Bulletin nº 15: SBMP Evaluation Review Fees

EMVCo Security Evaluation Bulletin 15 – Software-Based Mobile Payment Third Edition - July 2024 Software-Based Mobile Payment – Evaluation Review Fees This bulletin defines the EMVCo policy for SBMP evaluation review fees. This third edition updates the applicable fees. This bulletin is available to EMVCo SBMP product providers. Any questions in relation to this bulletin should be directed to the EMVCo Security Evaluation Secretariat at sbmpsecurity@emvco.com. Applicability This Bulletin applies to: • EMVCo SBMP Product Providers Related Documents • EMVCo SBMP Security Evaluation Process • EMVCo SBMP Product Registration Questionnaire Effective Date • 1st July 2024 © 2020-2024 EMVCo, LLC. EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 1 Review Fee Structure In December 2018, EMVCo was pleased to announce that the EMVCo Security Evaluation Process for Software-Based Mobile Payments (SBMP) products became operational. The process is based on a 'component' and 'integration' evaluation model. This allows components to be evaluated either independently or together in order to assess the security of the overall solution. As of August 2019, Mobile Applications and Software Development Kits (SDK) have been integrated into the SBMP Security Evaluation Process. The following SBMP security evaluation categories are therefore defined within the certification program: • Trusted Execution Environments (hardware-based TEE, TPM, eSE, etc. or software-only vTEE) • Mechanisms for providing a CDCVM (e.g., biometrics) • Software Protection Tools, e.g. cryptographic libraries using, for example, White Box Cryptography (WBC), software libraries and techniques providing obfuscation, Application/OS tamper detection mechanisms • Attestation mechanisms • Software Development Kits (SDK) • Mobile Applications In August 2023, EMVCo was pleased to announce that the EMVCo Security Evaluation Process for Software-Based Mobile Payment (SBMP) products also included Multi-Factor Authentication implementations (authenticators and back-end). Fee Structure For several years, EMVCo’s fees have remained flat while we continued to absorb various cost increases, due to the current economic situation. To ensure we can continue providing effective services, we are implementing a fee increase. This change will help us cover our running costs and maintain the usual standard of service provided. For all security evaluation reports submitted to EMVCo on or after January 1st, 2025, the following fees shall be paid to EMVCo by the Product Provider: © 2020-2024 EMVCo, LLC. EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 2 Security Evaluation Fee Structure New Product Evaluation $5,700 per evaluation Derivative* Evaluation $600 per evaluation Delta** Evaluation $2,850 per evaluation Renewal Evaluation $5,700 per certificate * Covers additional report review as per the EMVCo Member Specific Report process (i.e. for a product intended for more than 1 payment system) OR when the Product Provider declares that changes have NO SECURITY impact on a product that has already been evaluated in earlier version(s). A Derivative evaluation fee shall apply for each derivative report. ** When the Product Provider declares that changes have a SECURITY impact on a product that has already been evaluated in earlier version(s), a Delta evaluation fee shall apply for each delta report. Site Audit Review Fee Structure Development or Production Site Audit $3,400 per Site Audit Report Note 1: The evaluation review fee invoice will be issued by the EMVCo Security Evaluation Secretariat. Note 2: The EMVCo SBMP Security Evaluation Process is an evolving process in relation to new attack techniques and technology. Security Evaluation Certificates are issued for one year, then a product can remain on the EMVCo Evaluated Products list if it passes an annual security review, unless the certificate is withdrawn or the product is superseded by newer products. Note 3: Each Product Provider must be registered with EMVCo following the usual registration process before any report review can be conducted. Details of the EMVCo SBMP Security Evaluation Process are available from www.emvco.com. © 2020-2024 EMVCo, LLC. EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 3 Legal Notice This document summarizes EMVCo’s present plans for evaluation services and related policies and is subject to change by EMVCo at any time. This document does not create any binding obligations upon EMVCo or any third party regarding the subject matter of this document, which obligations will exist, if at all, only to the extent set forth in separate written agreements executed by EMVCo or such third parties. In the absence of such a written agreement, no product provider, test laboratory or any other third party should rely on this document, and EMVCo shall not be liable for any such reliance. No product provider, test laboratory or other third party may refer to a product, service or facility as EMVCo approved, in form or in substance, nor otherwise state or imply that EMVCo (or any agent of EMVCo) has in whole or part approved a product provider, test laboratory or other third party or its products, services, or facilities, except to the extent and subject to the terms, conditions and restrictions expressly set forth in a written agreement with EMVCo, or in an approval letter, compliance certificate or similar document issued by EMVCo. All other references to EMVCo approval are strictly prohibited by EMVCo. Under no circumstances should EMVCo approvals, when granted, be construed to imply any endorsement or warranty regarding the security, functionality, quality, or performance of any particular product or service, and no party shall state or imply anything to the contrary. EMVCo specifically disclaims any and all representations and warranties with respect to products that have received evaluations or approvals, and to the evaluation process generally, including, without limitation, any implied warranties of merchantability, fitness for purpose or non-infringement. All warranties, rights and remedies relating to products and services that have undergone evaluation by EMVCo are provided solely by the parties selling or otherwise providing such products or services, and not by EMVCo, and EMVCo will have no liability whatsoever in connection with such products and services. This document is provided "AS IS" without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in this document. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, AS TO THIS DOCUMENT. EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to this document. EMVCo undertakes no responsibility to determine whether any implementation of this document may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of this document should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, this document may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement this document is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party's infringement of any intellectual property rights in connection with this document. © 2020-2024 EMVCo, LLC. EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 4