Tracked metadata: Sourced from EMVCo's public document index. PCI Watch records each document's details and its extracted text so changes can be tracked over time; the document PDF itself is hosted by EMVCo.

EMVCo Certificate Issuance, Renewal, and Extension Process

v2.2 Security Evaluation Process & Bulletins
Chip, Contact Card, Chip & Platform
Extracted document text

EMVCo's index flattens the document's layout, so this text is best used for searching and comparing versions rather than reading end-to-end.

EMV® Certificate Issuance Process

EMVCo Certificate Issuance, Renewal, and Extension Process
Version 2.2
January 2026

© 2016-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries.

Legal Notice

This document is subject to change by EMVCo at any time. This document does not create any binding obligations upon EMVCo or any third party regarding the subject matter of this document, which obligations will exist, if at all, only to the extent set forth in separate written agreements executed by EMVCo or such third parties. In the absence of such a written agreement, no product provider, test laboratory or any other third party should rely on this document, and EMVCo shall not be liable for any such reliance.

No product provider, test laboratory or other third party may refer to a product, service or facility as EMVCo approved, in form or in substance, nor otherwise state or imply that EMVCo (or any agent of EMVCo) has in whole or part approved a product provider, test laboratory or other third party or its products, services, or facilities, except to the extent and subject to the terms, conditions and restrictions expressly set forth in a written agreement with EMVCo, or in an approval letter, compliance certificate or similar document issued by EMVCo. All other references to EMVCo approval are strictly prohibited by EMVCo.

Under no circumstances should EMVCo approvals, when granted, be construed to imply any endorsement or warranty regarding the security, functionality, quality, or performance of any particular product or service, and no party shall state or imply anything to the contrary.
EMVCo specifically disclaims any and all representations and warranties with respect to products that have received evaluations or approvals, and to the evaluation process generally, including, without limitation, any implied warranties of merchantability, fitness for purpose or noninfringement. All warranties, rights and remedies relating to products and services that have undergone evaluation by EMVCo are provided solely by the parties selling or otherwise providing such products or services, and not by EMVCo, and EMVCo will have no liability whatsoever in connection with such products and services. This document is provided "AS IS" without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in this document. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT, AS TO THIS DOCUMENT. EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to this document. EMVCo undertakes no responsibility to determine whether any implementation of this document may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of this document should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, this document may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement this document is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. 
EMVCo shall not be liable under any theory for any party's infringement of any intellectual property rights in connection with this document.

Version History

Version | Date | Description
v1.0 | March 2014 | Initial release.
v2.0 | June 2016 | This release clarifies when product renewal activities and report submission shall be performed and includes the Fast Track report review process for minor product changes. Introduces the principles of the new extension of expired certificates process.
v2.1 | February 2018 | This release updates the product policy after certificate expiry allowing changes.
v2.2 | January 2026 | This release extends the certificates’ life cycle to ten years and references latest document versions.

Contents

1 Executive Summary
1.1 Terminology
1.2 References
2 Overview of Security Evaluation Process
3 EMVCo IC Certification
4 EMVCo Platform Certification
5 EMVCo Card Certification
5.1 Renewal Principles
5.2 Time in the Field
5.3 Life Cycle Management
5.4 Reuse of Evaluation Evidence
6 Alignment of IC and Platform Life Cycle
7 Application Life Cycle
7.1 Options for Application Level Renewal
7.2 How the Options May Arise
8 Changes to Existing Products
8.1 IC Changes
8.2 Platform Changes
8.3 Secure Application Changes
8.4 Changes With No Security Impact

Figures

Figure 1 – EMVCo IC Certification Timeline
Figure 2 – EMVCo Platform Certification Timeline
Figure 3 – EMVCo Card Certification Timeline
Figure 4 – EMVCo IC and Platform Relationship
Figure 5 – Ideal EMVCo Risk Management Scenario
Figure 6 – Payment Application Renewal after Platform Expiration
Figure 7 – Worst Case Payment Application Renewal
Figure 8 – Payment Application Renewal with discontinued ICCN
Figure 9 – Relationships Described in Example 1
Figure 10 – Relationships Described in Example 2
Figure 11 – Relationships Described in Example 3

1 Executive Summary

EMVCo acts as the security certification entity for Integrated Circuit (IC), Platform, and common IC Card (ICC) products. The EMVCo security evaluation process focuses on aspects of chip product implementations that may have a security impact.

This document clarifies the EMVCo security certificate issuance and renewal practice as well as the maximum time that an approved product can stay on the EMVCo Approved Products list. In particular, it focuses on the issuance and renewal date of payment applications on EMVCo Approved Platform products. It further describes the principles of the process for extension of expired IC and Platform certificates.

Note: This document does not distinguish between the different form factors of a secure element (SE) and assumes that the EMVCo security evaluation process applies equally to each use case.

1.1 Terminology

The following terms and abbreviations have been used in this document.

Term | Definition
Card product | An EMVCo chip-based payment product, regardless of form factor.
CCN | Card Certificate Number
CPA | Common Payment Application
IC | Integrated Circuit
IC product | A specific integrated circuit with associated firmware or software libraries that allow access to the security functions of the IC.
ICC | Integrated Circuit Card
ICCN | Integrated Circuit Certificate Number
JHAS | JIL Hardware Attack Subgroup
JIL | Joint Interpretation Library
OS | Operating System
Payment Application | Often referred to as CCD or CPA and considered the target of evaluation, but can be other application types including non-payment related products.
PCN | Platform Certificate Number
Platform product | The Integrated Circuit (IC) hardware with its dedicated software, Operating System (OS), Run Time Environment (RTE), and Platform environment on which one or more applications (e.g. CPA) can be executed.
RTE | Run Time Environment
SE | Secure Element
SER | Shared Evaluation Report
SEWG | Security Evaluation Working Group
SIA | Security Impact Analysis
USIM | Universal Subscriber Identity Module

1.2 References

Throughout this document, the following references have been used. These references include the most current versions at the time of this document’s writing. For future use, the most current versions should be referenced.

Reference | Document Title | Version
[PROC] | EMVCo Security Evaluation Process | 5.5 – Jan 2026
[BL10] | EMVCo SEWG – No Security Impact – Fast Track Review Process | 1.0 – Jun 2014
[JIL AM] | JIL Attack Methods for Smartcards and Similar Devices | 2.5 – May 2022
[JIL AP] | JIL Application of Attack Potential to Smart Cards | 3.2.1 – Feb 2024

2 Overview of Security Evaluation Process

The EMVCo security evaluation process, described in EMVCo Security Evaluation Process [PROC], is designed around industry best practices for open and transparent security assessments. It allows vendors to reuse existing test results and evaluation reports to avoid duplication of effort and cost. The process aligns payment system processes and reduces inter-payment system redundancies and inconsistencies in security testing.

The EMVCo evaluation seeks to determine whether the security features provided by the chip product are appropriately implemented. Testing further examines the interaction between the chip, operating system, and application to evaluate whether sensitive and secret information, as well as payment assets, are adequately protected by the final product.

The EMVCo security evaluation process encompasses:
- EMVCo IC certification: Testing Integrated Circuit (IC) hardware
- EMVCo Platform certification: Testing a Platform (IC + OS) based on an approved IC product
- EMVCo ICC certification: Testing a payment application on an approved Platform product (e.g. ICC, USIM, SE)

Each certification step builds upon the prior steps and will be discussed in the following sections, along with the EMVCo notion of time in the field, reuse policy, and life cycle management.

3 EMVCo IC Certification

An IC product is defined as the basic chip hardware without an operating system or application.
When a product provider successfully completes the EMVCo security evaluation process for a new IC, the product will receive a unique IC certificate with an IC Certificate Number (ICCN). The product will be placed on the EMVCo Approved Products list for one year from its assigned issue date. Product providers seeking renewal for an IC product must comply with current security guidelines. The product provider sends the appropriate material (samples, up-to-date guidance documentation, etc.) to the selected security evaluation laboratory, which conducts the renewal evaluation as described in [PROC]. These activities shall be performed no earlier than six months prior to the expiry date. Upon completion of the evaluation, the laboratory may submit a renewal report to be examined by the EMVCo Security Evaluation Secretariat. The renewal report shall be submitted no earlier than four months prior to the expiry date. A successful EMVCo renewal review will result in a one-year extension to the product approval. The original issue date is maintained so that the age of the IC is visible; the current expiry date is updated; and a comparison of the two dates indicates the number of renewals that have been performed successfully. The one-year extension is based on the EMVCo reuse of evaluation evidence policy, which is an important part of the EMVCo security evaluation process. The EMVCo IC product certification life cycle is a maximum of ten years. The limit on the product life cycle protects against potential vulnerabilities introduced by age. Once a product is released, attackers begin to gain experience with attack techniques that will exceed the scope of the original product evaluation. Therefore, to minimize risk, an IC product will be removed from the EMVCo Approved IC Products list when the certificate is withdrawn, when the product is superseded by newer products, or when ten years have passed since the IC product’s assigned issue date, whichever comes first. 
Figure 1 illustrates the IC renewal timeline. The green dot corresponds to full initial security evaluation for the new product and blue dots correspond to renewal security evaluations of the product.

[Figure 1 – EMVCo IC Certification Timeline. Timeline labels: New IC product, ICCN issued, 1 YEAR, Renewal, 10 years, ICCN expired.]

The red dot indicates that the product has expired and the corresponding ICCN has been removed from the EMVCo Approved Products list. This does not mean that the IC is no longer secure, but simply that the IC product certification has expired. No new composite product can be built upon the IC. However, existing approved card products based on this IC can still be renewed up to a maximum of ten years (see Figure 3) as long as the final product meets the composite security evaluation requirements.

When a composite product is to be renewed on an expired IC, it is likely that no fresh evidence is available for the IC level. The extension process is intended to avoid this situation by enabling the security evaluation laboratory to conduct an evaluation to provide fresh evidence to composite evaluations whenever needed.

Product providers seeking an extension for an expired IC product must comply with current security guidelines. After completing the extension evaluation, the security evaluation laboratory may submit a report to be examined by the EMVCo Security Evaluation Secretariat.
A successful review will result in the private issuance of an Extension Recognition Letter to the vendor for the expired product. It is permissible to exclude from the extension scope some library(ies) that were covered by the original certificate, such as the crypto library if no composite product uses it. This will be indicated in the Extension Recognition Letter and shall also be detailed in the Shared Evaluation Report.

Note that if the IC product provider does not perform such extension work and refuses to provide full design information to the composite product evaluation laboratory, composite product renewals using this IC will NOT be granted, as fresh ‘white box’ evidence is not available for all the product layers.

Once an IC certificate has expired, it is still allowed to update the IC security guidance, as composite products may already comply with the updated guidance. IC security or functional updates are also allowed as necessary. Such updates shall give rise to a delta evaluation by the laboratory who may submit a report, either together with an extension evaluation or separately. A successful review will result in the private issuance of an expired certificate to the vendor for the expired updated product.

4 EMVCo Platform Certification

EMVCo evaluates the security features of Platform products, building upon the approved IC hardware with its dedicated software. The Operating System (OS) and Platform environment on which one or more applications (e.g. CPA) can be executed is fully evaluated, taking into account the IC security guidance and IC Shared Evaluation Report (SER for IC) evidence, thus confirming the composition between the previously evaluated IC and the Platform.

EMVCo issues a Platform certificate with a Platform Certificate Number (PCN) for Platform products that successfully complete the EMVCo security evaluation process. A Platform evaluation report can only be EMVCo approved when the IC is on the EMVCo Approved IC Products list. Therefore, the PCN can only be granted if the underlying IC has a valid ICCN.

When EMVCo issues the Platform certificate, the product is placed on the EMVCo Approved Platform Products list for one year from its assigned issue date.

Product providers seeking renewal for a Platform product must comply with current security guidelines. In order for a Platform renewal to be possible, the underlying ICCN must be valid at the Platform certificate’s anniversary date (current Platform expiry date). The renewal evaluation shall be performed no earlier than six months prior to the expiry date. Upon completion of the evaluation, the security evaluation laboratory will submit a renewal report to be examined by the EMVCo Security Evaluation Secretariat. The renewal report shall be submitted no earlier than four months prior to the expiry date.

A successful EMVCo renewal review will result in a one-year extension to the product approval. The original issue date is maintained so that the age of the Platform is visible; the current expiry date is updated; and a comparison of the two dates indicates the number of renewals that have been successfully performed. The one-year extension is based on the EMVCo reuse of evaluation evidence policy and aligns testing evidence for the Platform products with the underlying IC product.

The EMVCo Platform product certification life cycle is a maximum of ten years.
The limit on the product life cycle protects against potential vulnerabilities introduced by age. A Platform product will be removed from the EMVCo Approved Platform Products list when the certificate is withdrawn, when the product is superseded by newer products, or when ten years have passed since the Platform product’s assigned issue date, whichever comes first.

The important difference between the ICCN life cycle and the PCN life cycle is that a PCN can only be granted when the IC has a valid ICCN. If a PCN is granted on an IC that has already been on the EMVCo Approved IC Products list for one or more years, the PCN life cycle is shortened accordingly.

Figure 2 illustrates the Platform renewal timeline. The green dot corresponds to full initial security evaluation for the new product and blue dots correspond to renewal security evaluations of the product.

[Figure 2 – EMVCo Platform Certification Timeline. Timeline labels: New Platform product, PCN issued, 1 YEAR, Renewal, 10 years, PCN expired.]

The red dot indicates that the product has expired and the corresponding PCN has been removed from the EMVCo Approved Products list. This does not mean that the Platform is no longer secure, but simply that the Platform product certificate has expired. No new payment application can be built upon this Platform.
However, existing approved products based on this Platform can still be renewed within the five years following the expiry date of the underlying ICCN, and as long as the final product meets the composite security evaluation requirements. Note that a product renewal based on a Platform that has an expired PCN may incur additional work to validate the Platform and possibly the IC within the EMVCo reuse of evaluation evidence policy. In such a case, it is likely that no fresh evidence is available for the underlying level(s). The extension process is intended to avoid this situation by enabling the product owner to provide fresh evidence to composite evaluations whenever needed. Product providers seeking an extension for an expired Platform product must comply with current security guidelines. After completing the extension evaluation, the security evaluation laboratory will submit a report to be examined by the EMVCo Security Evaluation Secretariat. A successful review will result in the private issuance of an Extension Recognition Letter to the vendor for the expired product. It is permissible to exclude from the extension scope some library(ies) that were covered by the original certificate, such as the Platform crypto library if no composite product uses it. This will be indicated in the Extension Recognition Letter and shall also be detailed in the Shared Evaluation Report. Note that if the Platform provider does not perform such extension work and refuses to provide full design information to the product evaluation laboratory, composite product renewals using this Platform will NOT be granted, as fresh ‘white box’ evidence is not available for all the product layers. Once a Platform certificate has expired, it is still allowed to update the Platform security guidance, as composite products may already comply with the updated guidance. Platform security or functional updates are also allowed as necessary. 
Such updates shall give rise to a delta evaluation by the laboratory who may submit a report, either together with an extension evaluation or separately. A successful review will result in the private issuance of an expired certificate to the vendor for the expired updated product.

5 EMVCo Card Certification

A new card product can be submitted for approval once the underlying IC and/or Platform have successfully completed the EMVCo security evaluation process and are on the EMVCo Approved Products list.

EMVCo issues a Card Certificate with a Card Certificate Number (CCN) for card products that have successfully completed the EMVCo security evaluation process. The CCN represents the composite product security and must be submitted when requesting the EMVCo Letter of Approval.

When EMVCo issues a Letter of Approval, the product will be placed on the EMVCo Approved Card Products list. It will remain there until the certificate is withdrawn, the product is superseded by newer products, or three years have passed since the product’s assigned issue date, whichever comes first.

5.1 Renewal Principles

Product providers seeking renewal for a card product must comply with current security guidelines. The product provider sends the appropriate material (samples, up-to-date guidance documentation, etc.) to the selected security evaluation laboratory, which performs the renewal evaluation as described in [PROC], taking into account the latest identified threats and attacks as well as EMVCo security guidelines.
These activities shall be performed no earlier than six months prior to the expiry date. Upon completion of the evaluation, the security evaluation laboratory will submit a renewal report to be examined by the EMVCo Security Evaluation Secretariat. The renewal report shall be submitted no earlier than four months prior to the expiry date. If approved, a renewal certificate will be issued with an extension to the expiry date, as per Figure 3 below.

The EMVCo card product certification life cycle can be extended to a maximum of ten years. However, the following restrictions apply:
- No card renewal activities are allowed after five years from the maximum 10-year ICCN expiry date.
- In the case where the IC certification life cycle was discontinued before the ten years have passed, either due to an issue with the IC or the IC manufacturer not being willing to perform renewals or extensions, no card renewal activities are allowed after five years from the actual ICCN expiry date.

The limit on the product life cycle protects against potential vulnerabilities introduced by age. If a card product obtains the maximum ten years approval, new cards may be issued into the field for ten years. An issuer can issue this product as long as it is still on the EMVCo Approved Products list (that is, the product has a valid CCN) regardless of whether the IC or Platform has expired.

Figure 3 illustrates the EMVCo CPA/CCD Card renewal timeline.
The green dot corresponds to full initial security evaluation for the new product and blue dots correspond to renewal security evaluations of the product.

[Figure 3 – EMVCo Card Certification Timeline. Timeline labels: New Card product, CCN issued, 3 YEARS, Renewal, 3 YEARS, Renewal, 2 YEARS, Renewal, 2 YEARS, 10 years, CCN expired.]

The red dot indicates that the card product certificate has expired and that the corresponding CCN has been removed from the EMVCo Approved Products list. Once a card product certificate has expired, issuance of the product is no longer permitted.

5.2 Time in the Field

EMVCo limits the number of times that a product may receive a renewal certificate to protect against potential vulnerabilities introduced by age or time in the field. For example, an EMVCo product certification life cycle is a maximum of ten years. Time in the field allows an attacker to gain experience with attack techniques that exceed the scope of the original product evaluation. Product age is currently not considered as a component in the JIL Hardware Attack Subgroup (JHAS) security evaluation rating.

Note: It is industry best practice that new products should not be developed on underlying products that are approaching end of life.

5.3 Life Cycle Management

The current EMVCo security evaluation process does not enforce a full life cycle management process on the approved card product while in the field. Notwithstanding the validity period of an EMVCo certificate, the life cycle management of approved card products in the field, including the expiration date of cards, is the responsibility of the payment systems.
5.4 Reuse of Evaluation Evidence

Reuse of evaluation evidence is an important part of the EMVCo security evaluation process. While reuse of evaluation evidence is allowed, it must always be based on current, state of the art benchmarks. Annually, EMVCo discusses the reuse requirements with its recognised security laboratories and agrees on the expected frequency of updating each set of tests derived from [JIL AM]. After many years, this has provided EMVCo with insight into how long reused evaluation evidence can be considered current for each type of testing (e.g. side channel, fault injection, and reverse engineering).

Since 2009, EMVCo has maintained a guidance document that describes the expectation of how often penetration tests are updated and how this impacts the reuse of security evaluation evidence. Based on current EMVCo guidance, significant parts of the penetration testing need to be updated after 12 months, and virtually all penetration tests need to be updated after 24 months. This reuse policy is one major reason why EMVCo aligned its Platform renewal policy with its IC renewal policy.

Note: A renewal evaluation carries no guarantee of a successful outcome. Technology, skills, and attack techniques evolve rapidly; for each renewal, the IC and/or Platform must demonstrate that they are not vulnerable.

6 Alignment of IC and Platform Life Cycle

As security degrades over time, product flaws are more likely to be found.
Generally, this leads to updated and stricter product security guidance documents – even for products that are already used in the field. In the worst-case scenario, issued products may need to be recalled from the field, which is not only a tedious exercise but is expensive and negatively impacts the product’s brand.

The EMVCo security evaluation process follows a risk-based approach. Therefore, it focuses on having newer products in the field that are fit for purpose, and tries to avoid the need and cost of removing old products in the field that cannot stand the test of time. To mitigate this risk and so support the advancement of testing requirements over time, EMVCo has aligned Platform certification with its IC certification process. Some examples of the Platform and IC life cycle relationship are illustrated in Figure 4.

[Figure 4 – EMVCo IC and Platform Relationship. Rows: IC, Platform. Labels: "Maximum Platform life of ten years is possible" (10 years); "Platform life of three years is possible" (10 years; 3 years)]

7 Application Life Cycle

The life cycle of the application is not fully governed by the Platform or IC life cycle. Application approval requires that the underlying Platform is currently approved when the application level evaluation is performed.

Figure 5 shows the ideal situation, from a security test effort perspective, for developing new card products on an EMVCo Approved Platform product.
The card product is developed on a Platform that was approved shortly after its underlying IC was approved, and card product renewal is not sought beyond the expiration of the Platform.

[Figure 5 – Ideal EMVCo Risk Management Scenario. Rows: IC, Platform, Sec app. Label: "Ideal renewal test effort (Full reuse of Platform/IC evidence)"]

Although Figure 5 illustrates the ideal situation, Figure 6 illustrates a situation that still allows new card products to be issued after the Platform is no longer certified. Product issuance is permitted as long as the payment application is on the EMVCo Approved Products list. The application provider must expend more testing effort for the last renewal.

[Figure 6 – Payment Application Renewal after Platform Expiration. Rows: IC, Platform, Sec app. Label: "Increased renewal test effort (additional Platform/IC testing in last renewal)"]

This additional test effort can be avoided at the application provider level if the IC and Platform products regularly undergo the extension process to provide fresh ‘white box’ test evidence.

Figure 7 illustrates a card product approved on the last day of Platform certification, which allows the card product to be issued for three years. After three years, a considerable amount of additional Platform and IC testing would be required for product renewal. This is considered a “worst case situation”. Note that in any case, due to the 5-year limit after ICCN expiry, no further card product renewal is allowed.

[Figure 7 – Worst Case Payment Application Renewal. Rows: IC, Platform, Sec app. Label: "Worst case renewal test effort (additional Platform/IC testing)"]
Similarly, in the case where the underlying ICCN was discontinued before the end of its 10-year life cycle, the 5-year limit after actual ICCN expiry applies for the card product (see 5.1). The CCN life cycle is shortened accordingly:

[Figure 8 – Payment Application Renewal with discontinued ICCN. Rows: IC, Platform, Sec app. Labels: "5 years"; "No further card renewal activities allowed at this point as no refresh activities were performed at IC level"; "Worst case renewal test effort (additional Platform/IC testing)"]

7.1 Options for Application Level Renewal

This section describes the options for conducting application level renewals if requested after the IC and/or Platform certifications expire (as illustrated from Figure 6 to Figure 8). Note that in all options and examples described below, the card life cycle restrictions detailed above apply.

Option 1: IC Manufacturer and Platform Provider Refresh Evidence
• The IC manufacturer refreshes the evidence for the IC. For the example in Figure 7, the IC manufacturer may need to renew testing submitted several years earlier. If the IC refresh evaluation is successful, EMVCo does not extend the approval but issues an Extension Recognition Letter, and full reuse of the refreshed evidence is permitted for the Platform evaluation.
• The Platform provider refreshes the evidence for the Platform. For the example in Figure 7, the Platform provider may need to renew testing submitted several years earlier.
If the Platform refresh evaluation is successful, EMVCo does not extend the Platform approval but issues an Extension Recognition Letter, and full reuse of the refreshed evidence is permitted for the application level evaluation.
• The application provider can reuse all the evidence as per the EMVCo process and conduct the application level renewal evaluation.

Option 2: Only Platform Provider Refreshes Evidence
• The IC manufacturer does not refresh the evidence for the IC. For the example in Figure 7, this does not prevent the refresh evaluation of the Platform; it simply passes the responsibility to the composite evaluation.
• The Platform provider refreshes the evidence for the Platform through the extension process. The security evaluation laboratory must consider additional testing to validate that the IC satisfies the EMVCo reuse policy. If the Platform refresh evaluation is successful, EMVCo does not extend the Platform approval but issues an Extension Recognition Letter, and full reuse of the refreshed evidence is permitted for the application level evaluation.
• The application provider can reuse all the evidence as per the EMVCo process and conduct the application level renewal evaluation.

Option 3: Neither IC Manufacturer nor Platform Provider Refreshes Evidence
• The IC manufacturer does not refresh the evidence for the IC. For the example in Figure 7, this does not prevent the refresh evaluation of the Platform; it simply passes the responsibility to the composite evaluation.
• The Platform provider does not refresh the evidence for the Platform. For the example in Figure 7, this does not prevent the renewal of the card product; it simply passes the responsibility to the composite evaluation.
• The security evaluation laboratory must consider additional testing to validate that the IC and Platform product satisfy the EMVCo reuse policy and conduct the usual application level renewal evaluation.

If new vulnerabilities are discovered whilst refreshing evidence, they must be addressed. This may require the IC manufacturer or Platform provider to issue a guidance update. This may require rework to the card product at the application level. This possibility may discourage IC manufacturers and Platform providers from taking on the refreshing of evidence, choosing instead to encourage migration to their current/new products.

7.2 How the Options May Arise

The IC manufacturer, Platform provider, and application developer could be three separate companies; thus, the three options discussed above cover various situations. An example for each option is explained below.

Example 1: How Option 1 may arise
• The IC manufacturer has several customers wishing to renew their platform/card products on a particular IC. The IC manufacturer may choose to conduct the refresh evaluation in goodwill to avoid their customers having to perform a similar level of testing multiple times.
  - Evaluation work performed
  - Report may be submitted for EMVCo review
  - If it is, and if EMVCo agrees that the work is fit for reuse, then an Extension Recognition Letter is issued
• The Platform provider has several customers wishing to renew their card products on a particular Platform. The Platform provider may choose to conduct the refresh evaluation in goodwill to avoid their customers having to perform a similar level of testing multiple times.
  - Evaluation work performed
  - Report may be submitted for EMVCo review
  - If it is, and if EMVCo agrees that the work is fit for reuse, then an Extension Recognition Letter is issued
• The card product providers can reuse all the refreshed evidence as input to the application level evaluation, thus achieving big financial savings and avoiding the complication of evaluating the IC and Platform multiple times.
  - Renewal evaluation work performed (includes lower level refresh evidence)
  - Submitted for EMVCo review
  - If EMVCo agrees that the work meets the evaluation requirements, then an EMVCo renewal certificate is issued

[Figure 9 – Relationships Described in Example 1]
Example 2: How Option 2 may arise
• The IC manufacturer has one customer wishing to renew their platform product on a particular IC. The IC manufacturer is promoting their new products and does not wish to incur the costs of refreshing the IC evidence. However, the IC manufacturer agrees to provide full design information to the security evaluation laboratory conducting the Platform refresh evaluation.
  - IC evaluation work NOT performed
  - No input or comment required from EMVCo
• The Platform provider has several customers wishing to renew their card products on a particular Platform. The Platform provider may choose to conduct the refresh evaluation in goodwill to avoid their customers having to perform a similar level of testing multiple times; however, the Platform provider will need to refresh the IC evidence as part of their Platform evaluation, and the security evaluation laboratory conducting the Platform refresh evaluation will need access to the full IC design information.
  - Refresh evaluation work performed
  - Report may be submitted for EMVCo review
  - If it is, and if EMVCo agrees that the work is fit for reuse, then an Extension Recognition Letter is issued
• The card product providers can reuse all the refreshed evidence as input to the application level evaluation, thus achieving big financial savings and avoiding the complication of evaluating the IC and Platform multiple times.
  - Renewal evaluation work performed (includes lower level refresh evidence)
  - Submitted for EMVCo review
  - If EMVCo agrees that the work meets the evaluation requirements, then an EMVCo renewal certificate is issued

[Figure 10 – Relationships Described in Example 2]

Example 3: How Option 3 may arise
• The IC manufacturer has one customer wishing to renew their Platform product on a particular IC. The IC manufacturer is promoting their new products and does not wish to incur the costs of refreshing the IC evidence. However, the IC manufacturer agrees to provide full design information to the security evaluation laboratory conducting the card product renewal.
  - Evaluation work NOT performed
  - No input or comment required from EMVCo
• The Platform provider has one customer wishing to renew one card product on a particular Platform. The Platform provider is promoting their new products and does not wish to incur the costs of refreshing the Platform evidence. However, the Platform provider agrees to provide full design information to the security evaluation laboratory conducting the card product renewal.
  - Evaluation work NOT performed
  - No input or comment required from EMVCo
• The card product provider must refresh the IC and Platform evidence whilst conducting their application level evaluation, and the security evaluation laboratory conducting the renewal evaluation will need access to the full IC and Platform design information.
  - Renewal evaluation work performed (includes additional work for lower levels)
  - Submitted for EMVCo review
  - If EMVCo agrees that the work meets the evaluation requirements, then an EMVCo renewal certificate is issued

[Figure 11 – Relationships Described in Example 3]

Notes

If the IC and Platform providers are not the card product provider, any vulnerability discovered in the extension evaluation is likely to require a fix at the application level, as this is the only remaining option for the application developer when the IC and Platform have expired, as in these examples.
It may appear that Option 3 is the most difficult path; however, if the evaluation at the application level is to cover the product in its open configuration with the payment application loaded, Option 3 can dramatically reduce the evaluation scope. Evaluating a Platform in the absence of an application requires all the security functions to be considered, whereas evaluating an open product with the payment application present can reduce the testing workload by limiting security functions in scope to the functions that are used by the application, resulting in reduced effort and so reduced cost.

8 Changes to Existing Products

Any change to approved products at the IC, Platform, or Card level must be reviewed by the EMVCo security evaluation laboratory.

8.1 IC Changes

If the IC is changed or the IC security guidance is updated, an EMVCo delta security review is required in order for the product to remain on the EMVCo Approved IC Products list. However, this would not directly impact approved Platform products or approved card products as long as the existing approved product remains the same and the original evaluation evidence remains valid.
If the IC is changed in response to a security vulnerability, each payment system must decide what action to take. If the updated IC will be used by existing approved Platform or card products, a delta security review is required to confirm that the changes did not negatively impact the security of the product.

8.2 Platform Changes

If the Platform is changed or the Platform guidance is updated, an EMVCo delta security review is required in order for the product to remain on the EMVCo Approved Platform Products list. The updated Platform would impact the security evaluation of new card products, as they would use the updated Platform. Similarly, the security evaluation of existing approved card products would be impacted when the renewal evaluation was due and the updated Platform was to be used. Existing approved card products would remain valid as long as the product issued remained the same as originally evaluated; that is, existing CPA on the original Platform (not updated) can continue to be issued as normal.

Note that a delta security review does not affect the issue date that accompanies EMVCo approvals. Because the Platform product is not being fully evaluated, it maintains the original issue date.

If the Platform was changed in response to a security vulnerability, each payment system must decide what action to take. If the only changes made to the Platform are to improve its security, it would make sense to use this update for existing approved card products; in this case, the security evaluation laboratory must perform a simple delta security review to confirm that the update does not lower the security of the card product. Note that EMVCo does not require that the updated Platform be used in any existing card product; the responsibility for that decision rests with the payment system.

8.3 Secure Application Changes

Any change to the secure application requires an EMVCo delta security review by a security evaluation laboratory. If the secure application was changed in response to a security vulnerability, each payment system must decide what action to take.

8.4 Changes With No Security Impact

In cases where the security evaluation laboratory’s Security Impact Analysis (SIA) report concludes that the changes made to the product are minor and have no security impact (and no additional testing has therefore been performed), the laboratory shall clearly indicate this conclusion when sending the SIA to the EMVCo Security Evaluation Secretariat. If all prior administrative requirements are fulfilled, the report will be eligible for the Fast Track report review process (review to be performed by the Security Evaluation Secretariat within one working week of receipt of the report). Please refer to SEWG Bulletin 10 [BL10] for more detailed information on this process.