PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Tracked metadata: Sourced from EMVCo's public document index. PCI Watch records each document's details and its extracted text so changes can be tracked over time; the document PDF itself is hosted by EMVCo.
View on EMVCo.com →

EMVCo Qualification Requirements for Auditors (Card and Mobile Functional Evaluation)

v2.1.r Service Provider Recognition/Qualification
ContactContactlessMobile CardNFC Consumer Device
Extracted document text

EMVCo's index flattens the document's layout, so this text is best used for searching and comparing versions rather than reading end-to-end.

EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors Version 2.1.r September 2025 © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page i / vi Legal Notice This document is subject to change by EMVCo at any time. This document does not create any binding obligations upon EMVCo or any third party regarding the subject matter of this document, which obligations will exist, if at all, only to the extent set forth in separate written agreements executed by EMVCo or such third parties. In the absence of such a written agreement, no product provider, test laboratory or any other third party should rely on this document, and EMVCo shall not be liable for any such reliance. No product provider, test laboratory or other third party may refer to a product, service or facility as EMVCo approved, in form or in substance, nor otherwise state or imply that EMVCo (or any agent of EMVCo) has in whole or part approved a product provider, test laboratory or other third party or its products, services, or facilities, except to the extent and subject to the terms, conditions and restrictions expressly set forth in a written agreement with EMVCo, or in an approval letter, compliance certificate or similar document issued by EMVCo. All other references to EMVCo approval are strictly prohibited by EMVCo. Under no circumstances should EMVCo approvals, when granted, be construed to imply any endorsement or warranty regarding the security, functionality, quality, or performance of any particular product or service, and no party shall state or imply anything to the contrary. EMVCo specifically disclaims any and all representations and warranties with respect to products that have received evaluations or approvals, and to the evaluation process generally, including, without limitation, any implied warranties of merchantability, fitness for purpose or noninfringement. All warranties, rights and remedies relating to products and services that have undergone evaluation by EMVCo are provided solely by the parties selling or otherwise providing such products or services, and not by EMVCo, and EMVCo will have no liability whatsoever in connection with such products and services. This document is provided "AS IS" without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in this document. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT, AS TO THIS DOCUMENT. EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to this document. EMVCo undertakes no responsibility to determine whether any implementation of this document may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of this document should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, this document may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement this document is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party's infringement of any intellectual property rights in connection with this document. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page ii / vi Revision Log – Version 2.1.r The following changes have been made to the document since the publication of Version 2.1. Some of the numbering and cross references in this version have been updated to reflect changes introduced by the published bulletins. The numbering of existing requirements did not change, unless explicitly stated otherwise. Incorporated changes described in the following Specification Updates: • None Other editorial changes: • Reference approval processes names updated • Reference specification names updated • New EMVCo template • Editorial Updates © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page iii / vi Contents 1 Introduction .................................................................................................................. 1 1.1 Purpose and Audience ............................................................................................ 1 1.2 Scope...................................................................................................................... 2 1.3 Normative References............................................................................................. 3 1.4 Definitions ............................................................................................................... 4 2 Types of Qualification Reviews................................................................................... 6 2.1 Initial Qualification Review ...................................................................................... 6 2.2 Qualification Renewal Review ................................................................................. 6 2.3 Incremental Qualification Review ............................................................................ 6 2.4 Interim Proficiency Review ...................................................................................... 7 3 Qualification Processes............................................................................................... 8 3.1 Initial Qualification Process ..................................................................................... 8 3.2 Qualification Renewal Process.............................................................................. 13 3.3 Incremental Qualification Process ......................................................................... 15 3.4 Interim Proficiency Review Process ...................................................................... 17 4 Modification or Termination of Qualification ........................................................... 19 4.1 Change in Audit Services Offered ......................................................................... 19 4.2 Termination of Qualification................................................................................... 19 4.3 Suspension of Qualification ................................................................................... 20 4.4 Revocation of Qualification.................................................................................... 20 5 Auditor Requirements ............................................................................................... 21 5.1 General Requirements .......................................................................................... 21 5.1.1 Skills .......................................................................................................... 21 5.1.2 Availability ................................................................................................. 21 5.2 Business Requirements ........................................................................................ 21 5.2.1 Financial .................................................................................................... 21 5.2.2 Legal ......................................................................................................... 22 5.2.3 Insurance................................................................................................... 22 5.2.4 Public Communications ............................................................................. 22 5.2.5 Independence............................................................................................ 23 5.2.6 Consistent Business Practices................................................................... 24 5.3 Security Requirements .......................................................................................... 25 5.3.1 Classified Materials and Information .......................................................... 25 5.3.2 Audit Reports............................................................................................. 25 © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page iv / vi 5.3.3 EMVCo Documentation Update and Implementation ................................. 26 5.3.4 Networks ................................................................................................... 26 5.4 Administrative Requirements................................................................................. 27 5.4.1 Quality Assurance ..................................................................................... 27 5.4.2 Personnel .................................................................................................. 27 5.5 Administrative Requirements................................................................................. 28 5.5.1 Technical Expertise ................................................................................... 28 5.5.2 Experience ................................................................................................ 28 6 Qualification Review Requirements.......................................................................... 30 6.1 Written Evidence ................................................................................................... 30 6.1.1 Business Conformance.............................................................................. 30 6.1.2 Security Conformance ............................................................................... 30 6.1.3 Administrative Conformance...................................................................... 31 6.1.4 Technical Conformance ............................................................................. 31 © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page v / vi Figures Process Flow 1: Initial Qualification Process ................................................................................. 11 Process Flow 2: Qualification Renewal Process ........................................................................... 14 Process Flow 3: Incremental Qualification Process ...................................................................... 16 Process Flow 4: Interim Proficiency Review Process ................................................................... 18 © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page vi / vi Tables Table 1 : Normative References ...................................................................................................... 3 Table 2 : Initial Qualification Process.............................................................................................. 8 Table 3: Qualification Renewal Process ....................................................................................... 13 Table 4: Incremental Qualification Process .................................................................................. 15 Table 5: Interim Proficiency Review Process ............................................................................... 17 © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 1 / 32 1 Introduction EMVCo qualifies independent auditors throughout the world to conduct one or more of the following types of audits on its behalf as part of the EMVCo Card Type Approval Processes for Common Core Definition (CCD) and Common Payment Application (CPA), and EMVCo Mobile Type Approval Processes for Contactless Mobile Payment (CMP), and EMVCo Test Tool Qualification for CCD, CPA, CMP, and Contactless Interface Specification (CIS). For a description of each type of audit, please refer to [AP CCD] , [AP CPA], [AP_CMP] and [AP_ML1].1 • Audit of Chip Provider EMV Level 1 Electrical Test Procedures (CCD & CPA) • Audit of Owner Specification (CCD) • Audit of Non-CCD Test Cases (CCD) • Audit of Test Results (CCD): Non-CCD test results from all laboratories and CCD test results from non-EMVCo laboratories • Audit of Change to an Approved Product (CCD) • Laboratory Audit – Non-EMVCo Laboratory (CCD) • Laboratory Recognition Audit – EMVCo Laboratory (CCD, CPA, CIS, CMP ) • Test Tool Qualification Audit for CCD, CPA, CIS and CMP. An auditor may choose to be qualified for only one type of audit or multiple audits. An auditor is a company that is qualified for one individual or a specific list of individuals. 1.1 Purpose and Audience This document describes the EMVCo auditor qualification process and outlines a set of requirements that EMVCo will use to assess whether an auditor has the proper credentials, competencies, and administrative structure to perform audits on behalf of EMVCo. This document is intended for auditors that are seeking EMVCo qualification and for EMVCo Qualified Auditors. 1 The normative references are listed in section 1.3. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 2 / 32 1.2 Scope This document is to be used for auditor qualification for CCD , CPA, Mobile CMP and Contactless Level 1 for Card and Mobile. This document covers the EMVCo auditor qualification process and requirements for functional evaluations. For the role and responsibilities of an EMVCo Qualified Auditor in the Card or Mobile Type Approval process, please refer to [AP CCD], [AP CPA], [AP_CMP] and [AP_ML1].2 2 The normative references are listed in section 1.3. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r 1.3 Normative References Table 1 : Normative References Ref. [AP CCD] [AP CPA] [Lab Reco Req] [AP_CMP] [AP_ML1] Document Title EMVCo Card Type Approval Administrative Process for CCD EMVCo Card Type Approval Administrative Process for CPA EMV Card and Terminal Type Approval - Laboratory Recognition Requirements EMVCo Contactless Mobile Payment Type Approval Administrative Process EMVCo Mobile Product Level 1 Type Approval Administrative Process Version Latest Version Latest Version Latest Version Latest Version Latest Version Page 3 / 32 Distribution Publicly Available Publicly Available Publicly Available Publicly Available Publicly Available © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r 1.4 Definitions The following terms are used in this specification: Term Definition Page 4 / 32 Chip Provider EMVCo EMVCo Recognised Laboratory EMVCo Qualified Auditor Letter of Revocation Letter of Qualification Owner Specification Product Provider Qualification Recognition Registration Number Specification Owner A vendor that submits Integrated Circuit(s) to EMVCo for security evaluation. A Limited Liability Company established to maintain the EMV specifications and administer Type Approval against those specifications. An independent, impartial entity that has been audited by an EMVCo Qualified Auditor for compliance with the requirements outlined in this document and has received a Letter of Recognition from EMVCo, entitling it to perform testing for Card or Mobile Type Approval. An independent, impartial entity that has received a Letter of Qualification from EMVCo, entitling it to perform one or more of the audits defined in [AP CCD] , [AP CPA], [AP_CMP] and [AP_ML1]. Written statement that documents the decision of EMVCo that an auditor is no longer an EMVCo Qualified Auditor and that EMVCo’s Auditor Relationship Agreement with the auditor is terminated. Written statement that documents the decision of EMVCo that an auditor is an EMVCo Qualified Auditor. The statement includes a specific list of individuals and the specific types of audits for which they are qualified. A specification, based on the EMV specifications, created by an entity other than EMVCo (e.g. a payment organization or card issuer). The entity that submits a product to EMVCo for Card or Mobile Type Approval. Formal recognition by EMVCo that an auditor is competent to perform one of more type of audits on behalf of EMVCo. Formal recognition by EMVCo that a test laboratory is competent to perform one or more categories of testing defined by EMVCo Card or Mobile Type Approval procedures. Unique identification number that EMVCo assigns to an EMVCo Qualified Auditor, to be used on all communication and reports sent to EMVCo. Entity other than EMVCo (e.g. a payment organization or card issuer) responsible for the Owner Specification contents. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 5 / 32 Type Approval Verification by EMVCo that a specific product has demonstrated sufficient conformance to the EMV specifications. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 6 / 32 2 Types of Qualification Reviews An auditor must obtain and maintain current qualification. Therefore, several types of qualification reviews may be required during an auditor’s relationship agreement with EMVCo: 2.1 - Initial Qualification Review 2.2 - Qualification Renewal Review 2.3 - Incremental Qualification Review 2.4 - Interim Proficiency Review 2.1 Initial Qualification Review When an auditor initially requests qualification, the auditor supplies EMVCo with documentation about the company and the individual(s) which includes an overview of their abilities to meet EMVCo qualification requirements. Once EMVCo has reviewed the documents supplied and has accepted the auditor for potential qualification, an interview is required. The qualification requirements are identified in sections 5 and 6. 2.2 Qualification Renewal Review An auditor must apply for renewal of their qualification every four years. The requirements for the Qualification Renewal Review are determined by EMVCo at the time of renewal. The requirements may include all items identified in sections 5 and 6 or EMVCo may select specific requirements that the auditor must satisfy. The requirements must be met before the expiration date of the auditor’s qualification. If an auditor wishes to renew their qualification with EMVCo, the auditor should contact EMVCo at least four months prior to the expiration date of the auditor’s qualification. The auditor is responsible for renewing their qualification before it expires. If an auditor does not renew their qualification, EMVCo suspends or revokes their qualification. See sections 4.3 and 4.4. 2.3 Incremental Qualification Review If an auditor requests to add a new type of audit or a new individual to their qualification, an Incremental Qualification Review is required. The existing renewal date for the auditor’s qualification does not change. The requirements for the Incremental Qualification Review are determined by EMVCo at the time of the review. The requirements may be a subset of the items identified in sections 5 and 6. If an auditor does not satisfy the requirements of the review to the satisfaction of EMVCo by the required date, EMVCo may require an Interim Proficiency Review. See section 3.4. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 7 / 32 2.4 Interim Proficiency Review At any time, at the discretion of EMVCo, an Interim Proficiency Review may be required. EMVCo will: • Inform the auditor that an Interim Proficiency Review must be performed and the date by which the review must be completed • Inform the auditor of the review requirements (which will be based upon the issue identified) The scope of the review will primarily include an auditor’s audit procedures and capabilities. If an auditor does not complete the review to the satisfaction of EMVCo by the required date, EMVCo suspends or revokes their qualification. See sections 4.3 and 4.4. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 8 / 32 3 Qualification Processes The following sections describe the processes involved in the various types of qualification reviews. 3.1 Initial Qualification Process Table 2 outlines the steps in the initial qualification process. Auditor Sends request to EMVCo to begin the qualification process; the request should include the following: • Written evidence of conformance as described in section 6.1 • EMVCo Card & Mobile Type Approval Auditor Request for Registration form (available at www.emvco.com) • Name(s) of individual(s) for which the auditor is seeking qualification • Type(s) of audit for which (each) individual is to be qualified The request should also include the following for (each) individual for which the auditor is seeking qualification: • Resume including relevant experience and a summary of technical expertise, including experience with EMV card and mobile specifications • Cover Letter describing how the individual can contribute to the EMVCo Card and/or Mobile Type Approval Process • Copies of any ISO and/or other relevant recognition certificates • References Table 2 : Initial Qualification Process © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 9 / 32 EMVCo Auditor EMVCo • Evaluates whether auditor qualifies to be accepted for consideration as a potential EMVCo Qualified Auditor • Verifies auditor’s certificates and experience • Informs auditor if they may proceed with qualification Note: EMVCo reserves the right, at its own discretion and without providing a detailed explanation, to deny an auditor or one of the individuals the right to proceed through the qualification process. • Provides auditor with: ▪ The EMVCo Auditor Relationship Agreement for signature ▪ The EMVCo Test Document License Agreement for signature ▪ A Letter of Registration including a Registration Number, to be used on all communication and reports sent to EMVCo • Signs the Relationship Agreement with EMVCo and returns two signed copies to EMVCo Note: The auditor may proceed with qualification once the Relationship Agreement has been received by EMVCo. • Signs the EMVCo Test Document License Agreement and returns two signed copies to EMVCo Note: Not required if auditor only applies to be qualified for auditing Owner Specifications. • Signs the Test Document License Agreement and sends a signed version and the test documents to the auditor • Conducts an interview(s) with (each) individual for which the auditor is seeking qualification. The interview may be in person or via teleconference. The purpose of the interview is to: ▪ Ensure auditor meets all requirements detailed in sections 5 and 6 ▪ Examine auditor’s background and certificates (if applicable) ▪ Assess auditor’s skills and knowledge of EMV specifications, test cases, and processes Table 2 : Initial Qualification ProcessTable 2 : Initial Qualification Process , continued © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 10 / 32 EMVCo Auditor • Reviews auditor documentation and interview results and determines whether the auditor may be qualified Note: EMVCo reserves the right to deny qualification at its own discretion and without detailed explanation. • If auditor is acceptable to EMVCo:  Signs the Relationship Agreement with the auditor and sends a signed version to the auditor  Sends the auditor a Letter of Qualification  Adds the auditor to the list of qualified auditors on the EMVCo website. The auditor’s listing on the website will include the name(s) of the individual(s) and the types of audits for which they are qualified. If the auditor is not acceptable to EMVCo: • Destroys all EMVCo Confidential material including EMVCo Card and Mobile Type Approval test cases Table 2 : Initial Qualification Process, continued © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Auditor sends request and appropriate documentation to EMVCo to begin qualification process Page 11 / 32 EMVCo authorizes auditor N End to begin? Y EMVCo sends: ● Relationship Agreement ● Test Document License Agreement ● Letter of Registration including Registration Number Auditor: ● Signs and returns Relationship Agreement ● Signs and returns Test Document License Agreement EMVCo: ● Signs Test Document License Agreement and returns with test documents ● Conducts interview(s) A Process Flow 1: Initial Qualification Process © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r A Page 12 / 32 Auditor acceptable to EMVCo? Yes No EMVCo: ● Sends auditor: • Signed Relationship Agreement • Letter of Qualification ● Adds auditor to list of qualified auditors Auditor must destroy all EMVCo Confidential material including EMVCo Type Approval test cases End Process Flow 1: Initial Qualification Process, continued © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r 3.2 Qualification Renewal Process Table 3 outlines the steps in the qualification renewal process. Page 13 / 32 Auditor EMVCo Auditor EMVCo Sends request to EMVCo to begin the qualification renewal process Note: If an auditor wishes to renew their qualification with EMVCo, the auditor should contact EMVCo at least four months prior to the expiration date of the auditor’s qualification. • Informs the auditor if they may proceed with the qualification renewal Note: EMVCo reserves the right, at its own discretion and without providing a detailed explanation, to deny an auditor or one of the individuals the right to proceed through the qualification renewal process. • Identifies the qualification renewal requirements, which may be a subset of sections 5 and 6 and may include interview(s), and informs the auditor • Provides to EMVCo the information required to meet the qualification renewal requirements identified by EMVCo • Ensures auditor meets all requirements identified by EMVCo • Conducts interview(s) at its own discretion • Determines whether the auditor’s qualification may be renewed Note: EMVCo reserves the right to deny qualification at its own discretion and without detailed explanation. • If auditor is acceptable to EMVCo, sends a new Letter of Qualification to the auditor • If auditor is not acceptable to EMVCo, suspends or revokes qualification. See sections 4.3 and 4.4. Table 3: Qualification Renewal Process © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Auditor sends request to EMVCo to begin qualification renewal process Page 14 / 32 EMVCo authorizes auditor N End to begin? Y EMVCo identifies qualification renewal requirements and informs auditor Auditor provides to EMVCo information required to meet qualification renewal requirements EMVCo: ● Ensures auditor meets all requirements ● Conducts interview(s) at its own discretion Auditor acceptable to Yes EMVCo? No EMVCo sends auditor a new Letter of Qualification EMVCo suspends or revokes qualification End Process Flow 2: Qualification Renewal Process © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 15 / 32 3.3 Incremental Qualification Process Table 4 outlines the steps in the incremental qualification process. Auditor EMVCo Auditor EMVCo Sends request to EMVCo to begin the incremental qualification process • Informs the auditor if they may proceed with the incremental qualification and the date by which the review must be completed Note: EMVCo reserves the right, at its own discretion and without providing a detailed explanation, to deny an auditor or one of the individuals the right to proceed through the incremental qualification. • Identifies the incremental qualification requirements, which may be a subset of sections 5 and 6 and may include interview(s), and informs the auditor • Provides to EMVCo the information required to meet the incremental qualification requirements identified by EMVCo • Ensures auditor meets all requirements identified by EMVCo • Conducts interview(s) at its own discretion • Determines whether the auditor may be qualified Note: EMVCo reserves the right to deny qualification at its own discretion and without detailed explanation. • If auditor and additional type of audit or individual are acceptable to EMVCo:  Updates the Relationship Agreement with the auditor  Sends an updated Letter of Qualification to the auditor Note: The existing renewal date for the auditor’s qualification does not change.  Updates the list of qualified auditors on the EMVCo website • If auditor is acceptable, but the additional type of audit or individual is not acceptable to EMVCo, the auditor maintains its current qualification. No further action required • If auditor is not acceptable to EMVCo, may require an Interim Proficiency Review. See section 3.4 Table 4: Incremental Qualification Process © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Auditor sends request to EMVCo to begin incremental qualification process Page 16 / 32 EMVCo authorizes auditor N End to begin? Y EMVCo identifies incremental qualification requirements and informs auditor Auditor provides to EMVCo information required to meet incremental qualification requirements EMVCo: ● Ensures auditor meets all requirements ● Conducts interview(s) at its own discretion Auditor EMVCo may require an acceptable to No Interim Proficiency Review End EMVCo? Yes Addition Auditor maintains current acceptable No qualification End to EMVCo? Yes EMVCo: ● Sends auditor: • Updated Relationship Agreement • Updated Letter of Qualification ● Updates list of qualified auditors Process Flow 3: Incremental Qualification Process © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 17 / 32 3.4 Interim Proficiency Review Process Table 5 outlines the steps in the interim proficiency review process described in section 2.4. EMVCo Auditor EMVCo • Informs the auditor that an Interim Proficiency review must be performed and the date by which the review must be completed • Informs the auditor of the requirements for the Interim Proficiency review, which will be either all requirements described in sections 5 and 6 or a subset of those requirements, and may include interview(s) • Provides to the EMVCo the information required to meet the interim proficiency requirements identified by EMVCo • Ensures auditor meets all requirements identified by EMVCo • Conducts interviews at its own discretion • Determines whether the auditor’s Interim Proficiency Review is acceptable • If auditor is acceptable to EMVCo:  No further action required and auditor maintains their qualification status • If auditor is not acceptable to EMVCo, suspends or revokes qualification. See sections 4.3 and 4.4 Table 5: Interim Proficiency Review Process © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 18 / 32 EMVCo: ● Informs auditor that Interim Proficiency Review must be completed ● Identifies review requirements Auditor provides to EMVCo the information required to meet requirements EMVCo: ● Ensures auditor meets all requirements ● Conducts interview(s) at its own discretion Yes EMVCo advises auditor that no further action is required and auditor maintains its qualification status Auditor acceptable to EMVCo? No EMVCo suspends or revokes qualification End Process Flow 4: Interim Proficiency Review Process © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 19 / 32 4 Modification or Termination of Qualification At any time, an auditor’s Relationship Agreement with EMVCo may be modified or terminated: • An auditor may decide to add or cease offering a specific audit service. • An auditor may decide to terminate their qualification. • EMVCo may decide to revoke an auditor’s qualification. The following sections provide further details. 4.1 Change in Audit Services Offered At any time, an auditor may decide to change the audit services it offers. If an auditor decides to add an audit service, an Incremental Qualification Review is required as described in section 2.3. If an auditor decides to cease offering an audit service, the auditor must send a request to EMVCo. Upon receipt of such request, EMVCo will modify the auditor’s Relationship Agreement accordingly, re-issue a Letter of Qualification (without changing the qualification expiration date), and update the list of qualified auditors on the EMVCo website. 4.2 Termination of Qualification At any time, an auditor may request termination of their EMVCo Auditor Relationship Agreement. Upon receipt of such request, EMVCo will confirm termination of the auditor’s Relationship Agreement and qualification and remove the auditor’s name from the list of qualified auditors on the EMVCo website. Upon termination of their qualification, the auditor must make available to EMVCo all audit reports already accepted by EMVCo or currently under review. The auditor also must make available to EMVCo all test reports and test logs (whether paper or electronic) from audits of CCD test results performed by non-EMVCo laboratories and EMV Level 1 Electrical Test Procedures performed by Chip Providers. EMVCo recommends that the auditor also return all documentation (e.g. Owner Specifications, Non-CCD Test Cases, EMV Level 1 Test Procedures, etc.) to the entity that owns the documentation. The auditor must also promptly return to EMVCo all EMVCo property and all confidential information. Alternatively, if so directed by EMVCo, the auditor must destroy all confidential information, and all copies thereof, in the auditor’s possession or control, and must provide a certificate signed by an officer of the auditor that certifies such destruction in detail acceptable to EMVCo. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 20 / 32 4.3 Suspension of Qualification At any time, at EMVCo’s own discretion, EMVCo may suspend an auditor’s qualification: • Based on the results of a review • Due to an auditor’s failure to perform the roles and responsibilities of an EMVCo Qualified Auditor • If a auditor fails to complete an Incremental Qualification Review or Interim Proficiency Review to the satisfaction of EMVCo by the required date If the qualification of an auditor is suspended: • The name of the auditor will be removed from the list of qualified auditors • EMVCo will set the requirements and the date by which another Interim Proficiency Review must be completed 4.4 Revocation of Qualification At any time and at EMVCo’s own discretion, EMVCo may revoke an auditor’s qualification: • Based upon the results of a review • Due to an auditor’s failure to perform the roles and responsibilities of an EMVCo Qualified Auditor • If an auditor has not performed an audit on behalf of EMVCo within the last two years • If an auditor fails to renew their qualification before it expires Revocation of qualification automatically terminates the EMVCo Auditor Relationship Agreement with the auditor. EMVCo will also remove the auditor’s name from the list of qualified auditors on the EMVCo website. Upon revocation of their qualification, the auditor must make available to EMVCo all audit reports already accepted by EMVCo or currently under review. The auditor also must make available to EMVCo all test reports and test logs (whether paper or electronic) from audits of CCD test results performed by non-EMVCo laboratories and EMV Level 1 Electrical Test Procedures performed by Chip Providers. EMVCo recommends that the auditor also return all documentation (e.g. Owner Specifications, Non-CCD Test Cases, EMV Level 1 Test Procedures, etc.) to the entity that owns the documentation. The auditor must also promptly return to EMVCo all EMVCo property and all confidential information. Alternatively, if so directed by EMVCo, the auditor must destroy all confidential information, and all copies thereof, in the auditor’s possession or control, and must provide a certificate signed by an officer of the auditor that certifies such destruction in detail acceptable to EMVCo. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 21 / 32 5 Auditor Requirements An auditor must satisfy all requirements in this document and in the applicable Card or Mobile Type Approval Process documentation. (See [AP CCD] , [AP CPA], [AP_CMP] and [AP_ML1].) An auditor must obtain and keep current their qualification with EMVCo and must successfully meet all qualification review requirements at EMVCo’s request, as described in sections 3 and 6. This section identifies the general, business, security, administrative, and technical requirements which an auditor must meet in order to obtain and maintain EMVCo qualification. 5.1 General Requirements This section describes the general requirements which an auditor must meet. 5.1.1 Skills • The auditor must have good communication skills, particularly in written English, and be comfortable with presenting findings to an external group • The auditor must be an independent thinker with strong analytical and evaluation skills 5.1.2 Availability The auditor must be able to travel internationally. 5.2 Business Requirements This section describes the overall business requirements which an auditor must meet. 5.2.1 Financial The auditor must conduct business in a manner that is consistent with the highest ethical standards and with practices that minimize risk. The auditor must be subject to a due diligence review, with the primary focus of identifying and mitigating potential financial and goodwill risks. • The auditor must have a sound financial basis. • The auditor must adhere to ethical business standards and practices. • The auditor must have no financial dependencies on any entity for which an audit is being performed other than the entity’s payment for the service provided. • The auditor must be free of any past fraudulent or criminal activity. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 22 / 32 5.2.2 Legal • The auditor must be recognised as a legal entity and must be (or must be part of) an organization that is registered as a tax-paying business or as having a tax exempt status or as a legal entity in some form with a national body. • The auditor must be able to sign and abide by all EMVCo legal agreements for qualified auditors, including EMVCo Auditor Relationship Agreement and EMVCo Test Document License Agreement. 5.2.3 Insurance The auditor must procure the following types of insurance, at their own expense, for the duration of the EMVCo Auditor Relationship Agreement. The auditor must provide a certificate from each insurer as part of the qualification requirements and then annually thereafter to EMVCo. If any of the insurance is written on a claims-made basis, then the auditor must maintain such insurance for five years after termination of the EMVCo Auditor Relationship Agreement. The insurers shall agree that the auditor’s insurance is primary and any insurance maintained by EMVCo shall be excess and non-contributing to the auditor. • Workers’ Compensation (Statutory Workers Compensation as required by applicable law) • Employer’s Liability • Commercial General Liability Insurance (or Public Liability Insurance): including Products, Completed Operations including Personal Injury and Advertising Injury. EMVCo shall be named as an additional insured (or included as a Principle) • Automobile Insurance • Technology Errors and Omissions Liability: covering liabilities for financial loss resulting or arising from acts, errors or omissions in rendering the audit • Waiver of Subrogation 5.2.4 Public Communications The auditor agrees to abide by EMVCo’s policy that an audit performed by any EMVCo Qualified Auditor is acceptable for EMVCo CCD or CPA Card Type Approval or CMP Type Approval or EMV Contactless Mobile Type Approval, and must make no claims to the contrary in their marketing material. The auditor must not, under any circumstances, communicate nor disclose to any third party, including to the entity submitting a document, process, or product for auditing, that a document or product has or has not been accepted by EMVCo, nor that a laboratory has or has not been recognised by EMVCo. EMVCo, not the auditor, shall be the final party to determine whether a particular document or product conforms to the EMV Specifications and whether a particular laboratory conforms to EMVCo’s recognition requirements. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 23 / 32 5.2.5 Independence The auditor must be able to demonstrate independence from the product, document, process, or entity under audit. • The auditor must receive communication and direction related to EMV Card Type Approval Processes for CCD and CPA only from EMVCo. • The auditor must receive communication and direction related to EMV Mobile Type Approval Processes only from EMVCo. • The auditor must disclose to EMVCo in writing when an individual Chip Provider or Specification Owner or Product Provider or laboratory represents more than 25% of the auditor’s total annual revenue for the auditor’s audit of products, whether card, device or mobile. • The auditor must disclose to EMVCo in writing when any payment scheme or card issuer represents more than 25% of the auditor’s annual revenue within the last three years. • The auditor must also satisfy the independence requirements for the type of audit for which they are seeking qualification. See the following sections for details. Audit of Owner Specification (CCD), Audit of Non-CCD Test Cases (CCD), and Audit of Change to an Approved Product (CCD) • The auditor must not be owned by a Product Provider or Specification Owner involved in the creation of a CCD/CPA application product or specification or card operating system without prior agreement from EMVCo. • The auditor must not evaluate a specification, test cases or a change to an approved product that they have been involved in designing or developing. Audit of Chip Provider EMV Level 1 Electrical Test Procedures (CCD & CPA) and Audit of Test Results (CCD) • The auditor must not be owned by a Chip Provider or Product Provider or Specification Owner involved in the creation or testing of a CCD/CPA application product or specification or card operating system without prior agreement from EMVCo. • The auditor must not evaluate a product, documentation, or process that they have been involved in designing or developing except that they may provide quality assurance testing (debug sessions) prior to the Product Provider submitting the product for official EMVCo Card Type Approval. • The auditor must not audit the test results from testing that they have performed Laboratory Audit – Non-EMVCo Laboratory (CCD) and Laboratory Recognition Audit – EMVCo Laboratory (CCD, CPA, CIS & CMP) • The auditor must not be owned by a laboratory for which they are conducting an audit. • The auditor must not be owned by a Chip Provider or Product Provider. • The auditor must not have any financial relationship with the laboratory other than the laboratory’s payment for the audit services provided. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 24 / 32 Test Tool Qualification Audit – (CCD, CPA, CIS & CMP) • The auditor must not be owned by a test tool provider for which they are conducting an audit. • The auditor must not be owned by a Chip Provider, Test Tool Provider, or Product Provider. • The auditor must not have any financial relationship with the Test Tool Provider other than the payment for the audit services provided. 5.2.6 Consistent Business Practices It is mandatory that any audit report from any EMVCo Qualified Auditor be recognised by all other EMVCo Qualified Auditors, without any further investigation and without any discrimination regarding pricing for complementary audits. When an EMVCo Qualified Auditor performs an audit for a specific non-EMV scheme, that auditor must also recognise, without any further investigation and without any discrimination regarding pricing for complementary audits, the accepted EMVCo audit report performed by any other EMVCo Qualified Auditor that corresponds to (the part of) the EMVCo specifications referenced by that specific non-EMV scheme. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 25 / 32 5.3 Security Requirements The auditor must maintain and comply with a logical security policy that includes, at a minimum, the following requirements. 5.3.1 Classified Materials and Information Test samples, documents, and specifications must be handled with particular care and kept within the company such that they are accessible only to persons appointed by the business management. These materials must be controlled and stored securely whether in electronic or paper format. Disclosure of EMVCo or laboratory or Product Provider or Specification Owner data and documents to third parties must be authorized in writing by an officer of the company that owns the data or documents to be released. Receipt of restricted information must be acknowledged by signature of the company’s official representative. Classified material must be stored in secure containers, where unauthorized access is prevented by appropriate measures (e.g. alarms, surveillance, and sufficient mechanical protection). The auditor must hold in strict confidence any classified information received from EMVCo, laboratories, Product Providers, and Specification Owners. Classified documents must be stored according to their classification level. When an entity grants permission to the auditor to release classified information to EMVCo, this information may be released only to EMVCo. The EMVCo Card Type Approval Secretariat will release the information to appropriate working group members within EMVCo. 5.3.2 Audit Reports All audit reports must be stored securely. If reports are stored electronically, they must be in an industry-recognised protected form. All back-up processes must be appropriately managed by the auditor according to industry standards for recovery purposes. For audits of CCD test results performed by non-EMVCo laboratories and audits of EMV Level 1 Electrical Test Procedures performed by Chip Providers, the auditor must store all reports and logs from the test sessions (whether paper or electronic) for a period of six years following the expiration date of the Letter of Approval. Note: If the card product is renewed by EMVCo, the auditor must store the audit report, test report, and test logs for an additional six years after the expiration date of the new Letter of Approval. When issuing a paper report, the report must be issued in a tamper-evident package with a listed unique number. When auditing test results, the report must include the ICS reference number on the cover page. When auditing a laboratory, the report must include the laboratory’s registration number on the cover page. When issuing an electronic report to EMVCo, the report must be password-protected using EMVCo standard technique. Passwords must never be sent in the same email as the actual report. Passwords for EMVCo may not be shared with third parties, including Chip Providers, Specification Owners, Product Providers, or laboratories. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 26 / 32 5.3.3 EMVCo Documentation Update and Implementation The auditor must have procedures in place and must maintain records for EMV specifications, test cases, and Card and Mobile Type Approval documentation updates and implementation dates authorized by EMVCo. 5.3.4 Networks All systems that are used to handle audit data or constituent parts of audit data must be, where possible, on a dedicated isolated network. Any computers used to store secure information (audit reports, laboratory evaluation reports, laboratory data, Product Provider data, etc.) must not be connected to an external network or to an internal network that allows unauthorized personnel access. If the auditor uses a non-dedicated network, then suitable controls must be in place to protect the integrity of the data within the auditor’s company. These controls include the use of firewalls and routers that offer sufficient security levels for the data being handled. Networks linking the auditor to third parties for the transfer of customer information must be separate and isolated, either physically or using network filters and adequate authentication. Networks that link separate auditor premises must use the network controls described above and all security sensitive data must be encrypted when using such networks. The auditor must have a secure method of transferring customer data to its systems and computers that does not introduce security risks or vulnerabilities. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 27 / 32 5.4 Administrative Requirements This section describes the administrative requirements that an auditor must meet. 5.4.1 Quality Assurance The auditor must conduct audits according to industry/ISO standards and document the audit procedures used in each audit report. These procedures must comply with the Card and Mobile Type Approval Process (see [AP CCD], [AP CPA], [AP_CMP] and [AP_ML1]). 5.4.2 Personnel The auditor must have procedures to ensure a match between staff training and roles in the performance of EMVCo activities. The auditor must maintain a file in the personnel office for each individual for which they are seeking EMVCo qualification. These files must be available to EMVCo and must include, but is not limited to, the following (if legally permissible): • Individual resume and job application • Role in the organization • Experience and Qualifications • Employment history including any background checks conducted on the individual • Training programs, especially those involving any EMVCo testing process or EMVCo-qualified test tools • Current photograph, updated at least every three years • Verification of aliases (when applicable) • Level of formal education • Appropriate national identification number • Signed document indicating that the individual has read and received a copy of the auditor’s policies and procedures When individuals are terminated, the auditor must have designated staff members who execute and document the following: • Recover the individual’s photo ID badge or access card, access keys, or passes and immediately deactivate any access devices. • Ensure that the individual surrenders all property and documentation involving EMVCo testing and approval processes. • Ensure that all computer access passwords are revoked or changed. • Complete an employment termination checklist, which must include the above as a minimum. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r 5.5 Administrative Requirements This section describes the technical requirements for an auditor. Page 28 / 32 5.5.1 Technical Expertise Auditor must be familiar with ISO smart card standards, EMV specifications, and EMVCo Card and Mobile Type Approval Process documentation, and have an understanding of the payments industry and software testing. It is not necessary that each member of the auditor’s staff have knowledge and skills in each of these areas, but the auditor staff as a whole must have an expert level of knowledge in the identified areas. 5.5.2 Experience The auditor must have strong experience applicable to the type of audit for which they are seeking qualification. Audit of Owner Specification (CCD), Audit of Non-CCD Test Cases (CCD), and Audit of Change to an Approved Product (CCD) • The auditor must have experience evaluating specifications, creating test cases, conducting tests, and creating test reports. • The auditor must have four years experience with EMV card specifications. Audit of Chip Provider EMV Level 1 Electrical Test Procedures (CCD & CPA) • The auditor must have experience working with test tools, conducting tests, evaluating test results against test case documents and specifications, and creating test reports. • The auditor must have four years experience with chip hardware. Audit of Test Results (CCD) • The auditor must have experience working with test tools, conducting tests, evaluating test results against test case documents and specifications, and creating test reports. • The auditor must have four years experience with EMV card specifications. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 29 / 32 Laboratory Audit – Non-EMVCo Laboratory (CCD) and Laboratory Recognition Audit – EMVCo Laboratory (CCD & CPA) • The auditor must have current ISO certificates for conducting ISO 17025 audits. • The auditor must have conducted a laboratory audit within the last two years. • EMVCo prefers auditors who have an accreditation from a national body for performing audits. • EMVCo prefers auditors who have current ISO certificates for conducting ISO 10001 and/or ISO 9000 audits. • EMVCo prefers auditors who have knowledge of current testing technology related to laboratory testing. Test Tool Qualification Audit – (CCD, CPA) • The auditor must have experience working with test tools, conducting tests, evaluating test results against test case documents and specifications, and creating test reports. • The auditor must have four years experience with EMV card specifications. Test Tool Qualification Audit – (CIS) • The auditor must have experience working with test tools, conducting tests, evaluating test results against test case documents and specifications, and creating test reports. • The auditor must have four years experience with EMV contactless specifications. Test Tool Qualification Audit – (CMP) • The auditor must have experience working with test tools, conducting tests, evaluating test results against test case documents and specifications, and creating test reports. • The auditor must have two years experience with EMV Application Activation User Interface specifications. © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 30 / 32 6 Qualification Review Requirements In order to prove conformance to the auditor requirements in section 5, the auditor must do the following: • Provide written evidence to the EMVCo before the interview • Complete an interview This section describes information that the auditor is required to supply to EMVCo. EMVCo, in reviewing the documentation, may request additional information from the auditor prior to or during the interview. In preparation for the interview, the auditor will provide written consent for disclosure of this information to EMVCo. 6.1 Written Evidence 6.1.1 Business Conformance The auditor provides EMVCo with evidence of conformance to the auditor business requirements. This evidence may be in the form of a written report describing: • Services of the organization • Structure of the organization, demonstrating the isolation between the auditor and other areas of the organization (e.g. design area, testing facility) • Percentage of revenue received from each of the auditor’s top ten smart card technology related customers (Chip Providers, Specification Owners, Product Providers, or laboratories) relative to the total revenue of the auditor • Organization legal information • Certificate of ownership and/or tax identification number In addition, the auditor must provide EMVCo with the following: • Audited financial statements for the organization • Official Annual Report as required by national or international law and/or regulation 6.1.2 Security Conformance The auditor provides to EMVCo evidence of logical security conformance. This evidence must be in one of the following forms: 1. Included within auditor procedures and documentation, or 2. A written report describing: • Auditor security policy with particular focus on the logical network security measures • Personnel background check security policies • Confidential data protection practices © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 31 / 32 6.1.3 Administrative Conformance The auditor provides to EMVCo evidence of administrative conformance. This evidence may be in the form of a written report describing: • Auditor’s procedures for conducting audits • Auditor’s procedures for maintaining personnel files 6.1.4 Technical Conformance The auditor provides to EMVCo evidence of technical conformance. This evidence may be in the form of a written report describing: • Formal qualifications including certificates • References for entities for which previous audits were performed • Experience relevant to the desired auditor role © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Card and Mobile Functional Evaluation Qualification Requirements for Auditors v2.1.r Page 32 / 32 *** END OF DOCUMENT *** © 2006-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries.