ℹ️
Tracked metadata: Sourced from EMVCo's public document index. PCI Watch records each document's details and its extracted text so changes can be tracked over time; the document PDF itself is hosted by EMVCo.
View on EMVCo.com →

EMV® Contactless Mobile Payment Type Approval – Administrative Process

v1.7 Type Approval Process
ContactlessMobile NFC Consumer Device
Extracted document text

EMVCo's index flattens the document's layout, so this text is best used for searching and comparing versions rather than reading end-to-end.

This document is large; EMVCo's index truncates its extracted text, so the excerpt below is partial.

EMV® Contactless Mobile Payment Type Approval Administrative Process Version 1.7 September 2025 ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page i / vii Legal Notice This document summarizes EMVCo’s present plans for evaluation services and related policies and is subject to change by EMVCo at any time. This document does not create any binding obligations upon EMVCo or any third party regarding the subject matter of this document, which obligations will exist, if at all, only to the extent set forth in separate written agreements executed by EMVCo or such third parties. In the absence of such a written agreement, no product provider, test laboratory or any other third party should rely on this document, and EMVCo shall not be liable for any such reliance. No product provider, test laboratory or other third party may refer to a product, service or facility as EMVCo approved, in form or in substance, nor otherwise state or imply that EMVCo (or any agent of EMVCo) has in whole or part approved a product provider, test laboratory or other third party or its products, services, or facilities, except to the extent and subject to the terms, conditions and restrictions expressly set forth in a written agreement with EMVCo, or in an approval letter, compliance certificate or similar document issued by EMVCo. All other references to EMVCo approval are strictly prohibited by EMVCo. Under no circumstances should EMVCo approvals, when granted, be construed to imply any endorsement or warranty regarding the security, functionality, quality, or performance of any particular product or service, and no party shall state or imply anything to the contrary. EMVCo specifically disclaims any and all representations and warranties with respect to products that have received evaluations or approvals, and to the evaluation process generally, including, without limitation, any implied warranties of merchantability, fitness for purpose or noninfringement. All warranties, rights and remedies relating to products and services that have undergone evaluation by EMVCo are provided solely by the parties selling or otherwise providing such products or services, and not by EMVCo, and EMVCo will have no liability whatsoever in connection with such products and services. This document is provided "AS IS" without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in this document. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT, AS TO THIS DOCUMENT. EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to this document. EMVCo undertakes no responsibility to determine whether any implementation of this document may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of this document should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, this document may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement this document is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party's infringement of any intellectual property rights in connection with this document. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page ii / vii Revision Log – Version 1.7 The following changes have been made to the document since the publication of Version 1.6. Some of the numbering and cross references in this version have been updated to reflect changes introduced by the published bulletins. The numbering of existing requirements did not change, unless explicitly stated otherwise. Incorporated changes described in the following Specification Updates: • Section 4.7: ICS is valid for 6 months and RFA and report shall be sent and approval fee paid within the 6 months • Section 4.9: test report is valid for 90 days Other editorial changes: • Editorial updates ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page iii / vii Contents 1 Introduction .................................................................................................................. 1 1.1 Audience ................................................................................................................. 1 1.2 Normative References............................................................................................. 2 1.2.1 EMV Specifications................................................................................................ 2 1.2.2 Related EMV Documents ...................................................................................... 3 1.2.3 CMP Type Approval Documents............................................................................ 3 1.2.4 CMP Type Approval Forms ................................................................................... 4 1.2.5 External References .............................................................................................. 4 1.3 Definitions ............................................................................................................... 5 1.4 Notational Conventions ..........................................................................................11 1.4.1 Abbreviations....................................................................................................... 11 1.4.2 Terminology and Conventions ............................................................................. 12 2 Scope of CMP Type Approval.................................................................................... 13 2.1 Concepts and Terminology .................................................................................... 13 2.1.1 Overall CMP Architecture .................................................................................... 13 2.1.2 Secure Element Architecture ............................................................................... 14 2.2 Overview ............................................................................................................... 15 2.3 Scope of CMP Secure Element Type Approval...................................................... 16 2.3.1 CMP Secure Element Product Definition ............................................................. 16 2.3.2 In the Scope of CMP Secure Element Product Functional Evaluation.................. 17 2.3.3 Out of the Scope of CMP Secure Element Product Functional Evaluation ........... 18 2.3.4 Debug Sessions .................................................................................................. 19 2.3.5 Security Evaluation Overview .............................................................................. 19 2.4 Scope of CMP PPSE Applet Type Approval .......................................................... 20 2.4.1 CMP PPSE Applet Product Definition .................................................................. 20 2.4.2 In the Scope of CMP PPSE Applet Functional Evaluation ................................... 20 2.4.3 Out of Scope of CMP PPSE Applet Functional Evaluation................................... 21 2.4.4 Debug Sessions .................................................................................................. 21 2.4.5 Security Evaluation Overview .............................................................................. 21 3 CMP Type Approval Overview ................................................................................... 22 3.1 Generic EMVCo Type Approval Flow .................................................................... 22 3.2 CMP Type Approval Flow ...................................................................................... 23 3.2.1 CMP Secure Element Type Approval Flow .......................................................... 23 3.2.2 CMP PPSE Applet Type Approval Flow............................................................... 24 ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page iv / vii 3.2.3 Combined CMP Secure Element Product and CMP PPSE Applet Product Type Approval Submissions ................................................................................................... 25 3.3 Reporting Results to EMVCo................................................................................. 25 3.3.1 Reporting Level 2 Evaluation Results .................................................................. 25 3.3.2 Reporting GlobalPlatform Evaluation Results ...................................................... 25 3.3.3 All Test Reports ................................................................................................... 25 3.3.4 Request for Approval ........................................................................................... 25 3.4 General Rules for a Test Session .......................................................................... 26 3.5 Submitting a Request for Approval Form ............................................................... 26 3.6 Fee Structure ........................................................................................................ 26 3.7 EMVCo Service Levels.......................................................................................... 28 3.8 Multiple Laboratories ............................................................................................. 28 4 CMP Type Approval Procedures ............................................................................... 29 4.1 IC Provider Registration ........................................................................................ 29 4.2 CMP Secure Element Product Provider Registration............................................. 31 4.3 CMP PPSE Applet Product Provider Registration.................................................. 33 4.4 IC Security Evaluation ........................................................................................... 35 4.5 GlobalPlatform Evaluation for CMP Secure Element Products .............................. 35 4.6 GlobalPlatform Evaluation and EMVCo CMP Type Approval Performed in Parallel 35 4.7 Testing Phase ....................................................................................................... 36 4.8 Platform Security Evaluation ................................................................................. 39 4.9 Product Provider Decision to Submit ..................................................................... 39 4.10 Approval Phase..................................................................................................... 40 4.11 Request for Approval............................................................................................. 44 4.12 Functional Test Reports......................................................................................... 45 4.13 GlobalPlatform Letter of Qualification .................................................................... 46 4.14 Letter of Compliance ............................................................................................. 46 4.15 Letter of Rejection – Appeals................................................................................. 47 4.16 Renewal of a Compliant CMP Product .................................................................. 47 4.17 Changes to Previously Compliant Products........................................................... 48 5 Test Version and Specification Change.................................................................... 49 5.1 Test Cases Change without EMV Specification Change........................................ 49 5.2 Test Cases Change due to new EMV Specifications or Bulletins ........................... 50 5.3 Migration Period for Renewal ................................................................................ 51 6 Conformance.............................................................................................................. 52 6.1 Non-conformance Investigation ............................................................................. 52 ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page v / vii 6.2 Revocation of a Letter of Compliance.................................................................... 52 6.3 Corrective Action ................................................................................................... 53 7 Roles & Responsibilities ........................................................................................... 54 7.1 EMVCo ................................................................................................................. 54 7.1.1 EMVCo Card Type Approval Secretariat ............................................................. 54 7.1.2 Security Evaluation Secretariat............................................................................ 55 7.2 Payment System ................................................................................................... 56 7.3 IC Provider ............................................................................................................ 56 7.4 Product Provider ................................................................................................... 57 7.5 EMVCo Recognised Laboratories ......................................................................... 58 7.6 EMVCo Qualified Auditors ..................................................................................... 59 7.6.1 Laboratory Recognition Audit............................................................................... 60 7.7 Relationships between Laboratories and Product Providers.................................. 60 7.8 Relationships between Auditors and Product Providers......................................... 61 7.9 Relationships between Auditors and Laboratories ................................................. 61 7.10 Change in Corporate Identity or Contact Information............................................. 62 8 Termination of Type Approval ................................................................................... 63 8.1 Termination Right .................................................................................................. 63 8.2 Submissions after Notice of Termination................................................................ 63 9 Test Environment ....................................................................................................... 64 9.1 Test Environment for CMP Secure Element Product ............................................. 64 9.2 Test Environment for CMP PPSE Applet Product .................................................. 68 10 Appendix A – Product Samples ................................................................................ 69 ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page vi / vii Figures Figure 2-1: Architectural Zones .......................................................................................... 13 Figure 2-2: Example Secure Element Logical Architecture ................................................. 15 Figure 2-3: EMV Level 2 Testing Requirements for CMP Type Approval ............................ 18 Figure 3-1: Generic EMVCo Type Approval Flow ................................................................ 22 Figure 3-2: CMP Secure Element Type Approval Flow ....................................................... 23 Figure 3-3: CMP PPSE Applet Type Approval Flow ............................................................ 24 Figure 4-1: IC Provider Registration ................................................................................... 30 Figure 4-2: CMP Secure Element Product Provider Registration........................................ 32 Figure 4-3: CMP PPSE Applet Product Provider Registration ............................................ 34 Figure 4-4: Testing Phase .................................................................................................. 38 Figure 4-5: Approval Phase................................................................................................ 43 Figure 5-1: Release of New Test Cases without EMV Specification Change ...................... 49 Figure 5-2: Release of New Test Cases with EMV Specification or Bulletin Change .......... 51 Figure 9-1: CMP Secure Element Product Configuration for External Mode....................... 64 Figure 9-2: CMP Secure Element Product Configuration for Internal Mode ........................ 65 Figure 9-3: Test Tool Minimum Interfaces ........................................................................... 66 Figure 9-4: Testing using APDU Gate interface .................................................................. 66 Figure 9-5: Testing UICC using test app proxy ................................................................... 67 Figure 9-6: Testing eSE using test app proxy ..................................................................... 67 ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page vii / vii Tables Table 1-1: EMV Specifications.............................................................................................. 2 Table 1-2: Related EMV Documents .................................................................................... 3 Table 1-3: CMP Type Approval Documents .......................................................................... 3 Table 1-4: CMP Type Approval Forms .................................................................................. 4 Table 1-5: External References ............................................................................................ 4 Table 1-6: Definitions............................................................................................................ 5 Table 1-7: Abbreviations...................................................................................................11 Table 2-1: CMP Architectural Zones ................................................................................... 14 Table 2-2: Evaluations for CMP Product Type Approval...................................................... 17 Table 2-3: Evaluations for CMP PPSE Applet Type Approval.............................................. 20 ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 1 / 70 1 Introduction EMVCo, LLC (“EMVCo”) is the owner of the EMV® Integrated Circuit Card Specifications for Payment Systems, EMV Contactless Communication Protocol Specification, and EMV Contactless Mobile Payment - Application Activation User Interface, hereinafter called EMV Specifications. 1 EMVCo’s objective in publishing this document is to provide an overview of the EMVCo Contactless Mobile Payment (CMP) Type Approval activities and offerings. In this document, EMVCo also describes the boundary of responsibilities for testing and approval for the different components within the Contactless Mobile Payment ecosystem. All readers of this document are advised that CMP Type Approval, when granted by EMVCo, shall not be construed as a warranty or representation of any sort, nor may it be relied upon by any party as an assurance of quality or functionality of any product or service. Please review the legal notice on page i of this document for important limitations on the scope of Type Approval. CMP Type Approval is the verification by EMVCo that a specific mobile product has demonstrated sufficient conformance to the EMV Specifications. The CMP Type Approval process includes both functional and security evaluations. This document describes functional evaluation. Limited information regarding security evaluation is included for completeness. 1.1 Audience This document is intended for all stakeholders interested in the Contactless Mobile Payment Type Approval, including but not limited to: • Payment systems, acquirers, and issuers • Mobile network operators • Mobile payment service providers • Mobile handset suppliers • NFC controller suppliers • Secure Element (UICC, embedded Secure Element, etc.) suppliers • Laboratories intending to offer testing services • EMVCo Qualified Auditors • Any other entity interested in developing to the EMV Specifications The document may also be of use to other industry bodies focused on standardising different parts of the Contactless Mobile Payment ecosystem. 1 Table 1-1 lists the EMV Specifications. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 2 / 70 1.2 Normative References The version numbers identified in the references below are valid at the time of release of this document. Nevertheless, the latest version available from EMVCo shall apply. 1.2.1 EMV Specifications EMVCo, LLC (EMVCo) manages and maintains the EMV Integrated Circuit Card (ICC) Specifications for Payment Systems and related specifications. As used in this document, “EMV Specifications” denotes all documents listed in Table 1-1. EMV Specifications are publicly available on the EMVCo website: www.emvco.com. Table 1-1: EMV Specifications Reference Publication Name Version [EMV Book 1] [EMV Book 2] [EMV Book 3] [EMV Book 4] [Book D] [Book B] [PPSE AM SE] [UICC Conf] EMV Integrated Circuit Card Specifications for Payment Systems: Book 1 – Application Independent ICC to Terminal Interface Requirements EMV Integrated Circuit Card Specifications for Payment Systems: Book 2 – Security and Key Management EMV Integrated Circuit Card Specifications for Payment Systems: Book 3 – Application Specification EMV Integrated Circuit Card Specifications for Payment Systems: Book 4 – Cardholder, Attendant, and Acquirer Interface Requirements All Specification Update Bulletins as published on the EMVCo website EMV Contactless Specifications for Payment Systems – Book D – EMV Contactless Communication Protocol Specification EMV Contactless Specifications for Payment Systems – Book B – Entry Point Specification EMVCo Contactless Mobile Payment – PPSE and Application Management for Secure Elements EMVCo Contactless Mobile Payment – EMV Profiles of GlobalPlatform UICC Configuration Latest available Latest available Latest available Latest available Latest available Latest available Latest available Latest available Latest available ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 3 / 70 1.2.2 Related EMV Documents The following documents are available in the Best Practices, Mobile section of www.emvco.com. Table 1-2: Related EMV Documents Publication Name EMVCo Handset Requirements for Contactless Mobile Payment EMVCo Contactless Mobile Payment Architecture Overview Version 1.0 – June 2010 1.0 – June 2010 1.2.3 CMP Type Approval Documents Table 1-3: CMP Type Approval Documents Reference Publication Name Version Distribution [CT FW] [SEG] [Aud Qual Req] [Lab Req] Reco [Sec Proc] [SG IC] [SG PF] [SITE AUDIT] [PCP] [CMP TAR] EMVCo Card and Mobile Testing Framework for Contactless EMV Security Guidelines – Security Evaluation Guidance EMVCo Qualification Requirements for Auditors (Card and Mobile Functional Evaluation) EMV Card and Terminal Type Approval - Laboratory Recognition Requirements EMV Security Evaluation Process EMV Security Guidelines for Smart Card Integrated Circuits EMV Security Guidelines for Java Card, Multos and GlobalPlatform Implementations EMV Security Guidelines – Development & Production Site Audit Guidelines EMV Security Guidelines – Product Certification Policy EMV Contactless Mobile Payment SE Test Applet Requirements Latest Available Version 1.1, October 2017 Latest available Latest available Latest Available Version 2.1, September 2017 Version 1.2, September 2017 Version 1.1, May 2015 Version 1.0, April 2016 Latest available EMVCo Website EMVCo Website (*) EMVCo Website EMVCo Website EMVCo Website EMVCo Website (*) EMVCo Website (*) EMVCo Website (*) EMVCo Website (*) EMVCo Website ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 4 / 70 Reference [CMP TC] Publication Name Version EMV Contactless Mobile Payment Type Approval Application Activation User Interface Test Cases Latest available (*) document with restricted access Distribution Restricted to EMVCo Test Tool Suppliers, EMVCo Recognised Laboratories, and EMVCo Qualified Auditors 1.2.4 CMP Type Approval Forms Table 1-4: CMP Type Approval Forms Publication Name Version Request for Registration for Product Providers Business Review Form EMVCo Contactless Mobile Payment Application Activation User Interface Implementation Conformance Statement EMVCo Contactless Mobile Payment - PPSE Applet - Implementation Conformance Statement Request for Approval Form Request for Renewal of CMP Product Approval Product Registration Providers Questionnaire: Chip Product Registration Questionnaire: Platform Providers Latest available Latest available Latest available Latest available Latest available Latest available Latest available Latest available Distribution EMVCo Website EMVCo Website EMVCo Website EMVCo Website EMVCo Website EMVCo Website EMVCo Website EMVCo Website 1.2.5 External References Reference [102588] [7816] [14443] Table 1-5: External References Publication Name ETSI TS 102 588, Technical Specification Smart Cards; Application invocation Application Programming Interface (API) by a UICC webserver for Java Card™ platform ISO/IEC 7816 Identification cards — Integrated circuit cards ISO/IEC 14443 Identification cards — Contactless integrated circuit(s) cards — Proximity cards ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 5 / 70 [18092] [GPCS] [GPUICC] [GPCS-C] [HCI] [SWP] [GPESE] [GPESEHCI] ISO/IEC 18092 Information technology — Telecommunications and information exchange between systems — Near Field Communication — Interface and Protocol (NFCIP-1) GlobalPlatform, Card Specification, Version 2.2.1 GlobalPlatform, Card UICC Configuration, Version 1.0.1 GlobalPlatform Card, Contactless Services Card Specification v2.2 – Amendment C, Version 1.0, February 2010 ETSI TS 102 622, Technical Specification Smart Cards; UICC – Contactless Front-end (CLF) interface; Host Controller Interface (HCI) ETSI TS 102 613, Technical Specification Smart Cards; UICC – Contactless Front-end (CLF) Interface; Part 1: Physical and data link layer characteristics GlobalPlatform, Requirements for Embedded SE Interfaces GlobalPlatform, HCI Extension for the embedded Secure Element Certification 1.3 Definitions The following terms are used in this document Term Application Activation User Interface (AAUI) Audit report Auditor Card Type Approval Secretariat CMP Product CMP Product Provider CMP Type Approval Table 1-6: Definitions Definition A user interface application on a mobile device that enables the consumer to manage the use of their contactless applications. A report written by an EMVCo Qualified Auditor assessing, for example, CMP Type Approval test results or laboratory test processes. See “EMVCo Qualified Auditor”. The EMVCo entity that manages the CMP Type Approval process. A contactless product as defined in section 2.3.1 and 2.4.1 The entity that submits a CMP Product to EMVCo for CMP Type Approval. Verification by EMVCo that a specific CMP Product has demonstrated sufficient conformance to the EMV Specifications. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 6 / 70 CMP Type Approval documentation CMP Type Approval process Conformance Contactless Mobile Payment (CMP) Contactless Mobile Payment Application NFC Controller Contactless Payment Terminal Contactless Registry Service (CRS) Delta Testing EMV EMV Specifications EMVCo EMVCo Recognised Laboratory EMVCo Compliance Certificate EMVCo Qualified Auditor Set of documents and procedures issued by EMVCo describing EMVCo CMP Type Approval process. (See section 1.2.3.) The steps necessary for a CMP Product to obtain an EMVCo Letter of Compliance. Meeting all EMVCo requirements defined for CMP Type Approval including requirements for implemented optional functions. Integration of EMV-based contactless payment technology in mobile devices. An application that is hosted in a Secure Element and that performs information exchange and processing needed to perform a contactless mobile payment transaction. A module within a mobile device providing a contactless interface compatible with EMV Contactless Communication Protocol Specification [Book D] A contactless reader conforming to EMV Contactless Communication Protocol Specification [Book D] and compliant with EMV Specifications related to the use of the PPSE that is capable of conducting a payment transaction with a Contactless Mobile Payment Application. A GlobalPlatform SECM service for managing the contactless applications on a Secure Element. Testing that covers the difference between the test plan versions the product was approved against versus the current version of the test plan when the product is reaching its renewal date. A term referring to certain technical specifications developed and maintained by EMVCo and/or technologies conforming to such specifications. Specifications managed, maintained, and enhanced by EMVCo, including those listed in Table 1-1. A Limited Liability Company established to maintain the EMV specifications and administer Contactless Mobile Payment Type Approval against those specifications. An independent, impartial entity that has received a Letter of Recognition from EMVCo, entitling it to perform testing for specified Type Approval; in the context of this document, to perform testing for CMP Type Approval. A certificate issued by EMVCo when sufficient assurance has been demonstrated for an IC, Platform, or Card Product. An independent, impartial entity that has received a Letter of Qualification from EMVCo, entitling it to verify conformance to EMVCo-defined CMP Type Approval procedures. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 7 / 70 EMVCo Test Tool Environment GSMA Handset IC Certificate Number “ICCN” IC Security Evaluation Implementation Conformance Statement (ICS) International Organization for Standardization (ISO) Kernel Kernel ID Laboratory Letter of Recognition Letter of Compliance A test tool qualified by EMVCo for use in Type Approval testing (by EMVCo Recognised Laboratories) or debug testing (by CMP Product Providers). Any software components and/or applications present on the CMP Product other than the EMV Application(s) being submitted for testing for CMP Type Approval. GSM Association – an association of GSM operators A type of mobile device; specifically a mobile phone handset. A unique reference number that identifies the EMVCo Compliance Certificate of an IC. The steps necessary for an IC product to obtain an EMVCo Compliance Certificate. A form completed by the CMP Product Provider identifying the CMP Product, the EMV mandatory functions, the EMV optional functions supported, and (if any) the non-EMV proprietary functions. An international body that provides standards for financial transactions and telecommunication messages. ISO works in conjunction with the International Telecommunication Union (ITU) for standards that affect telecommunications. ISO supports specific technical committees and work groups to promulgate and maintain financial service industry standards. The kernel contains interface routines, security and control functions, and logic to manage a set of commands and responses to retrieve the necessary data from a card to complete a transaction. Identifier to distinguish between different kernels that may be supported by the terminal device. A facility that performs testing for CMP Type Approval. Written statement that documents the decision of EMVCo that a laboratory is an EMVCo Recognised Laboratory and performs testing for CMP Type Approval in conformance with the rules defined by EMVCo. Written statement that documents the decision of EMVCo that a specified CMP Product has demonstrated sufficient conformance to the EMV Specifications as of its test date. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 8 / 70 Letter of Qualification Letter of Rejection Level 1 Level 2 Level 2 evaluation Mobile Device Near Field Communications (NFC) Operating System (OS) Payment System Platform Platform Certificate Number (PCN) Platform Security evaluation Proximity Payment System Environment (PPSE) If issued by EMVCo: Written statement that documents the decision of EMVCo that an auditor is an EMVCo Qualified Auditor and performs audits for CMP Type Approval in conformance with the rules defined by EMVCo. If issued by GlobalPlatform: Written statement that documents the decision of GlobalPlatform that a specified Secure Element has demonstrated sufficient conformance to the GlobalPlatform specifications as of its test date. Written statement that documents the decision of EMVCo that a specified CMP Product has NOT demonstrated sufficient conformance to the EMV Specifications as of its test date. One of the two levels of EMV testing: Testing the terminal to chip card interface. One of the two levels of EMV testing: Testing the payment application(s) and applications covered by EMV mobile specifications. Execution and reporting on the results of a defined set of functional tests to verify conformance to the requirements defined in [PPSE AM SE] A portable electronic device with contactless and wide area communication capabilities. Mobile devices include mobile phones and other consumer electronic devices such as a suitably equipped Personal Digital Assistant. A short range contactless proximity technology based on ISO/IEC 18092, which provides for ISO/IEC 14443 compatible communications Set of software components allowing an EMV Application to be executed on a specific Integrated Circuit. For the purpose of this document, Payment System is defined as an EMVCo member. “Platform” is the collective name for Integrated Circuit (IC) hardware with its dedicated software, Operating System (OS), Run Time Environment (RTE), and Platform environment on which one or more applications can be executed. A unique reference number that identifies the EMVCo Compliance Certificate of a Platform. The steps necessary for a Platform to obtain an EMVCo Compliance Certificate. A list of all combinations of ADF Name and Kernel Identifier supported by the contactless card. PPSE is used in the Entry Point Combination Selection process discussed in [Book B] ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 9 / 70 Recognition Registration Letter Registration Number Regression Testing Request for Approval Request for Approval Form Secure Element (SE) Secure Element Contactless Management (SECM) Security Evaluation Secretariat Test Test case Test report Type Approval Type Approval documentation Type Approval process Formal recognition by EMVCo that a test laboratory is competent to perform one or more categories of testing defined by EMVCo CMP Type Approval procedures. Written statement provided by the Card Type Approval Secretariat including the Registration Number of the IC Provider, CMP Product Provider, EMVCo Qualified Auditor, or EMVCo Recognised Laboratory. Unique identification number that EMVCo assigns to an IC Provider, CMP Product Provider, EMVCo Qualified Auditor, or EMVCo Recognised Laboratory. A predefined subset of functional test cases executed to determine whether undeclared changes have been made to the originally approved product. Regression Testing may be performed when Delta Testing is not required. The entire package submitted by the Product Provider (or by a laboratory on behalf of the Product Provider), including the Request for Approval Form and other information as discussed in section 4.11. A form that accompanies the test reports for a CMP Product submitted to EMVCo for CMP Type Approval. A tamper resistant module capable of hosting applications in a secure manner. An operating system level application of a Secure Element that manages the contactless related characteristics of the contactless applications on that Secure Element. The EMVCo entity responsible for evaluating IC and Platform security for CMP Type Approval. Any activity that aims at verifying the conformance of a selected product or process to a given requirement under a given set of conditions. A description of the actions required to achieve a specific test objective. Document provided by a laboratory containing the test results for a CMP Product. Acknowledgment by EMVCo that the specified product has demonstrated sufficient conformance to the EMV Specifications for its stated purpose. As used in this document, the term is interchangeable with CMP Type Approval. Full set of documents and procedures issued by EMVCo to enable the Type Approval process. The processes that test a product type for compliance with specification. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 10 / 70 Type Approval testing The execution of a defined set of tests against requirements described in a specification to determine compliance with that specification. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 11 / 70 1.4 Notational Conventions 1.4.1 Abbreviations The abbreviations listed in Table 1-7 are used in this specification. Table 1-7: Abbreviations Abbreviation AAUI ADF API CMP CRS ETSI ETSI SCP GP GSM HCI IC ICC ICS IEC OS PCN PCSC PPSE RF RTE SCO SD SECM SEWG Description Application Activation User Interface Application Definition File Application Program Interface Contactless Mobile Payment Contactless Registry Service European Telecommunication Standards Institute ETSI Smart Card Platform GlobalPlatform Global System for Mobile Communications Host Controller Interface, defined by ETSI TS 102 622 Integrated Circuit Integrated Circuit Card Implementation Conformance Statement International Electrotechnical Commission Operating System Platform Certificate Number Personal Computer/Smart Card Proximity Payment System Environment Radio Frequency Run Time Environment GlobalPlatform Supported Configuration Options Secure Digital Secure Element Contactless Management Security Evaluation Working Group ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 SWP UICC Single Wire Protocol Universal Integrated Circuit Card Page 12 / 70 1.4.2 Terminology and Conventions The following words are used often in this specification and have a specific meaning: Shall Defines a product or system capability which is mandatory. May Defines a product or system capability which is optional or a statement which is informative only and is out of scope for this specification. Should Defines a product or system capability which is recommended. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 2 Scope of CMP Type Approval Page 13 / 70 2.1 Concepts and Terminology 2.1.1 Overall CMP Architecture The EMVCo Contactless Mobile Payment Architecture Overview document identifies the architectural zones illustrated in Figure 2-1 and listed in Table 2-1. Figure 2-1: Architectural Zones G Personalisation backend Personalisation and provisioning server H Update Server Payment application issuer D Mobile Device Wide area modem ASecure E EleSmeecnutre EleSmeecnutre Element User Interface Application Environment B Router NFC Controller C F Contactless Payment Terminal Payment system network ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 14 / 70 Zone A B C D E F G H Table 2-1: CMP Architectural Zones Description The Secure Element that hosts the contactless payment application and other application(s) The NFC controller, which implements the digital portion of the EMV contactless interface and is responsible for the routing of contactless information The component (antenna) that implements the analogue part of the EMV contactless interface The baseband and application processors and other components (excluding the Secure Element, NFC controller, and antenna) that form the mobile device The contactless payment application(s) The payment terminal The provisioning and personalisation system The application update system Requirements specified by EMVCo, ETSI SCP, GlobalPlatform, GSMA EMVCo, ETSI SCP, NFC Forum EMVCo, NFC Forum EMVCo, ETSI SCP, GSMA Payment System(s) EMVCo, Payment Systems EMVCo, GSMA, Payment Systems EMVCo, Payment Systems 2.1.2 Secure Element Architecture A Secure Element (SE) is a tamper resistant module, capable of hosting applications in a secure manner. The Secure Element provides both physical tamper resistance and logical protection of the applications, including securely isolating each of the applications. There are a number of architectural options for a Secure Element, including: • An SE that is embedded in a mobile device as an integral part of the device • A removable CMP product containing a secure area; for example, a removable smart card or a removable memory card with a secured area • As part of the UICC in a handset From a logical point of view, a Secure Element has the following parts: 1. An operating system which supports the secure execution of applications and secure storage of application data. 2. The operating system may also support a multi-application management platform that enables the secure loading of applications. GlobalPlatform is one example of a secure multi-application management platform. 3. A device interface which enables commands and responses to be exchanged with the mobile device. The device interface allows the mobile device to communicate with applications in the SE and possibly with the Secure Element Contactless Management (SECM, discussed below). ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 15 / 70 4. An antenna interface which enables the exchange of commands and responses between an application in the SE and a contactless terminal via the NFC controller of the mobile device. 5. Optionally, Secure Element Contactless Management (SECM) – The SECM is responsible for maintaining a list of contactless applications on the Secure Element, the status of the applications, and data associated with each application. The status of the application indicates whether the application is available for selection on the contactless interface. The GlobalPlatform Contactless Registry Service (CRS) defined by [GPCS-C] is one example of an SECM. 6. Optionally, the Proximity Payment System Environment (PPSE). Figure 2-2 depicts the logical content of a Secure Element when PPSE and SECM are internal to the Secure Element. Figure 2-2: Example Secure Element Logical Architecture Secure Element PPSE App X App Y SEC M Device interface Antenna interface For a UICC, • Device interface is ISO7816 as defined in [7816] • Antenna interface is HCI/SWP as defined in [HCI] and [SWP] For other types of SE, various interfaces can be supported. For instance, ETSI and GP have defined an extension of HCI to support Device interface (Refer to APDU Gate definition in [GPESE], [GPESEHCI] and [HCI]. 2.2 Overview EMVCo CMP Type Approval covers two product types: • CMP Secure Element Product • CMP PPSE Applet products A CMP Secure Element product is a Secure Element as described in 2.1.2. A CMP PPSE Applet product is a standalone PPSE application. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 16 / 70 2.3 Scope of CMP Secure Element Type Approval 2.3.1 CMP Secure Element Product Definition 1/ A non-GlobalPlatform compliant CMP Secure Element Product submitted for CMP Type Approval is uniquely defined as follows: • the PPSE and/or SECM Applications is compliant to EMV Specifications ([Book B] and [PPSE AM SE] ) • present on a specific Integrated Circuit that has received an EMVCo Compliance Certificate • with a specific multi-application management platform • and a specific Environment including any other application(s), e.g. Payment System-specific CMP applications, that are not covered by EMVCo CMP Type Approval, and/or software components. • and the platform is in compliance with one of the recognised EMV Profiles, e.g. [UICC Conf] • and the platform is communicating using identified Device and Antenna interfaces 2/ A GlobalPlatform compliant CMP Secure Element Product submitted for CMP Type Approval is uniquely defined as follows: • the PPSE and/or SECM Applications is compliant to EMV Specifications ([Book B] and [PPSE AM SE]) • present on a specific Integrated Circuit that has received an EMVCo Compliance Certificate • with a specific form factor • with a multi-application management platform that has received a GlobalPlatform Letter of Qualification • where the GlobalPlatform Letter of Qualification covers testing of the SWP protocol using a SWP/HCI test suite qualified by GP (for SEs using SWP) • and the platform is in compliance with one of the recognised EMV Profiles, e.g. [UICC Conf] • and the platform is communicating using identified Device and Antenna interfaces • regardless of any other application(s), e.g. Payment System-specific CMP applications, that are not covered by EMVCo CMP Type Approval. Note 1: Although EMVCo specifically references a GlobalPlatform compliant CMP Product in this version of the process, EMVCo may address other multi-application management platforms should they become significant in the future. Note 2: The product provider shall list in the ICS all the interfaces supported by the product under test. If several interfaces are listed in the ICS for Device interface or Antenna interface, some test cases shall be repeated on the different interfaces according to [CMP TC]. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 17 / 70 2.3.2 In the Scope of CMP Secure Element Product Functional Evaluation EMVCo issues a Letter of Compliance for a CMP Secure Element Product when it has successfully completed all the evaluations listed in Table 2-2. Table 2-2: Evaluations for CMP Product Type Approval Prerequisite EMVCo IC Security evaluation Prerequisite if the CMP Product includes GlobalPlatform Secure Element evaluation a GlobalPlatform Secure Element Level 2 evaluation EMVCo PPSE Application and/or SECM Application evaluation (when one or both are within the CMP Product) Platform Security evaluation EMVCo Platform Security evaluation The scope of EMVCo’s Level 2 testing for CMP Secure Element Products is testing the minimum functionality the CMP Secure Element Product should support for the EMV Proximity Payment System Environment (PPSE) (as defined in [Book B]) and the Application Activation User Interface (as defined in [PPSE AM SE]). The minimum functionality to be tested will depend on whether the CMP Secure Element Product is a GlobalPlatform compliant CMP Product, whether the PPSE Application is internal or external to the CMP Product, and whether the CMP Secure Element Product has an internal Secure Element Contactless Management (SECM) Application, as shown in Figure 2-3. Note 1: CMP Secure Element Products shall not restrict, disfavor or otherwise discriminate against any contactless application IDs, and shall be neutral and nondiscriminatory with respect to all contactless applications, including contactless application IDs and contactless applications, of EMVCo's members and non-EMVCo members. EMVCo shall only consider a CMP Secure Element Product for type approval that meets these conditions. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 18 / 70 Figure 2-3: EMV Level 2 Testing Requirements for CMP Type Approval Note 2: The Contactless Mobile Payment Type Approval process is not applicable for CMP Secure Element Products where the PPSE and SECM are external to the CMP Product. In this scenario the CMP Secure Element Product can only be submitted for platform certification through the EMV Security Evaluation Guidance [SEG]. 2.3.3 Out of the Scope of CMP Secure Element Product Functional Evaluation Currently EMVCo does not functionally evaluate the platform (multi-application management functionality such as GlobalPlatform, Operating System such as Java Card, MULTOS, or any native OS) but does perform a security evaluation of the platform; see [SEG]. EMVCo does not evaluate Contactless Level 1 as part of the CMP Secure Element Product functional evaluation. However if the CMP Secure Element Product includes a Contactless Level 1 component, for example a microSD with an internal antenna, please see EMVCo [CT FW] available on the website regarding Contactless Level 1 testing requirements. The EMVCo process allows some simplifications in case of multi-application management platforms compliant with GlobalPlatform, deferring to GlobalPlatform for evaluating GlobalPlatform compliance, with some conditions defined in section 4.5. EMVCo intends to leverage GlobalPlatform compliance program to avoid duplication of testing; the CRS application being a good example. EMVCo does not evaluate the Payment System-specific CMP applications but evaluates the PPSE and SECM applications that are built to EMV Specifications ([Book B] and [PPSE AM SE]). ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 19 / 70 EMVCo also does not evaluate the following components of a CMP Product Type Approval: 1. The contactless antenna and the NFC controller present in a mobile handset device If the CMP Secure Element Product has an internal antenna, EMVCo would consider the CMP Secure Element Product a standalone product similar to a contactless card, subject to the RF power and signal interface requirements defined by EMV Contactless Communication Protocol Specification [Book D]. 2. The PPSE Application when external to the Secure Element 3. The SECM Application when external to the Secure Element 4. The User Interface Application present in a mobile handset device 5. The Operating System or transmission protocol For these components, any testing requirement would be Payment System specific and Type Approval (if any) would be issued by the Payment Systems and/or mobile network operators. 2.3.4 Debug Sessions Debug sessions may occur between the laboratory and the Product Provider, at any time and are beyond the scope of EMVCo. 2.3.5 Security Evaluation Overview For information about the IC Security Evaluation and the Platform Security Evaluation, please refer to EMV Security Evaluation Guidance [SEG], available on the EMVCo website. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 20 / 70 2.4 Scope of CMP PPSE Applet Type Approval 2.4.1 CMP PPSE Applet Product Definition • A CMP PPSE Applet Product submitted for Type Approval is uniquely defined as follows: • the PPSE Application built to EMV Specifications ([Book B] and [PPSE AM SE] ) • designed for a specific GlobalPlatform Specification • present on a specific form factor • designed to work on a platform with a specific combination of modes (internal and/or external) • and the platform is in compliance with one of the recognised EMV Profiles, e.g. [UICC Conf] • and the platform is communicating using identified Device and Antenna interfaces For the purpose of testing, the PPSE applet shall be loaded on a platform which has been granted a GlobalPlatform Letter of Qualification, where the GlobalPlatform Letter of Qualification includes testing of the SWP protocol using a SWP/HCI test suite qualified by GP (for platforms using SWP). The GlobalPlatform Letter of Qualification will be referenced in the Letter of Compliance Note: The product provider shall list in the ICS all the interfaces supported by the product under test. If several Antenna or Device interfaces are listed in the ICS, some test cases shall be repeated on the different interfaces according to [CMP TC]. 2.4.2 In the Scope of CMP PPSE Applet Functional Evaluation EMVCo issues a Letter of Compliance for a standalone PPSE applet when the applet has successfully completed all the evaluations listed in Table 2-3. Table 2-3: Evaluations for CMP PPSE Applet Type Approval Level 2 Evaluation EMVCo PPSE Application Evaluation The scope of EMVCo’s Level 2 testing for a standalone PPSE applet is testing the minimum functionality the PPSE applet should support for the EMV Proximity Payment System Environment (PPSE) (as defined in [Book B]) and the Application Activation User Interface (as defined in [PPSE AM SE]), and whether the PPSE Application supports internal or external modes. Note 1: A type approved PPSE applet shall only be deployed on a GP qualified platform developed to the same version of GP specifications (GlobalPlatform Card Specification, Amendment C), to the same version of GP APIs (Card Contactless API, Java Card API) and fulfilling the same requirements as a CMP Product with the same antenna and device interfaces. Note 2: If the form factor is eSE and the PPSE applet is deployed on a platform with a different GP LOQ it has to be resubmitted for testing. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 21 / 70 Note 3: PPSE applets shall not restrict, disfavor or otherwise discriminate against any contactless application IDs, and shall be neutral and non-discriminatory with respect to all contactless applications, including contactless application IDs and contactless applications, of EMVCo's members and non-EMVCo members. EMVCo shall only consider a PPSE applet for type approval that meets these conditions. 2.4.3 Out of Scope of CMP PPSE Applet Functional Evaluation EMVCo does not evaluate the platform hosting the PPSE applet. EMVCo only evaluates the functionality of the PPSE applet built to EMV Specifications ([Book B] and [PPSE AM SE]). Any other functionality supported by the PPSE applet is out of scope. 2.4.4 Debug Sessions Debug sessions may occur between the laboratory and the Product Provider, at any time and are beyond the scope of EMVCo. 2.4.5 Security Evaluation Overview Since PPSE does not contain any sensitive data or functionality no security evaluation of the PPSE applet is required. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 3 CMP Type Approval Overview The following sections provide an overview of the Type Approval process: Page 22 / 70 3.1 Generic EMVCo Type Approval Flow The following picture describes the generic steps applicable to any EMVCo Type Approval. Figure 3-1: Generic EMVCo Type Approval Flow ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 23 / 70 3.2 CMP Type Approval Flow The generic flow is customized to address the specific requirements of a CMP Type Approval 3.2.1 CMP Secure Element Type Approval Flow Figure 3-2: CMP Secure Element Type Approval Flow IC Provider Registration CMP Product Provider Registration No Yes IC evaluated? IC Registration Form Submitted IC Security Evaluation IC Approval Request IC Compliance Certificate GlobalPlatform No Secure Element? Yes GlobalPlatform Functional Evaluation Implementation Conformance Statement Submitted CMP Functional Evaluation Level 2 Evaluation No GlobalPlatform SE? Yes Review GlobalPlatform Letter of Qualification Platform Security Evaluation Request for Approval Pay invoice Invoice paid No Invoice paid? Yes Letter of Compliance including Platform Certificate Number ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 3.2.2 CMP PPSE Applet Type Approval Flow Figure 3-3: CMP PPSE Applet Type Approval Flow Page 24 / 70 ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 25 / 70 3.2.3 Combined CMP Secure Element Product and CMP PPSE Applet Product Type Approval Submissions A Product Provider can combine submission of a CMP Secure Element Product with the submission of a CMP PPSE Applet Product. The combined type approval submission is only valid when the PPSE functionality is internal to the CMP Secure Element Product and the product provider submits both ICS forms at the same time. The CMP Secure Element Product must comply with all conditions and requirements as stated in Section 2.3.1, while the CMP PPSE Applet Product must comply with all conditions and requirements as stated in Section 2.4.2. The benefit of a combined submission is that the Product Provider only needs to submit one set of samples for testing to a laboratory, and all testing are done in a single test session to create the two test reports. The product provider is responsible for completing a Request for Compliance for the CMP Secure Element Product and another Request for Compliance for the CMP PPSE Applet Product. 3.3 Reporting Results to EMVCo 3.3.1 Reporting Level 2 Evaluation Results The Product Provider shall ask the EMVCo Recognised Laboratory to send the level 2 report directly to EMVCo. 3.3.2 Reporting GlobalPlatform Evaluation Results If a CMP Product Provider wishes to have a product recognised by EMVCo as a GlobalPlatform compliant Secure Element, GlobalPlatform evaluation shall be performed at an EMVCo Recognised Laboratory and the corresponding GlobalPlatform Letter of Qualification shall be supplied to EMVCo. EMVCo reserves the right to question the GlobalPlatform Letter of Qualification and to reject the GlobalPlatform Letter of Qualification if considered insufficient for EMVCo needs. 3.3.3 All Test Reports Each test report must include the ICS reference number on the cover page.2 3.3.4 Request for Approval Upon receipt of a Request for Approval, the Card Type Approval Secretariat will invoice the product provider. After confirmation from the Financial Secretariat that all the required fees have been paid, it will assemble all the reports into one Request for Approval package. It is the Product Provider’s responsibility to ensure that all required items are received by EMVCo. The Request for Approval will not be reviewed until payment of all required fees and all 2 Test reports are discussed in detail in section 4.12. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 required items have been received. Page 26 / 70 3.4 General Rules for a Test Session The following rules must be followed by the laboratory performing the Level 2 evaluation: • The Product Provider must not be present during the testing of the Product. • Products must be tested against the currently supported Test Cases version(s), and with an EMVCo qualified Test Tool. • No modifications are allowed to the CMP Product (as defined in section 2.3.1). If any modifications are made to the CMP Product during the test session, the session must end and the Product Provider must initiate a new submission including a new ICS. • If any modification is made to the ICS during the test session (without any modification to the Product), the modified ICS must be sent to EMVCo. The modified ICS is reviewed by EMVCo and if acceptable retains the validity period of the original EMVCo-accepted ICS. Note: Modification of the ICS is subject to a fee (See Section 3.6). 3.5 Submitting a Request for Approval Form A Request for Approval form, completed in its entirety, must be submitted after testing is complete, as discussed in section 4.10. Product Providers may submit a preliminary Request for Approval form during the Testing Phase, at any point after EMVCo notifies the laboratory that the ICS is acceptable (as discussed in section 4.7). If the form is submitted early, EMVCo will invoice the Product Provider and the Product Provider can pay the administrative fees before test reports are available. Given that test reports are not reviewed until EMVCo has received payment of all fees, early payment avoids delays during the Approval Phase. 3.6 Fee Structure EMVCo will charge fees to cover the administrative expenses incurred by EMVCo in managing the Type Approval process. This process includes, but is not limited to: • review of audit and test reports • updates to the Type Approval documentation, specifications, and Test Cases • maintenance of the EMVCo website, including lists of approved Products, EMVCo Recognised Laboratories, and EMVCo Qualified Auditors The following fees shall be paid to EMVCo by a CMP Secure Element Product Provider: • CMP SE Request for Approval fee for a review of a Request for Approval for a CMP Secure Element Product ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 27 / 70 • CMP SE Request for Renewal fee for a review of a Request for Renewal for a CMP Secure Element Product • Combined Requests for Approvals fee for a combined review of two Requests for Approvals (one for the CMP Secure Element Product and one for the PPSE Applet Product. See Section 3.2.3) • Combined Requests for Renewal fee for a combined review of two Requests for Renewal (CMP Product and PPSE Applet Product. See Section 3.2.3). • Please refer to SEWG Bulletin #3 on the EMVCo website for additional fees related to security evaluation of CMP Secure Element Products The following fees shall be paid to EMVCo by a CMP PPSE Applet Product Provider: • CMP PPSE Request for Approval fee for a review of a Request for Approval for a CMP PPSE Applet Product • CMP PPSE Request for Renewal fee for a review of a Request for Renewal for a CMP PPSE Applet Product The following fees shall be paid to EMVCo by a CMP Secure Element Product Provider or a CMP PPSE Applet Product Provider: • Letter of Compliance re-issuance fee for a re-issuance of a Letter of Compliance requested by the Product Provider • ICS Replacement fee. One free ICS replacement is allowed during the ICS life cycle. Any subsequent ICS replacement requested is charged to the Product Provider: o Same submission process applies as for initial ICS submission (Laboratory submits the changed ICS). o This applies to any change in the ICS after the official approval of the ICS by EMVCo. o After the start of the test session of the Product, ICS replacements (following the rules of the previous bullet) are only allowed for administrative information update (such as name of product) but are not allowed for technical information update. o ICS replacement is not allowed after Test Report submission to EMVCo The following fee shall be paid to EMVCo by the laboratory: • ICS decline fee if an incomplete and/or inconsistent ICS is submitted to EMVCo for review (as Laboratory is responsible of reviewing the ICS provided by the Product Provider). ICS decline process applies to the initial ICS submission and also to any other ICS replacement (charged or not charged to the Product Provider) • Test report decline fee if an incomplete and/or inconsistent test report is submitted to EMVCo for review Note 1: The amount of each fee is published in the Mobile Type Approval bulletin 21 available on EMVCo Website. Please check the EMVCo website for the latest fee amounts. ©2016-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® Contactless Mobile Payment Type Approval Administrative Process v1.7 Page 28 / 70 Note 2: Payers are responsible for any bank charges associated with remittance. Each paying entity must work with its own bank to ensure that EMVCo receives the full amount of the fee. The Request for Approval will not be reviewed until complete payment has been received. Note 3: The testing fees charged by the EMVCo Recognised Laboratory to execute test cases are not included and are the responsibility of the Product Provider. Note 4: Check separate SEWG bulletin for details on the fees charged for security review. 3.7 EMVCo Service Levels The service level for the issuance of a Letter of Co