SB n°308 Contact Features Sunsetting P1

EMV® Specification Bulletin No. 308 Second Edition May 2026 EMV® Contact Chip Features Sunsetting – Phase 1 Applicability This Specification Bulletin applies to: • EMV Integrated Circuit Card Specifications for Payment Systems, Book 1/2/3/4, v.4.4 Related Documents • GB 60 2nd edition dated 30 July 2024 Effective Date • 1 July 2026 (Background of the 2nd edition) As announced in General Bulletin 60 2nd edition, EMVCo is sunsetting selected EMV Contact features in two phases to enhance security, improve usability, and remove obsolete elements. Phase 1 was implemented in January 2025 by Specification Bulletin 308 1st edition. This specification bulletin introduces the further updates to the Specification Bulletin 308 to provide stakeholders with flexibility to sunset plaintext PIN. Details of the updates are provided in the following pages, and in this 2nd edition the only updates are in the section related to offline plaintext PIN (and a minor update in the Unused Tags section). The changes made in the 1st edition are shown in blue, and the changes between the 1st and 2nd editions are shown in red. © 2025-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 1 (Details of the change) Description General Bulletin 60 2nd edition published on 30 July 2024 outlined the features to be sunsetted from the specifications with the aim of collectively improving security, optimising the usability of the specifications, simplifying editorial understanding, and removing obsolete or unused features. This bulletin provides information on how the Phase 1 sunset features listed below will be removed from the specification. Features to be sunsetted from the specification in Phase 1: ⚫ Offline plaintext PIN (unattended) ⚫ Combination CVMs ⚫ TDOL ⚫ Unused Tags ➢ ‘9F04’ (Amount, Other (Binary)) ➢ ‘9F3A’ (Amount, Reference Currency) ➢ ‘9F3B’ (Application Reference Currency) ➢ ‘9F43’ (Application Reference Currency Exponent) ➢ ‘81’ (Amount, Binary) ➢ ‘97’ (Transaction Certificate Data Object List (TDOL)) ➢ ‘98’ (Transaction Certificate (TC) Hash Value) © 2025-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 2 Details of the Change < Offline Plaintext PIN (unattended)> [Changes to Book 3] • Section 6.5.12.2, Table 24: ➢ Add following footnote to the second item (“Plaintext PIN, format as defined below”) as below: 4 Plaintext PIN is not allowed for Unattended terminals unless required to meet region-specific guidance from payment system(s). • Section 10.5.1: ➢ Add a footnote to the first sentence: 15 Plaintext PIN is not allowed for Unattended terminals unless required to meet region-specific guidance from payment system(s). ➢ Insert the following sentence after the first sentence: Plaintext PIN is not supported in Unattended terminals (Terminal Type = 'x4', 'x5', or 'x6') unless required to meet region-specific guidance from payment system(s). • Section 10.5.1C3 in Annex C, Table 43 (“CVM Codes”), bit 6 to 1: ➢ Add the following footnote to the second item (“Plaintext PIN verification performed by ICC”): 27 Plaintext PIN is not allowed for Unattended terminals unless required to meet region-specific guidance from payment system(s). [Changes to Book 4] • Section 6.4 ➢ Insert following sentence before the first sentence: Plaintext PIN shall not be supported in Unattended terminals (Terminal Type = 'x4', 'x5', or 'x6') unless required to meet region-specific guidance from payment system(s). • Section 10 ➢ Insert the following paragraph at the end of Section 10. In the context of this section, an "application" is a terminal configuration associated to an AID. The specific values of AID are determined by each payment system, and the matching logic follows the same logic as defined in Book 1 section 12.3.1. There © 2025-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 3 are two exceptions: Certification Authority Public Key Index and Certification Authority Public Key are associated to a RID (instead of to an AID). • Section 10.1 ➢ Add the following sentence at the beginning of the section. Application Independent Data are applicable to all AIDs. • Section 10.1.2 ➢ Update the section as below: 10.1.2 Transaction Related Data The following data elements are application independent and may be specific to each device constituting the terminal, such as a host concentrating a cluster of devices (see Figure 2 for an example): • Additional Terminal Capabilities • Terminal Capabilities • Terminal Type The terminal shall be constructed in such a way that these data objects cannot be modified unintentionally or by unauthorised access. These data objects may be varied on a transaction by transaction basis which means that for each transaction, the terminal may invoke a different value for these data objects based on certain characteristics and parameters of the transaction (selection criteria). Support of this functionality is optional for the terminal. The implementation of this functionality is left to the discretion of the terminal manufacturer and is outside the scope of EMV. • Section 10.2 ➢ Add the following sentence at the beginning of the section. Application dependent data are associated to an AID. • Section 10.2, Table 7 ➢ Update the notes of the Terminal Capabilities as below: Data Elements Terminal Capabilities 8 Notes If the terminal supports XDA or ECC ODE for any application, the terminal shall support an independently configurable Terminal Capabilities value for each application. If the requirements for some Payment Systems are identical, the terminal may share a single set of Terminal Capabilities for such Payment Systems. © 2025-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 4 ➢ Add following footnote to Terminal Capabilities: 8 This data object may be varied on a transaction-by-transaction basis which means that for each transaction, the terminal may invoke a different value for this data object based on transaction context (such as transaction amount or Payment System application). • Annex A, A2, Table 26: ➢ Add following footnote to the first item (“Plaintext PIN for ICC verification”): 21 Plaintext PIN is not allowed for Unattended terminals unless required to meet region-specific guidance from payment system(s). © 2025-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 5 < Combination CVMs> [Changes to Book 3] • Section 10.5.4 ➢ Delete the entire section but retain the section header as below to keep the sequence of the following sections unchanged. 10.5.4 Section has been deleted • Figure 8 ➢ Delete the description “For Combination CVMs, both CVMs must be supported.” under the note. ➢ Delete the description “Z in Part 5 – Combo. CVM” from the box after the decision box “Is CVM Code Supported?”. • Figure 9 ➢ Delete the descriptions “Plaintext PIN verification performed by ICC and Signature” and “Enciphered PIN verification performed by ICC and Signature” under the note 1. • Figure 12 ➢ Delete the entire flow of the Combination CVMs. • Annex C3, Table 43 (“CVM Codes”): In the table, change “Plaintext PIN verification performed by ICC and signature” and “Enciphered PIN verification performed by ICC and signature” to “RFU” © 2025-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 6 [Changes to Book 4] • Section 6.3.4: ➢ Among the four bullet points, delete the third bullet point related to Combined CVM. ⚫ For Combination CVMs, both CVM codes must be supported. • Section 6.3.4.5, Table 2: ➢ Delete the last two entries relating to Combined CVM: © 2025-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 7 [Changes to Book 1 and Book 2] • Section 4.1: ➢ Delete the entry of the TDOL. [Changes to Book 3] • Section 4.1: ➢ Delete the entry of the TDOL. • Section 5.4: ➢ Delete the third bullet point regarding the TDOL. ⚫ The Transaction Certificate Data Object List (TDOL) used to generate a TC Hash Value • Section 9.2.2: ➢ Delete the entire section but retain the section header as below to keep the sequence of the following sections unchanged. 9.2.2 Section has been deleted • Annex A1, Table 37: ➢ Delete the entries of the Default TDOL, TDOL, and TC Hash Value. • Annex A2, Table 38: ➢ Delete the entries of the TDOL and TC Hash Value. • Annex C5, Table 46, TVR Byte 5: ➢ For bit 8, change the value to 0 and the meaning to “RFU”. © 2025-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 8 • Common Core Definitions, 9.2.2 Transaction Certificate Data: ➢ Delete the entire section. • Common Core Definitions, Annex A Data Elements Dictionary: ➢ Delete the description above the Table CCD 6 and the Table CCD 6. [Changes to Book 4] • Section 4.1: ➢ Delete the entry of the TDOL. • Section 10.2, Table 7: ➢ Delete the entry of the Default TDOL from the table. • Section 12.1: ➢ Delete “and the TDOL” from the footnote 10. 10 At a minimum, all data listed in the Card Risk Management Data Object Lists and the TDOL shall be available at the point of transaction. © 2025-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 9 [Changes to Book 3] • Annex A1, Table 37 and Annex A2, Table 38: ➢ Delete following entries from the tables. ‘9F04’ (Amount, Other (Binary)) ‘9F3A’ (Amount, Reference Currency) ‘9F3B’ (Application Reference Currency) ‘9F43’ (Application Reference Currency Exponent) ‘81’ (Amount, Binary) ‘97’ (Transaction Certificate Data Object List (TDOL)) ‘98’ (Transaction Certificate (TC) Hash Value) [Changes to Book 4] • Annex C Example Data Element Conversion: ➢ Delete ‘or 81’ from the entry of Amount, Authorised. ➢ Delete ‘9F04 or’ from the entry of Amount, Other. © 2025-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 10 Legal Notice The EMV® Specifications are provided “AS IS” without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in these Specifications. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, AS TO THESE SPECIFICATIONS. EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to the Specifications. EMVCo undertakes no responsibility to determine whether any implementation of the EMV® Specifications may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of the EMV® Specifications should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, the Specifications may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement these Specifications is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party’s infringement of any intellectual property rights in connection with the EMV® Specifications © 2025-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 11