EMVCo SBMP Security Evaluation Process
Extracted document text
EMVCo's index flattens the document's layout, so this text is best used for searching and comparing versions rather than reading end-to-end.
EMV® Security Guidelines EMVCo SBMP Security Evaluation Process Version 2.0 May 2026 © 2018-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries.
Legal Notice

This document is subject to change by EMVCo at any time. This document does not create any binding obligations upon EMVCo or any third party regarding the subject matter of this document, which obligations will exist, if at all, only to the extent set forth in separate written agreements executed by EMVCo or such third parties. In the absence of such a written agreement, no product provider, test laboratory or any other third party should rely on this document, and EMVCo shall not be liable for any such reliance.

No product provider, test laboratory or other third party may refer to a product, service or facility as EMVCo approved, in form or in substance, nor otherwise state or imply that EMVCo (or any agent of EMVCo) has in whole or part approved a product provider, test laboratory or other third party or its products, services, or facilities, except to the extent and subject to the terms, conditions and restrictions expressly set forth in a written agreement with EMVCo, or in an approval letter, compliance certificate or similar document issued by EMVCo. All other references to EMVCo approval are strictly prohibited by EMVCo.

Under no circumstances should EMVCo approvals, when granted, be construed to imply any endorsement or warranty regarding the security, functionality, quality, or performance of any particular product or service, and no party shall state or imply anything to the contrary. EMVCo specifically disclaims any and all representations and warranties with respect to products that have received evaluations or approvals, and to the evaluation process generally, including, without limitation, any implied warranties of merchantability, fitness for purpose or noninfringement. All warranties, rights and remedies relating to products and services that have undergone evaluation by EMVCo are provided solely by the parties selling or otherwise providing such products or services, and not by EMVCo, and EMVCo will have no liability whatsoever in connection with such products and services.

This document is provided "AS IS" without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in this document. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT, AS TO THIS DOCUMENT.

EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to this document. EMVCo undertakes no responsibility to determine whether any implementation of this document may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of this document should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, this document may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement this document is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party's infringement of any intellectual property rights in connection with this document.
Version History

Version | Date | Description
V1.0 | January 2018 | Initial release of the security evaluation process for SBMP products.
V1.1 | February 2018 | Update to reference EMVCo Software-Based Mobile Payment Security Guidelines for TEE-based Mobile Payment and wording update for renewal policy.
V1.2 | July 2019 | Update to simplify the list of SBMP components in scope and to refine the reports submission process.
V1.3 | April 2020 | Updated language for security evaluation certificate issuance and renewals.
V1.4 | December 2020 | Update to remove the Restricted Evaluation Certificate language and the reference to SBMP Task Force.
V1.5 | March 2021 | Updates to Evaluation Certificate numbering policy and new language for Delta and Derivative evaluations.
V1.6 | March 2022 | Clarification on minimum features for security evaluations in §2.2.3.
V1.7 | August 2023 | Removal of evaluation certificate 3-year issuance period, update to add MFA component and reference EMVCo MFA Security Requirements.
V1.8 | July 2024 | Streamlining renewal evaluation process for lineal products in §2.2.3.
V1.9 | January 2026 | Introduction of Evaluation Certificate categories for SDK and MPA components.
V2.0 | May 2026 | Introduction of preliminary attack classification.
Contents

1 Scope
  1.1 Audience
  1.2 Overview
  1.3 Related Information
  1.4 Support
2 Overview
  2.1 Background
  2.2 EMVCo Security Evaluation
    2.2.1 The Role of EMVCo in the Security Evaluation Process
    2.2.2 Development and Production Site Audit
    2.2.3 SBMP Product Security Evaluation
  2.3 Security Assessment
  2.4 Risk Management
3 Security Evaluation Process
  3.1 Security Evaluation Roles and Responsibilities
    3.1.1 Maintain Security Requirements and Guidelines
    3.1.2 Design Product
    3.1.3 Test Product
    3.1.4 Review Evaluation Report(s)
    3.1.5 Security Monitoring
  3.2 Evaluation Certificates
  3.3 Security Evaluation Process
    3.3.1 Sign EMVCo Agreement
    3.3.2 Complete EMVCo Registration Questionnaire
    3.3.3 Initial Discussion
    3.3.4 Product Design
    3.3.5 Select Laboratory and Decide Evaluation Details
    3.3.6 Assess Product and Product Provider Infrastructure
    3.3.7 Submit Reports
    3.3.8 Validate Laboratory Evaluation Reports
    3.3.9 Issue EMVCo Evaluation Certificate
  3.4 Change and Renewal Evaluation Process
    3.4.1 Send EMVCo Registration Questionnaire
    3.4.2 Perform Re-evaluation with Laboratory
    3.4.3 Update Product Evaluation Certificate
Annex A Glossary
Figures

Figure 1: EMVCo SBMP Security Evaluation Overview
Figure 2: EMVCo SBMP Security Evaluation Process
1 Scope

This document describes the EMVCo Security Evaluation Process requirements and procedures for the evaluation of Software-Based Mobile Payment (SBMP) product solutions comprising software and related hardware components.

Registration
SBMP product solution providers (Product Providers) shall follow the registration process described in this document to register their products in order to be listed on the EMVCo website.

Security Evaluation
Product Providers shall follow the process outlined in this document in order to obtain and maintain security evaluation certificates for their products.

1.1 Audience

This document is intended for:
• Product, component, and solution providers – To enable them to gain confidence that their SBMP product, components, and/or solutions have gone through a security evaluation
• Laboratories – To give them a better understanding of the process followed by Product Providers, and to provide them with details on their role in the evaluation process
• Issuers – To provide them with valuable and practical information relating to the general security performance characteristics and the ‘suitability of use’ of SBMP product solutions
1.2 Overview

This document includes the following sections:
Chapter 1 – Scope provides a high-level overview of this document, including references to related information.
Chapter 2 – Overview provides a high-level description of the EMVCo Security Evaluation Process for SBMP product solutions and its rationale.
Chapter 3 – Security Evaluation Process provides a description of the overall EMVCo Security Evaluation Process for SBMP product solutions, leading to issuance of an EMVCo Evaluation Certificate.
Annex A – Glossary includes all abbreviations and definitions.

1.3 Related Information

Throughout this document, the following references have been used. These references include the most current versions at the time of this document’s writing. For future use, the most current versions should be referenced.

Reference | Document Title | Version
[SBMP Reqs] | EMVCo Software-Based Mobile Payment Security Requirements | 1.5 – Jan 2025
[CDCVM Reqs] | EMVCo Consumer Device Cardholder Verification Method Security Requirements | 1.0 – Sep 2018
[MFA Reqs] | EMVCo Multi-Factor Authentication solutions for Payments Security Requirements | 1.0 – Jun 2023
[SBMP Reqs Labs] | EMVCo Security Evaluation Laboratory Requirements for SBMP | 2.4 – Jan 2026
[SBMP Methodo] | EMVCo Software-Based Mobile Payment Security Evaluation Methodology | 2.1 – May 2026
[SBMP TEE] | EMVCo Software-Based Mobile Payment Security Guidelines for TEE-based Mobile Payment | 1.0 – Jan 2018
[SBMP SPT] | EMVCo Software-Based Mobile Payment Security Guidelines for Software Protection Tools | 1.0 – Jan 2019
[SBMP Attestation] | EMVCo Software-Based Mobile Payment Security Guidelines for Attestation | 1.0 – Jul 2018
[BL15] | EMVCo Security Evaluation Bulletin 15 – Software-Based Mobile Payment – Evaluation Review Fees | 2 – Oct 2021
[BL17] | EMV Security Evaluation Bulletin 17 – Software-Based Mobile Payment – Evaluation and Testing Deliverables | 2 – Jul 2025

1.4 Support

For help and support, contact the EMVCo Security Evaluation Secretariat at sbmpsecurity@emvco.com.
2 Overview

This chapter provides a high-level description of the EMVCo Security Evaluation Process for SBMP product solutions and its rationale.

2.1 Background

EMVCo acts as the security assessment entity for SBMP products intended for use in payment solutions issued by EMVCo Members. EMVCo oversees and administers the common security evaluation process and maintains security guidelines ([SBMP Attestation], [SBMP SPT] and [SBMP TEE]) and security requirements ([SBMP Reqs], [CDCVM Reqs] and [MFA Reqs]). The EMVCo security guidelines support product, component, and solution providers in developing and testing their products, and test laboratories in performing security evaluations.

The EMVCo Security Evaluation Process evaluates the security features of the different components that can be integrated within an SBMP solution. The following SBMP security evaluation categories are used within the certification program:
a) Trusted Execution Environments (hardware-based TEE, TPM, eSE, etc. or software-only vTEE)
b) Mechanisms for providing a CDCVM (e.g. biometrics)
c) Multi-Factor Authentication implementations (authenticators and back-end)
d) Software Protection Tools, e.g. cryptographic libraries using, for example, White Box Cryptography (WBC), software libraries and techniques providing obfuscation, Application/OS tamper detection mechanisms
e) Attestation mechanisms
f) Software Development Kits (SDKs)
g) Mobile Payment Applications (MPAs)

The EMVCo Security Evaluation Process also takes into account the security of the SBMP solution design, development, and delivery processes.

2.2 EMVCo Security Evaluation

The EMVCo Security Evaluation Process is based on a set of published EMVCo documents (requirements and security guidelines) made available to solution providers and security evaluation laboratories for the development and security evaluation of their products.
The EMVCo Integration Model is a new security evaluation approach that reflects the structure of the SBMP industry, taking into account the dynamic relationships between the component providers, consumer devices, and mobile solution providers. This includes third-party libraries, SDKs, hardware platform product components, remote controls, and server controls. Additionally, this also includes their development and management processes. This flexibility allows EMVCo to minimise evaluation time and financial burden on Product Providers.

2.2.1 The Role of EMVCo in the Security Evaluation Process

EMVCo has established a common security evaluation methodology that assists Product Providers in promoting the continuous improvement of security standards in the implementation of their products. The methodology used in the evaluation process leverages a program of research targeted at the leading edge of attack methodology through regular Laboratory and special interest workgroup meetings. In addition, EMVCo supports the work of the subgroups or initiatives working on specific security topics to maintain a common set of current threats and attacks.

This process benefits all stakeholders by defining a flexible, state of the art, common security evaluation methodology that is recognised by all stakeholders, thus saving time and avoiding the duplication of effort when evaluating SBMP products and their development environments.

Product Providers are responsible for ensuring that the security evaluation of their products is performed. EMVCo does not, however, guarantee or provide any warranties for any Product Provider’s product, component, or solution, and the security evaluation process does not relieve stakeholders of the need to make their own investigations to ensure the security or fitness for purpose of any products. No product implementation can be 100% secure, but the EMVCo Security Evaluation Process provides stakeholders with additional information to assist in their risk analysis of choosing the right solution.

The security evaluations are performed by EMVCo recognised, independent security evaluation laboratories and funded by Product Providers. Upon successful completion of an EMVCo security evaluation for an SBMP product, the EMVCo Security Evaluation Secretariat issues an EMVCo Evaluation Certificate.

2.2.2 Development and Production Site Audit

The security evaluation of an SBMP product may also include an onsite audit of the Product Provider’s development, production, and delivery infrastructure, depending on the product nature and assets involved.
2.2.3 SBMP Product Security Evaluation

The EMVCo SBMP Security Evaluation Process considers the security of the product and its components and is intended to provide a thorough assessment as to whether the security functions are designed to effectively deal with known software and hardware attack methods.

The EMVCo SBMP Security Evaluation Process covers one or more of the components constituting the product, listed in section 2.1, as follows:
• Trusted Execution Environments (hardware-based TEE, TPM, eSE, etc. or software-only vTEE)
• Mechanisms for providing a CDCVM (e.g. biometrics)
• Multi-Factor Authentication implementations (authenticators and back-end)
• Software Protection Tools, e.g. cryptographic libraries using, for example, White Box Cryptography (WBC), software libraries and techniques providing obfuscation, Application/OS tamper detection mechanisms
• Device attestation mechanisms
• Software Development Kits (SDKs)
• Mobile Payment Applications (MPAs)

Each of these components must be uniquely identified.

Note: EMVCo will not issue an EMVCo Evaluation Certificate for products or components providing no security features and/or protecting no assets (typically a functional SDK only). As a minimum, some of the following security requirements listed in [SBMP Reqs] should be met by the evaluated product or component itself and not deferred to another component: MA-SEC-REQ-2.1, MA-SEC-REQ-2.3, MA-SEC-REQ-2.4 and MA-SEC-REQ-2.5.
SBMP products or components are often developed in a line structure. The first evaluation is performed on an initial ‘parent’ product which then constitutes the basis for the evaluation of the product line. Typically, the evaluation of a lineal product can reuse the work originally performed on the parent. Renewal evaluations can then cover the whole product or component line together, which allows an easier follow-up and transparency of the relationship between the parent and lineal products.

Evidence from the evaluation of a new product in the same line structure may be re-used for the renewal of previously evaluated products. In such a case, the annual review of these products might be included within this new product evaluation. However, products introducing new major security related functionalities, such as cryptographic functions or protection mechanisms, leading to a more thorough testing, are excluded from the current line structure and considered as new.

Any change to a previously evaluated product may require a Security Impact Analysis (SIA) and a re-evaluation may need to be performed before an EMVCo Evaluation Certificate can be issued for a changed product. Depending on whether the Product Provider declares that changes to earlier evaluated version(s) have a SECURITY impact or NOT, the product evaluation will be respectively treated as a ‘Delta’ or as a ‘Derivative’ evaluation (see also [BL15]). For Derivative evaluations (i.e., changes made to the product have no security impact, therefore no additional testing is performed), a Fast Track report review process will be applied.

An evaluated SBMP product is granted a Security Evaluation Certificate issued for one year. Beyond that period, Product Providers may seek to renew their Security Evaluation Certificate for their product to remain on the EMVCo Evaluated Products list, unless the certificate is withdrawn, or the product is superseded by newer products from the Product Provider. In order for the Security Evaluation Certificate to be renewed, the product will need to pass an annual security review. Products must comply with current security guidelines to have their certificates renewed.

Note: As soon as an evaluated component or product has been used within a solution issued in the field, only security guidance updates are allowed in the corresponding Evaluation Certificate.

2.3 Security Assessment

The EMVCo Security Evaluation Process strives for a thorough assessment of the security functions for risk management of SBMP products at all stages of the development process. The evaluation methodology balances ‘black box’ and ‘white box’ testing, performing a security analysis that considers all viable attacks on a product in order to derive a set of penetration tests based on individual product characteristics.
EMVCo recognises external evaluation laboratories to perform security evaluations using the relevant EMV Security Guidelines and externally developed testing tools. EMVCo may leverage previous work performed by the Product Provider. EMVCo recognises the methodology used in some formal evaluation schemes but will accept only relevant evaluation reports as evidence of such evaluation.

The EMVCo Security Evaluation Process reflects a partnership with Product Providers and is designed to minimise the cost and time spent in performing evaluation work and to avoid duplication of effort. Evaluations that are based on a core family of devices can use delta evaluations to manage product migration. Associated design and production processes are evaluated once, and paperwork overhead is reduced.

The EMVCo Security Evaluation Secretariat supports the common process with a research program that seeks optimal awareness of threats and defences whilst maintaining confidential relationships with laboratories and Product Providers through regular Laboratory and special interest workgroup meetings.

Once all steps of the EMVCo Security Evaluation Process (see Chapter 3) have been fulfilled, an EMVCo Evaluation Certificate can be issued for a product. The certificate includes:
• A number that identifies a single evaluation path from Product Providers through manufacturer to issuer
• A date that reflects the version of the EMVCo security guidelines at the time of evaluation

Product Providers must present their EMVCo Evaluation Certificate Number to issuers as proof that their product has been evaluated via the EMVCo Security Evaluation Process.

Note: Users (Product Providers, issuers, mobile handset providers, etc.) should always check both the status and the date of any EMVCo Evaluation Certificate.

Note: EMVCo reserves the right not to issue an EMVCo Evaluation Certificate if an evaluation report is inconclusive or fails to demonstrate sufficient compliance to the EMVCo SBMP security evaluation methodology.

An EMVCo evaluated SBMP product is granted an EMVCo Evaluation Certificate with an issue date and is placed on the corresponding EMVCo Evaluated Products list for one year. Each Evaluation Certificate has a unique SECN (SBMP Evaluation Certificate Number).

The older a product is, the greater the array of attacks it may be subject to; therefore, EMVCo evaluated SBMP products undergo annual security assessments following the initial assessment. A product can remain on the EMVCo Evaluated Products list if it passes an annual security review, unless the certificate is withdrawn or the product is superseded by newer products.
2.4 Risk Management

The finance industry is a risk management business that has to constantly monitor vulnerabilities and threats. A secure system must implement defences at all levels, and issuers should develop separate strategies for prevention, detection, and recovery.

There are essentially two motivations for an attacker: publicity and reward. Incident management procedures should be planned for each, and appropriate security measures should be taken to limit the likely rewards that an attacker may achieve for their efforts. Fraud migrates to the lowest level of defences in a system, and the security features of the payment application should provide a number of risk management measures.

The EMVCo Security Evaluation Process supplements these efforts by making product Security Evaluation a necessary part of the Product Provider’s design and development process. When selling a product for which an EMVCo Evaluation Certificate has been issued, a Product Provider should be able to explain the testing that has been carried out to fulfil the SBMP Security Evaluation Methodology ([SBMP Methodo]).

The level of testing continuously increases to reflect state of the art attack potential. Consequently, new products should offer a higher level of protection against the latest threats. However, no testing can anticipate all potential future attacks. Security, by definition, is an ongoing process – attack and defence follow one another in a continual race. EMVCo endeavours to be always one step ahead of the attacker.

Issuers should constantly bear in mind that there is no such thing as perfect security. Long-lived assets require higher assurance than ephemeral or short-lived assets due to their persistence in the Consumer Device. However, attacks on short-lived or ephemeral assets could be more viable for an attacker than one on a master key that might be blocked by a counter after a few unsuccessful transactions.

The EMVCo Security Evaluation Process aims to identify vulnerabilities in these terms so as to be usable for risk analysis. A test plan is derived from the vulnerability analysis performed by the evaluation Laboratory and tests are then performed accordingly. The result of testing each attack scenario provides assurance about whether it is possible to compromise a TOE asset with a particular attack technique.

Attacks identified by the evaluator can be broken down into:
• Full attack: The identified attack gives rise to a fraudulent transaction in the field.
• Partial attack: The identified attack is insufficient by itself to give rise to a fraudulent transaction.
• Preliminary attack: The identified attack does not have any assets in scope. This attack only provides an opportunity for further attacks to take place.

For example, many attacks require root privileges to succeed. However, the process for rooting the device is not considered a partial attack because, by itself, it does not target any payment assets; it is therefore considered a preliminary attack.

To reflect the evaluation results and conditions in Evaluation Certificates, EMVCo has defined three categories (for SDK and MPA components), as follows:
• Category 1: Products showing no partial/full attacks.
• Category 2: Products showing partial attacks – including special consideration – and/or full attack(s) rated Low up to High according to our attack rating methodology defined in [SBMP Methodo].
• Category 3: All other products with limited compliance (e.g. a non-privileged state was used for the evaluation).

3 Security Evaluation Process

This chapter describes the EMVCo Security Evaluation Process leading to the issuance of an EMVCo Evaluation Certificate. Figure 1 depicts an overview of EMVCo Security Evaluation.

Figure 1: EMVCo SBMP Security Evaluation Overview

3.1 Security Evaluation Roles and Responsibilities

The following sections describe the EMVCo Security Evaluation sub-processes:
• Maintain Security Requirements and Guidelines
• Design Product
• Test Product
• Review Evaluation Report(s)
• Security Monitoring

3.1.1 Maintain Security Requirements and Guidelines

EMVCo maintains a set of security requirements and guidelines documents (listed in section 1.3) that provide security guidance and define generic security requirements for the design of SBMP products. These documents are not intended to be exhaustive but rather informative, supporting Product Providers in the development of their products and supporting laboratories as they assist in the evaluation of such products within the framework of the EMVCo Security Evaluation Process.

The security requirements and guidelines present the basic principles of Software-Based Mobile Payment security to ensure that every Product Provider has the same understanding of the threats in this environment. They provide rules and recommendations for protection against these threats and then refine them step by step, up to specific points related to individual security features.

3.1.2 Design Product

The Product Provider designs its products in accordance with the applicable security requirements and guidelines. The requirements and guidelines draw a comprehensive picture of means to secure SBMP product implementations.

A developer may decide not to follow a guideline. In this case, the developer has to demonstrate either that the product provides an equivalent assurance level through another means, or that the guideline is not applicable to the product.

3.1.3 Test Product

The EMVCo Recognised Laboratory selected by the Product Provider receives the product design as well as test products, and assesses the product (and, where considered necessary, the related processes) independently to determine whether the Product Provider has sufficiently taken threats and attacks into account.

Refer to section 3.3.6 for further details on the ‘Test Product’ process.

3.1.4 Review Evaluation Report(s)

Upon completion of the evaluation, the Laboratory prepares the evaluation report package.
As security features of evaluated components or Mobile Applications may include technology/IP belonging to one or more EMVCo Members, the Laboratory report(s) submission process is further detailed in section 3.3.7.

Refer to section 3.3.8 for further details on the ‘Review Evaluation Report(s)’ process.

3.1.5 Security Monitoring

The EMVCo Security Evaluation Secretariat operates an ongoing process to check Evaluated Products against newly identified attacks and risks by:
• Continuously monitoring threats and security developments within the Software-Based Mobile Payment product market.
• Conducting research and development – both alone and with security evaluation laboratories – to identify new threats, attacks, and security evaluation methodologies.

Where it considers this necessary (and where it is able to do so given confidentiality restrictions) the EMVCo Security Evaluation Secretariat may inform Product Providers about newly discovered vulnerabilities of their Evaluated Products, thus enabling Product Providers to minimise consequent risks and support their customers’ risk management. This may also include the withdrawal of an EMVCo Evaluation Certificate.

3.2 Evaluation Certificates

Following a successful product Security Evaluation, EMVCo issues an EMVCo Evaluation Certificate for the product. Evaluation Certificates confirm that the Product Provider’s product(s) identified on the Evaluation Certificate have undergone the appropriate security evaluation.

If the Evaluated Product includes several components, the (unique) Evaluation Certificate includes references for each of these components and is valid for the integrated product.

3.3 Security Evaluation Process

The following sections describe the actions within the EMVCo Security Evaluation Process, as shown in Figure 2.

Figure 2: EMVCo SBMP Security Evaluation Process

3.3.1 Sign EMVCo Agreement

EMVCo and the Product Provider sign an EMVCo agreement covering the EMVCo Security Evaluation Process, including confidentiality and other aspects.

This step results in both the Product Provider and the EMVCo Security Evaluation Secretariat receiving a signed version of the agreement.

3.3.2 Complete EMVCo Registration Questionnaire

The Product Provider completes an EMVCo questionnaire defining details of the product intended for evaluation and related administrative information.

This step results in the Product Provider providing the EMVCo Security Evaluation Secretariat with the necessary completed EMVCo Registration Questionnaire.

3.3.3 Initial Discussion

Initial discussions between the Product Provider and the EMVCo Security Evaluation Secretariat are conducted to develop a common understanding of the evaluation process and the underlying information required. The Product Provider should obtain the relevant EMVCo security guidelines and use them to identify any necessary additional product requirements.

If available, the Product Provider should submit evidence of any security evaluations already carried out on the product. This will enable the EMVCo Security Evaluation Secretariat’s staff to resolve any questions and concerns in advance. If needed, a conference call or meeting can be organised.

3.3.4 Product Design

The Product Provider finalises the design of the product (if not completed prior to initiation of the EMVCo Security Evaluation Process) or updates the product in response to the requirements derived from the relevant security guidelines. This phase may also include conducting (or amending) a self- or third-party evaluation of the security performance of the product and the underlying development and production processes.

This step results in the Product Provider producing design documentation and test products.

3.3.5 Select Laboratory and Decide Evaluation Details

After the EMVCo Security Evaluation Secretariat reviews any security evaluations of the product performed by the Product Provider or a third party, the Product Provider and the EMVCo Security Evaluation Secretariat agree on precise details of the EMVCo evaluation, including:
• A list of mandatory evaluations: The EMVCo Security Evaluation Secretariat will take into account the needs of the Product Provider, as well as any previous evaluation work, but reserves the final decision about the minimum set of evaluation work considered necessary within the EMVCo Security Evaluation Process.
• The Laboratory(ies) to be used: EMVCo recognises a number of Laboratories and can discuss them with the Product Provider.

The Product Provider and the EMVCo Security Evaluation Secretariat will often reach this agreement as part of the initial discussions (discussed in section 3.3.3), provided that they agree that the product has already reached sufficient maturity to prepare the evaluation.

This step results in the issue of purchase orders to the laboratories. Where necessary, Product Providers can agree to appropriate Non-Disclosure Agreements (NDAs) with the laboratories at this stage.

3.3.6 Assess Product and Product Provider Infrastructure

The evaluation of the product includes a threat and vulnerability assessment of identified security assets. The EMVCo Security Evaluation Process considers security assets to be categorised as follows:
• Assets used during payment processing:
  o Card Profiles
  o Payment System public keys and Issuer public keys
  o Private and secret payment keys or payment session keys and related parameters (static and dynamic)
  o Risk management data
• Assets and sensitive information:
  o Cryptographic keys and related parameters (static and dynamic)
  o Items used for communications processing and to secure transport to the Mobile Application
• Cardholder data or card image data
• Consumer authentication
• Source code / binary

The vulnerability analysis should, at minimum, include currently known attacks (threats), which at present include:
• Bypass of mobile payment platform security controls
• Reverse engineering of SBMP product source code
• Modification/Alteration of SBMP product code
• Exploitation of interfaces between SBMP product components
• Extraction of assets in runtime

These attacks are expected to use techniques such as:
• Static analysis (disassembly, decompilation, de-obfuscation)
• Code modification (bypass security mechanisms, inject malicious code)
• Dynamic analysis (exploitation of debugging features, unprotected lifecycle phases, hooking)
• Perturbation attacks
• Differential Fault Analysis (using single or multiple faults)
• Side channel analysis
• Attacks on RNG
• Software attacks (protocol, man-in-the-middle, replay, relay, downgrade attacks, unknown key share / impersonation, certificate misuse)
• Logical attacks (application segregation, IPC exploitation, fuzzing)

The laboratories perform the required evaluations and provide evaluation reports documenting the results. An evaluation may include physical testing of test products, assessment of the design documentation, or auditing of the Product Provider’s development and production processes (see section 2.2.2) to ensure that social engineering, coercion, and bribery threats are addressed.

Laboratories are to construct evaluation reports as follows:
• Detail the product, its components, and the list of its security features included in the scope of evaluation.
• Describe the development and production life cycle of each of the product components, including the list of the development and manufacturing sites if applicable.
• Include a complete vulnerability analysis against the threats discussed in [SBMP Reqs] and the other applicable EMVCo security requirements or guidelines documents (listed in section 1.3), detailing any residual vulnerabilities.
• Base the conclusions of the evaluation on guidance provided in [SBMP Methodo].
• Provide sufficient reporting of penetration testing to prove that the tests were completed in line with EMVCo SBMP security evaluation methodology.
• For SDK and MPA components, provide sufficient detail on the conditions of the evaluation and the results obtained, as well as the resulting suggested certificate category.

3.3.7 Submit Reports

The Laboratory prepares an evaluation report package that must include the following:
• The main EMVCo Evaluation Report, plus annex reports if applicable
• The applicable Shared Evaluation Report, as per the template defined and made available to laboratories by EMVCo
• The corresponding product Registration Questionnaire
• The associated product security guidance document(s) from the Product Provider

The Laboratory should get the questionnaire from the Product Provider and ensure that the information it contains is still up to date. If this is not the case, Laboratory staff should advise the Product Provider to update the questionnaire, so that the final version delivered to EMVCo accurately reflects the information in the report.

Security features of components or Mobile Applications evaluated within the EMVCo Security Evaluation Process may include technology/IP belonging to one or more EMVCo Members. Two distinct report submission processes are therefore defined to be followed by Laboratories:

EMVCo Member specific reports

These are reports containing EMVCo Member specific technology/IP. The Laboratory encrypts this specific evaluation report package to the concerned EMVCo Member and to the EMVCo Security Evaluation Secretariat and submits it to the concerned EMVCo Member only. The EMVCo Member can then decide to transfer the report to the EMVCo Security Evaluation Secretariat for review if it wishes to do so.

EMVCo common reports

These reports do not feature any EMVCo Member specific technology/IP. The Laboratory encrypts this common evaluation report package to the EMVCo Security Evaluation Secretariat and to the EMVCo Members allowed to receive a copy by the Product Provider, and submits it to the EMVCo Security Evaluation Secretariat only. The Laboratory must explicitly indicate the list of the EMVCo Members allowed to receive a copy. The Security Evaluation Secretariat then reviews the report and will be in charge of transferring the report package to the identified EMVCo Members.

Note: In both cases, the Laboratory is responsible for ensuring that the report does not feature any technology/IP issues with regard to its distribution list.

3.3.8 Validate Laboratory Evaluation Reports

The EMVCo Security Evaluation Secretariat reviews the EMVCo Evaluation Report(s) from the Laboratory. Based on the review, the EMVCo Security Evaluation Secretariat may require further evidence to be provided, in which case the process continues, going back to the ‘Select Laboratory and Decide Evaluation Details’ step described in section 3.3.5.

If the EMVCo Security Evaluation Secretariat considers that the evaluation fulfils the EMVCo SBMP security evaluation methodology, the Secretariat prepares an EMVCo Summary Report and, if vulnerabilities have been discovered, their ratings will be detailed as part of the EMVCo Summary Report.

Note: EMVCo reserves final authority over the contents of the EMVCo Summary Report.

The EMVCo Summary Report is submitted to EMVCo SEWG for final approval.

3.3.9 Issue EMVCo Evaluation Certificate

If the EMVCo Summary Report prepared by the EMVCo Security Evaluation Secretariat concludes that the evaluation fulfils the EMVCo SBMP security evaluation methodology and is approved, EMVCo will issue the Product Provider an EMVCo Evaluation Certificate for that product.

Each Evaluation Certificate will contain a four-digit reference number uniquely identifying the product (including all its components) that has been evaluated, using the following convention: SECNxxxx – SBMP Evaluation Certificate Number.

Products or components from the same line will be granted the certificate number of the parent product and identified through an extension to this number. From the parent SECNxxxx, the extended SECN number format for lineal products is defined as follows: SECNxxxx.yy, where:
- xxxx is the four digit number assigned to the parent product, thus representing the “root” number.
- yy is a two digit number assigned to the evaluated lineal product. This number will start from 01 for the first product and increment by 1 for each new evaluated product based on the same parent.

For SDK and MPA components, the category assigned to the product (as defined in §2.4), based on the laboratory’s evaluation report, will be identified on the Evaluation Certificate.

A list of all public¹ Evaluated Products and their associated Evaluation Certificates is available from the EMVCo website: www.emvco.com.

¹ The product provider may request that its product not be listed.

Note: EMVCo reserves the right not to issue an EMVCo Evaluation Certificate if an evaluation report is inconclusive or fails to demonstrate sufficient compliance to the EMVCo SBMP security evaluation methodology.

3.4 Change and Renewal Evaluation Process

This section summarises the steps to be followed for the change or renewal of a previously issued EMVCo Evaluation Certificate.

3.4.1 Send EMVCo Registration Questionnaire

The Product Provider first needs to send the EMVCo Security Evaluation Secretariat an up-to-date version of the product Registration Questionnaire, checking either the ‘Change evaluation’ or ‘Renewal evaluation’ checkbox and indicating the original Evaluation Certificate reference.

On receipt of the questionnaire, EMVCo will generate a new invoice as defined in [BL15] and described in section 3.3.2.

3.4.2 Perform Re-evaluation with Laboratory

The Product Provider sends the appropriate material (test products, up-to-date guidance documentation, etc.) to the selected security evaluation laboratory. The Laboratory conducts the re-evaluation process, refreshing the activities described in section 3.3.6 and taking into account the latest identified threats and attacks, as well as EMVCo security guidelines if applicable. For a renewal evaluation, these activities shall be performed no earlier than six months prior to the certificate’s annual review date.

Note: If a different Laboratory is used for the re-evaluation, the newly selected Laboratory will have to conduct a full evaluation.

3.4.3 Update Product Evaluation Certificate

Upon completion of the re-evaluation, the Laboratory will deliver a change or renewal report following the same report submission process as detailed in section 3.3.7. When the report is received by the EMVCo Security Evaluation Secretariat, the review will be performed as detailed in sections 3.3.8 and 3.3.9. For a renewal evaluation, the report shall be submitted no earlier than four months prior to the certificate’s annual review date.

If the EMVCo Summary Report is approved by the EMVCo SEWG, an updated or renewed Evaluation Certificate (or a new certificate if the product was already issued in the field) will be issued and its listing on the EMVCo website will be extended in the case of a renewal. This process can be repeated as required.

For product lines, involving Delta or Derivative evaluations, the issued EMVCo SBMP Evaluation Certificate(s) will be aligned on the parent product’s certificate (i.e. with the same issue date).

Annex A Glossary

The following terms are relevant to the testing process:

| Term | Definition |
|---|---|
| Delta Evaluation | Evaluation of a product where changes have a SECURITY impact on a product that has already been evaluated in earlier version(s). |
| Derivative Evaluation | Evaluation of a product where changes have NO SECURITY impact on a product that has already been evaluated in earlier version(s). |
| EMVCo | The organization that manages the EMV Specifications and their related testing processes. |
| EMVCo Evaluation Certificate | A certificate issued by EMVCo when an SBMP product, component, or solution completes a security evaluation that fulfils the EMVCo SBMP security evaluation methodology. |
| EMVCo Members | The EMVCo members are American Express, Discover, JCB, Mastercard, UnionPay and Visa. |
| EMVCo Security Evaluation Secretariat | A third-party company contracted with by EMVCo to administer the EMVCo Security Evaluation Process. |
| EMVCo Summary Report | A report prepared by the EMVCo Security Evaluation Secretariat, based on its review of the EMVCo Evaluation Report and associated documents. |
| Ephemeral asset | Data existing in memory only for the brief period necessary to process the data. |
| eSE | Embedded Secure Element |
| Evaluated Product | A product that has been issued an EMVCo Evaluation Certificate. |
| Evaluation | Any activity intended to verify the conformance of a selected product or process to a given requirement under a given set of conditions. |
| Evaluation report | Document provided by a Laboratory containing the test results and conclusions for an SBMP product and/or one or more of its components. |
| Laboratory | A facility that performs security evaluation testing. |
| Long-lived asset | Data existing in memory for the period necessary to make use of the data over multiple sessions. |
| MPA | Mobile Payment Application |
| Mobile Application | One instance of a complete product ready to be deployed to end users by a particular issuer. |
| Multi-Factor Authentication | Authentication that involves the verification of two or more distinct authentication factors to prove the identity of a user. It can be performed using one authenticator or a combination of authenticators. |
| Payment System | For the purpose of this document, one of the following companies: American Express, Discover, JCB, MasterCard, UnionPay, or Visa. |
| Product Provider | The entity that submits an SBMP product, component, or solution to EMVCo for evaluation. |
| SBMP | Software-Based Mobile Payment |
| SBMP Evaluation Certificate Number (SECN) | A unique four-digit reference number that identifies the EMVCo Evaluation Certificate of an SBMP product, component, or solution. |
| SDK | Software Development Kit |
| Security Impact Analysis (SIA) | Analysis of the impact of product changes on the product’s security level; created by the Product Provider and supplied to the EMVCo Security Evaluation Secretariat. |
| Short-lived asset | Data existing in memory for the period necessary to make use of the data over a session. |
| Software-Based Mobile Payment (SBMP) | Payment transactions where the consumer device is a mobile device such as a mobile phone. Applies to all types of Operating Systems and known consumer device architectures, including: hardware support such as TEE, TPM, and eSE; server-side controls such as remote device attestation. |
| TEE | Trusted Execution Environment |
| Test product | A representative of a specific product provided to a laboratory for testing. |
| TPM | Trusted Platform Module |