and has received a Letter of Recognition from EMVCo, entitling it to provide 3DS Test Platform services. EMVCo 3DS Approval Secretariat The EMVCo entity that manages the 3-D Secure Approval process defined in [AP 3DS] and related documents. EMVCo 3DS Laboratory Document Repository A digital file repository, used for distributing material from EMVCo to Laboratories, for example Test Plans. Currently referred to as Thrive. EMVCo Qualified Auditor An independent, impartial entity that has received a Letter of Qualification from EMVCo, entitling it to verify conformance to EMV defined Approval procedures. Note: The auditor reviewing the first approval test reports during the initial recognition is usually not the same as the auditor performing the onsite audit. EMVCo Qualified Test Platform A Test Platform for which the Test Platform Provider has received a Letter of Qualification from EMVCo. Functional Evaluation All Laboratory actions to perform the Pre-Compliance Test review and Compliance Test Report validation Impartiality Freedom from conflicts of interest, from bias, from prejudice, neutrality, fairness, open-mindedness, even-handedness detachment and balance. Ability to ensure that conflict of interest do not exist or are resolved so as not to adversely influence the activities of the Laboratory. Inactive/Deactivation Refers to the condition that a Protocol Version, Test Plan version or a specific Test Plan Implementation is phased out on an EMVCo Recognised Test Platform and becomes unavailable for Product Provider to execute. Incoming Test Plan Version Refers to the latest Test Plan to be activated or newly activated on the Test Platform. See also Outgoing Test Plan definition © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 8 / 72 Term Laboratory Location Letter of Recognition Letter of Approval Letter of Qualification Letter of Revocation Licensee Main Location MANUAL_PP Migration Period Definition Physical premises where the Laboratory operates the Functional Evaluations. One Laboratory can have one or multiple locations belonging to the same Laboratory. Written statement that confirms the formal recognition by EMVCo that a Test Laboratory or a Test Platform Provider has been audited and recognised by EMVCo to carry out specific functions as defined by EMVCo approval procedures. Written statement that documents the decision of EMVCo that a specified Product has demonstrated sufficient compliance to the applicable EMV specifications on the date of testing. Written statement that documents the decision of EMVCo that a Test Platform has demonstrated sufficient compliance to EMVCo support and operate test plans and requirements. Written statement that documents the decision of EMVCo that a Laboratory is no longer an EMVCo Recognised Laboratory and that EMVCo’s Functional Evaluation Laboratory Relationship Agreement with the Laboratory is terminated. An entity that has executed a Test Document License Agreement with EMVCo. Main Location of the Laboratory when Laboratory has a group of several physical locations, all performing Functional Evaluation and belonging to the same legal entity. This location is responsible to manage the Secondary Locations A test case requiring human verification with additional evidence provided by the Product Provider. Period during which both a newer Protocol Version and an older Protocol Version are available for selection by the Product Provider to perform testing for Letter of Approval. EMVCo will determine a date when the older Protocol Version is no longer available for selection. After this date, the older Protocol Version can no longer be selected. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 9 / 72 Term Multi-Protocol Version Support Outgoing Test Plan Version Overlapping Period Pilot Testing Pre-Compliance testing Product Product Provider Protocol Version Qualification Reference Number Registration Number Secondary Location Definition 3DS components are required to support all active Protocol Versions as defined in [PCF 3DS] Requirement 311 and in the latest 3DS Specification Bulletin 255 [SB 3DS 255]. This rule is applied in Compliance testing to include the highest Protocol Version selected and all lessor active Protocol Versions. Refers to the Test Plan version(s) to be deactivated on the Test Platform. See Incoming Test Plan definition. Period where both the Incoming and Outgoing Test Plans under a single Protocol Version are active and supported on the Test Platform. This period ends when the Outgoing Test Plan Version becomes Inactive. Tests performed by the Laboratory’s which verifies the test result on a previously approved EMVCo Product or on a simulation Product and provides a test report to the EMVCo Qualified Auditor to review. The format and presentation of assurance evidence will be an essential part of this exercise, in addition to the demonstration of verification capability. Results are expected to be prepared in accordance with ISO standards and EMVCo requirements. An approval process test phase where Product Providers can access the same defined set of Compliance tests allowing debug, analysis and review of the compliance with that specification. A 3-D Secure component submitted for approval Entity submitting a 3-D Secure component for approval. Protocol Version defines the interoperability between the 3DS Secure components. Protocol Version format is MAJOR.MINOR.PATCH and it is defined in [VER 3DS]. A unique identification number that EMVCo assigns to a specific version of the Test Platform once that version of the Test Platform has been qualified. Unique identification number that EMVCo assigns to an EMVCo Laboratory, to be used on all communication and reports sent to EMVCo. Secondary Location(s) of the Laboratory performing Functional Evaluations © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 10 / 72 Term Selectable Protocol Definition The list of the selectable Protocol Versions for a 3DS approval is provided in [AB 3DS 19] Specification Bulletin Notification released to communicate updates to the EMV specifications. System Under Test The 3-D Secure Component (may include hardware with identified Operating System) that is being evaluated for its compliance with EMVCo specification and for receipt of LOA. Test Case A description of the actions required to achieve a specific test objective. Test Plan Specification describing all Test Cases that have to be run to verify the compliance of a 3DS component to a version of 3DS Secure protocol and Core Functions Specification and 3DS Secure SDK Specification. Test Plan Implementation Implementation of a Test Plan by a Test Platform Provider in its testing environment. Test Platform (or 3DS Test Platform) An online test system that has been EMVCo recognised for 3DS testing. The Test Platform executes 3-D Secure test plans and test cases which SUTs use for 3DS compliance approval. Test Script The implementation of an individual test case. Test Suite The total collection of all test scripts that implement the individual test cases for a particular Test Plan version. The Test Suite also includes the documentation as well as the System Under Test Requirements. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r 1.6 Notational Conventions 1.6.1 Abbreviations The abbreviations listed in Table 1.6 are used in this document. Abbreviation 3DS 3DSS DS ACS ICS LoA PP SDK SUT TPP Table 1.6: Abbreviations Description EMV 3-D Secure 3DS Server Directory Server Access Control Server Implementation Conformance Statement Letter of Approval Product Provider Software Development Kit System Under Test Test Platform Provider Page 11 / 72 1.6.2 Terminology and Conventions The following words are used often in these specifications and have a specific meaning: Shall Defines a requirement or a capability which is mandatory. May Defines a requirement or a capability which is optional or a statement which is informative only and is out of scope for these specifications. Should Defines a requirement or a capability which is recommended. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 12 / 72 2 Types of Recognition Audits A Laboratory shall obtain and maintain current EMV recognition. Therefore, several types of audits may be required during a Laboratory’s relationship agreement with EMVCo: • Initial Recognition Audit • Recognition Renewal Audit • Interim Proficiency Audit In addition, three other recognition processes have been defined to cover the use cases below: - Addition of 3DS SDK Approval Capability - Addition a Secondary Test Laboratory Location - Addition of a new Test Platform Provider Note: Payment of fees for audit tasks undertaken by EMVCo Qualified Auditors is the responsibility of the Laboratory requesting EMVCo’s recognition. EMVCo is not responsible for auditor fees. 2.1 Initial Recognition Audit When a Laboratory initially requests EMV recognition, the Laboratory supplies EMVCo with documentation about the Laboratory which includes an overview of its abilities to meet EMV recognition requirements. Once EMVCo has reviewed the documents supplied and has accepted the Laboratory for potential recognition, a full recognition audit is required. This audit consists of items identified in section 6. 2.2 Recognition Renewal Audit A Laboratory shall be audited as specified in the recognition letter to renew its EMV recognition. The requirements for the Recognition Renewal Audit are determined by EMVCo at the time of renewal. The audit may include all items identified in section 6 or EMVCo may select specific items for the EMVCo Qualified Auditor to cover. The audit shall be completed before the expiration date of the Laboratory’s recognition. If a Laboratory wishes to renew its recognition with EMVCo, the Laboratory should contact EMVCo at least four months prior to the expiration date of the Laboratory’s recognition. It is the responsibility of the Laboratory to renew its recognition before it expires. If a Laboratory does not renew its recognition, EMVCo may revoke its recognition. See sections 4.2 and 4.3. If the recognition renewal has not been granted by EMVCo before the expiration date, The Approval Secretariat will stop reviewing any Test Report from the concerned Laboratory. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 13 / 72 2.3 Interim Proficiency Audit At any time, at the discretion of EMVCo, an Interim Proficiency Audit may be required. For instance, it may happen if: • A previous audit required a corrective action plan, • Deviations are not fixed appropriately or in the expected timeline, • Repetitive or quality related issues are noticed, • A Laboratory performs a low number of approvals a year, • The Laboratory is recognised for 3DS Core and wants to become recognised for 3DS SDK (see detail in section 3.4). • The laboratory is partnering with a new Test Platform Provider Or for any other reason that EMVCo deems relevant EMVCo reserve also the right to perform interim Proficiency Audit on Secondary Location of the Laboratory. In case of interim Proficiency Audit, EMVCo will: • Inform the Laboratory that an Interim Proficiency Audit shall be performed and the date by which the audit shall be completed. • Inform the Laboratory of the audit requirements (which will be based upon the issues or changes identified). The scope of the audit will primarily include a Laboratory’s validation procedures and capabilities. This scope and the date of the interim proficiency audit are usually determined by the list of corrective actions, which have been issued during the previous audit performed but it is at the discretion of the EMVCo Qualified Auditor and EMVCo to extend the scope. If a Laboratory does not complete the audit to the satisfaction of EMVCo by the required date, EMVCo may suspend or revoke its recognition. See sections 4.2 and 4.3. Note: Interim Proficiency audits requested during the period of the Provisional Letter of Recognition (see 3.1) or requested in a Letter of Recognition (see 3.2) have to be organized and planned by the Laboratory and EMVCo does not inform or remind the Laboratory to do it. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 14 / 72 3 Recognition Processes The following sections describe the processes involved in the various types of audits. 3.1 Initial Recognition Process The Initial Recognition Process is performed by each new Laboratory that wants to be recognised by EMVCo for 3-D Secure Functional Evaluations. Laboratory will follow an Audit process as described in Table 3.1. Note: Before applying to Laboratory recognition according to the process described in Table 3.1, a candidate Laboratory may obtain the 3DS Test Plan [TC 3DS] as well as the 3D Secure Approval Bulletin n°3 [AB 3DS 03] related to Laboratory Fees upon signature of an NDA with EMVCo. Table 3.1: Initial Recognition Audit process Entity Laboratory Recognition Process Sends email request to EMVCo Secretariat to begin the recognition process; the request shall include the following: • Executive and financial summary • Technical expertise summary, including experience with EMV Specifications • Laboratory background • 3DS Request for Registration Form [LAB RFF] Note: if the entity is already known by EMVCo as an recognised Laboratory for any other EMVCo Approval, the executive and financial summary as well as the Laboratory background may not be required. The documents provided shall permit a verification of the compliance to the requirements described in sections: • 6.1.2 Financial • 6.1.3 Legal Entity • 6.1.5 Independence • 6.1.9 Business Coverage • 6.3.2.2 Personnel Technical Expertise © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 15 / 72 Entity EMVCo Laboratory EMVCo Recognition Process Evaluates whether Laboratory qualifies to be accepted for consideration as a potential EMVCo Recognised Laboratory • Informs Laboratory if it may proceed with recognition Note: EMVCo reserves the right, at its own discretion and without providing a detailed explanation, to deny a Laboratory the right to proceed through the recognition process. • Provides Laboratory with: o The EMVCo Functional Evaluation Laboratory Relationship Agreement for signature o The EMVCo 3DS Addendum to Functional Evaluation Laboratory Agreement for signature o The EMVCo Test Document License Agreement for signature • Signs the Functional Evaluation Laboratory Relationship Agreement with EMVCo (using docusign) • Signs the 3DS Addendum to Functional Evaluation Laboratory Agreement with EMVCo (using docusign) • Signs the EMVCo Test Document License Agreement (using docusign) • Signs the Functional Evaluation Laboratory Relationship Agreement with EMVCo (using docusign) • Signs the 3DS Addendum to Functional Evaluation Laboratory Agreement with EMVCo (using docusign) • Signs the Test Document License Agreement (using docusign) • Provides the Laboratory with a Registration Letter including a Registration Number, to be used on all communication and reports sent to EMVCo • Provide credentials to access Thrive containing documents and communication restricted to 3DS Laboratories • Provides credentials to access the 3DS Knowledge Base (that list and describe Pass*) © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 16 / 72 Entity Laboratory EMVCo Qualified Auditor Laboratory EMVCo Qualified Auditor Recognition Process • Signs Partnership with recognised 3DS Test Platform Provider(s) • Connects to EMVCo-qualified Test Platform • Obtains adequate training on EMV Test Cases and test tool Note: Training is not the responsibility of EMVCo. • Selects an auditor from the list of EMVCo Qualified Auditors and makes financial and legal arrangements with the auditor for the Laboratory to be audited • Informs EMVCo of selected EMVCo Qualified Auditor • Provides to the EMVCo Qualified Auditor the information required to meet the audit requirements defined in section 6.5 • Demonstrates review and validation capabilities as described in section 6.5.4. • Performs audit in accordance with requirements described in section 6 and with [ISO 17025] requirements needed for 3DS purpose (see section 6.3.1) • Ensures Laboratory meets all requirements detailed in sections 6 Note: Some requirements may already have been checked during Registration and Contract step or during the Test Platform Qualification and the EMVCo Qualified Auditor may not check them again. • Audits the Laboratory’s review and validation capabilities • Provides audit findings to the Laboratory • If a corrective action plan (as described in section 6.5.5) is NOT necessary: Provides audit report to EMVCo If a corrective action plan (as described in section 6.5.5) is necessary: • Defines the action plan with deliverables and due dates to meet all EMV requirements • Provide action plan to EMVCo Qualified Auditor If a corrective action plan is necessary: • Reviews and validates the action plan defined by the Laboratory, • May ask the Laboratory to update its action plan if necessary, • Provides a copy of the validated Laboratory action plan in its audit report to EMVCo © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 17 / 72 Entity EMVCo Laboratory Recognition Process Reviews audit report (and action plan, if any) and determines whether the Laboratory may be recognised or whether follow-up action is required Note: EMVCo reserves the right to deny recognition at its own discretion and without detailed explanation. • If audit report is acceptable to EMVCo: o Sends the Laboratory an initial Letter of Recognition with a validity of typically nine months o Adds the Laboratory to the list of recognised Laboratories on the EMVCo website • If audit report is acceptable but action items of the Laboratory are required (e.g. a corrective action plan is pending), EMVCo may grant recognition on a provisional basis, as follows: o Sends the Laboratory a provisional Letter of Recognition with conditions (with a validity of nine months maximum). The letter will include the list of action items and a date by which they shall be completed. o Adds the Laboratory to the list of recognised Laboratories on the EMVCo website Note: EMVCo reserves the right to extend the duration of the provisional Letter of Recognition at its own discretion. During the validity of the initial or provisional Letter of Recognition: • The first two reports per supported 3DS specification (Protocol and Core Functions Specification and SDK Specification) shall be fully reviewed and controlled by an EMVCo Qualified Auditor to ensure correctness of these reports. The two reports can be validated by the main Laboratory or secondary Laboratory indifferently (when the Laboratory has secondary locations): the Laboratory is seen as a single entity by EMVCo and the main Laboratory is accountable for the deliverables of secondary Laboratories. • The Laboratory shall be responsible for all fees associated with such activity. The EMVCo Qualified Auditor shall report to EMVCo the result of these reviews. Failure to complete review and validation in the allotted time, or poor-quality audit results may trigger further interim proficiency audits and/or loss of recognition. • Before the expiration of the initial or provisional Letter of Recognition, the Laboratory shall organize an Interim Proficiency Audit (as described in in section 2.3). © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 18 / 72 Entity Recognition Process EMVCo Qualified Auditor EMVCo • Performs Interim Proficiency Audit on o the Laboratory’s operational review and validation activities during the period of the provisional Letter of Recognition, the results of the action plan if had been requested during the initial audit. Note: Additional check points will be organized remotely by the EMVCo Qualified Auditor before the Interim Proficiency audit to follow up the implementation of the action plan (see details in section 6.5.5) • Provides audit report to EMVCo. If no issues have been detected during the review by EMVCo of the report from the Laboratory (Main Location) or from the EMVCo Qualified Auditor and if no corrective action items have been identified during the Interim Proficiency Audit, then the Laboratory’s recognition is extended to three years from the initial recognition date. If issues and/or corrective action items have been identified, depending on the severity and number of deviations, a new interim proficiency audit may be required and the extension of the Laboratory recognition may be reduced to one to two years at EMVCo discretion. Note: Note: A Laboratory may decide to obtain first an recognition for 3DS Protocol and Core Functions Specification and later an recognition for SDK Specifications. In that case, the scope of the recognition audit described above will not include SDK verification procedures. Update of the recognition to support SDK specification will be performed through an Interim Proficiency Audit (see chapter 3.4) that will usually not require a physical audit but the delivery of documents and a call with EMVCo or EMVCo representative. When recognised, Laboratories may subscribe to receive the list of approved 3DS Products on a weekly basis, by sending an email to 3DS_approval@emvco.com. The email shall include the email addresses that will receive the list. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 19 / 72 Figure 3.1: Process Flow 1—Initial Recognition Audit Process (1 of 2) Laboratory sends request to EMVCo to begin recognition process EMVCo authorizes N End Laboratory to begin? Y EMVCo sends: Relationship Agreement 3DS Addendum Test Document License Agreement Laboratory signs Relationship Agreement, 3DS Addendum and Test Document License Agreement (Docusign) EMVCo • Signs Relationship Agreement, 3DS Addendum and Test Document License Agreement (Docusign) • Returns a Registration Letter including Registration Number • Provides credential to access Kavi and 3DS Knowledge Database Laboratory selects and connect to an EMVCo qualified Test Platform Laboratory selects an EMVCo Qualified Auditor Laboratory provides requested written evidences and demonstrates Review and Validation capabilities Auditor: Performs audit as per Laboratory requirements and ISO 17025 Provides audit findings to Laboratory D © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 20 / 72 Figure 3.2: Process Flow 2—Initial Recognition Audit Process (2 of 2) D Corrective action plan Y needed? N Laboratory defines action plan Auditor reviews and validates action plan Auditor sends audit report to EMVCo Audit report is acceptable to EMVCo? Yes with action items No End EMVCo: Sends Laboratory Initial Letter of Recognition Adds Laboratory to list of recognised Laboratories EMVCo: Sends Laboratory Provisional Letter of Recognition Adds Laboratory to list of recognised Laboratories Laboratory must complete Interim Proficiency Audit on the laboratory s operational testing activities (within 9 months) Laboratory must complete Interim Proficiency Audit On the laboratory s operational testing activities and complete pending action items (within 9 months) Auditor must verify 2 reports (per supported 3DS specification) from Laboratory, within 9 months (The 2 reports may be created by the main Laboratory or secondary location indifferently) If no major issues detected during the report review, and no corrective actions identified during the Interim Proficiency audit, EMVCo extends Laboratory recognition to 3 years If major issues detected during the report review, a new interim proficiency audit may be required and the extension of the laboratory recognition may be reduced to one to two years at EMVCo discretion © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r 3.2 Recognition Renewal Process Table 3.2 outlines the steps in the recognition renewal process. Page 21 / 72 Table 3.2: Recognition Renewal Audit process Entity Laboratory EMVCo Laboratory EMVCo Qualified Auditor Process Sends email request to EMVCo Secretariat to begin the recognition renewal process Note: If a Laboratory wishes to renew its recognition with EMVCo, the Laboratory should contact EMVCo at least four months prior to the expiration date of the Laboratory’s recognition. • Informs the Laboratory if it may proceed with the recognition renewal Note: EMVCo reserves the right, at its own discretion and without providing a detailed explanation, to deny a Laboratory the right to proceed through the recognition renewal process. • Identifies the audit requirements, which may be a subset of section 6, and informs the Laboratory • Selects an auditor from the list of EMVCo Qualified Auditors and makes financial and legal arrangements with the auditor for the Laboratory to be audited • Provides to the EMVCo Qualified Auditor the information required to meet the audit requirements identified by EMVCo • Demonstrates review and validation capabilities (as described in section 6.5.4) if requested by EMVCo • Performs audit in accordance with 3DS Laboratory requirements (or subset of 3DS Laboratory requirements) and with [ISO 17025] requirements needed for 3DS purpose (see section 6.3.1) • Ensures Laboratory meets all requirements identified by EMVCo • Audits the Laboratory’s review and validation capabilities if requested by EMVCo • Provides audit findings to the Laboratory • If a corrective action plan (as described in section 6.5.5) is NOT necessary: Provides audit report to EMVCo © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 22 / 72 Entity Laboratory EMVCo Qualified Auditor EMVCo EMVCo Qualified Auditor Process If a corrective action plan is necessary: • Defines the action plan with deliverables and due dates to meet all EMV requirements • Provides action plan to EMVCo Qualified Auditor If a corrective action plan is necessary: • Reviews and validates the action plan defined by the Laboratory • Provides a copy of the validated Laboratory action plan in its audit report to EMVCo Reviews audit report (and action plan, if any) and determines whether the Laboratory’s recognition may be renewed or whether follow-up action is required Note: EMVCo reserves the right to deny recognition at its own discretion and without detailed explanation. • If audit report is acceptable to EMVCo, sends a new Letter of Recognition to the Laboratory with duration following conditions defined in Table 3.1, starting from the expiration of the current recognition. • If audit report is acceptable but Laboratory action items are pending, o May renew recognition on a provisional basis, as follows: o Sends the Laboratory a provisional Letter of Recognition with a duration following conditions defined in Table 3.1, starting from the expiration of the current recognition. The letter may include the requirements for an Interim Proficiency Audit (as described in section 2.3) and a date by which it shall be completed. Organizes remote check points with the Laboratory to follow up the implementation of the action plan (If Laboratory action items are pending when the new Letter of Recognition is granted), See details in section 6.5.5 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 23 / 72 Figure 3.3: Process Flow 3—Recognition Renewal Audit Process (1 of 2) Laboratory sends request to EMVCo to begin recognition renewal process EMVCo authorizes N Laboratory to begin? Y EMVCo identifies audit requirements Laboratory: Selects EMVCo Qualified Auditor Demonstrates Review and Validation capabilities Auditor: Performs audit as per Laboratory requirements and ISO 17025 Provides audit findings to Laboratory Corrective action plan Y needed? N End Laboratory defines action plan Auditor reviews and validates action plan Auditor sends audit report to EMVCo F © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 24 / 72 Figure 3.4: Process Flow 4—Recognition Renewal Audit Process (2 of 2) F Audit report is acceptable to EMVCo? Yes No with action items End EMVCo sends Laboratory new Letter of Recognition EMVCo sends Laboratory provisional Letter of Recognition Laboratory must complete Interim Proficiency Audit as specified in provisional Letter of Recognition © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r 3.3 Interim Proficiency Audit Process Table 3.3 outlines the steps in the interim proficiency audit process. Page 25 / 72 Table 3.3: Interim Proficiency Audit Process Entity EMVCo Laboratory EMVCo Qualified Auditor Laboratory EMVCo Qualified Auditor Process • Informs the Laboratory that an Interim Proficiency Audit shall be performed and the date by which the audit shall be completed • Informs the Laboratory of the requirements for the Interim Proficiency Audit, which will be either a full audit as described in section 6 or a subset of those requirements • Selects an auditor from the list of EMVCo Qualified Auditors and makes financial and legal arrangements with the auditor for the Laboratory to be audited • Provides to the EMVCo Qualified Auditor the information required to meet the audit requirements identified by EMVCo • Demonstrates test review and validation capabilities (as described in section 6.5.4) if requested by EMVCo • Performs audit in accordance with [ISO 17025] requirements needed for 3DS purpose (see section 6.3.1) • Ensures Laboratory meets all requirements identified by EMVCo • Audits the Laboratory’s review and validation capabilities if requested by EMVCo • Provides audit findings to the Laboratory • If a corrective action plan (as described in section 6.5.5) is NOT necessary: Provides audit report to EMVCo If a corrective action plan is necessary: • Defines the action plan with deliverables and due dates to meet all EMV requirements • Provides action plan to EMVCo Qualified Auditor If a corrective action plan is necessary: • Reviews and validates the action plan defined by the Laboratory • Provides a copy of the validated Laboratory action plan in its audit report to EMVCo © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 26 / 72 Entity EMVCo Process • Reviews audit report (and action plan, if any) and determines whether the Laboratory’s Interim Proficiency Audit is acceptable • May choose one of the following based upon its evaluation of the audit report: o No further action required and Laboratory maintains its recognition status o No further action required, Laboratory now fully recognised and receives a new Letter of Recognition without conditions o Continue recognition on a provisional basis; send the Laboratory a provisional Letter of Recognition with conditions The letter will include the requirements and the date by which another Interim Proficiency Audit shall be completed. o Suspend the recognition of the Laboratory, remove the Laboratory’s name from the list of recognised Laboratories on the EMVCo website, and set the requirements and the date by which another Interim Proficiency Audit shall be completed o Revoke the Laboratory recognition, as described in section 4.2 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 27 / 72 Figure 3.5: Process Flow 5—Interim Proficiency Audit Process (1 of 2) EMVCo: ● Informs Laboratory Interim Proficiency Audit must be completed ● Identifies audit requirements Laboratory: ● Selects EMVCo Qualified Auditor ● Demonstrates Review and Validation capabilities Auditor: ● Performs audit as per ISO 17025 ● Provides audit findings to Laboratory Corrective action plan Y needed? N Laboratory defines action plan Auditor reviews and validates action plan Auditor sends audit report to EMVCo J © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 28 / 72 Figure 3.6: Process Flow 6—Interim Proficiency Audit Process (2 of 2) J Audit report is acceptable to EMVCo? Yes As appropriate, EMVCo does one of the following: Advises Laboratory that no further action is required and Laboratory maintains its recognition status Sends Laboratory a new Letter of Recognition without conditions No EMVCo revokes Laboratory s recognition With action items As appropriate, EMVCo does one of the following: Sends Laboratory provisional Letter of Recognition Suspends Laboratory s recognition Laboratory must complete another Interim Proficiency Audit © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 29 / 72 3.4 Recognition Process when Adding 3DS SDK Approval Capability The update of the recognition to support 3DS SDK specification will be performed through an Interim Proficiency Audit that will usually not require a physical audit but the delivery of documents and a call with EMVCo or EMVCo representative Table 3.4 outlines the steps when a Test Laboratory is recognised for 3DS Core approvals and wants to be recognised for 3DS SDK approvals Table 3.4: Addition of SDK Approval Capability process Entity Laboratory Process • Sends email request to EMVCo Secretariat to indicate its wish to be recognised for 3DS SDK • Provide the following documents: o Internal Visual Validation Process including operator detailed instructions, covering also MANUAL_PP tests. o Training material for personnel involved in the visual validation o Organization chart with names, roles, department, physical location (main or secondary Laboratory) and responsibilities for people involved in the visual validation. o If available, pilot test report(s) and associated SUT print screens. A pilot test report is a report that is generated by the Laboratory personnel when testing a real 3DS SDK Product or a simulator of a 3DS SDK Product. The Product does not have to be approved 3DS SDK and the report may contain Fail test outcomes. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Laboratory Recognition Requirements v1.3.r Page 30 / 72 Entity EMVCo Laboratory Process Review the documents provided and will assess the capability of the Laboratory to perform visual validation. The outcome of this review will be documented in a report that will be provided to the Laboratory • If there are major deviations, o Ask the Laboratory to fix the issue and resubmit the material or evidences that the issues have been fixed. o A new assessment will take place • If there are minor deviations or no deviation, o Grant the recognition for 3DS SDK approval. o Update the Letter of Recognition as well as the web site. o The resolution of the minor issues will be managed using the standard process (resolution plan to be provided and implemented by the Laboratory) Note: During the review process, EMVCo may request a conference call with the Laboratory to review some of the documents and obtain clarifications. If recognition is granted for 3DS SDK Approval, have the first two reports for 3DS SDK component within