SE Bulletin nº 7: Development and production Site Audit
EMVCo SEWG Bulletin 7
Third Edition, March 2018

Development & Production Site Audit

This bulletin details the EMVCo Security Evaluation Working Group (SEWG) development & production site audit process and its updated guidelines document. Any questions in relation to this bulletin should be directed to the SEWG Secretariat at securityevaluation@emvco.com.

Applicability

This Bulletin applies to:
• EMVCo Evaluation Laboratories and EMVCo Product Providers

Related Documents
• EMV Security Guidelines, Development and Production Site Audit Guidelines, Version 1.1

Effective Date
• 1 March 2018

Background

The security evaluation of a chip product (e.g., IC, Platform, or ICC product) includes an onsite audit of its Product Provider’s development, production, and delivery infrastructure. This may include the facility at which the product will be programmed (e.g., in case of a flash memory product). In order to allow reuse of site audit results, the audits shall focus on all onsite processes applicable to EMVCo products (whenever possible with actual product evidence).

Development & Production Site Audit Process

The updated EMVCo development & production site audit process establishes common requirements and guidelines which an EMVCo Recognized Security Evaluation Laboratory ("Evaluation Laboratory") must use to perform an onsite audit on the development site and possibly the production site of a Product Provider. It allows Evaluation Laboratories to reuse existing audit results and reports to avoid duplication of effort and cost, and further reduces inter-Payment System redundancies and inconsistencies in the audit process.

If a site audit has never been performed, the Evaluation Laboratory will conduct a site audit as part of the first product evaluation. If a site audit has previously been conducted under a different evaluation scheme, the Evaluation Laboratory will assess the previous audit evidence against EMVCo requirements to establish the level of reuse that can be applied. The Evaluation Laboratory will also consider any changes to the site since the original audit date and present their findings to EMVCo. Each Product Provider must be registered with EMVCo before an EMVCo site audit report review can be conducted.

EMVCo considers a site audit to be valid for a period of five years from the audit completion date, assuming any small changes to the facility post audit have been reviewed by a trusted party and incorporated into the audit findings document. After the five-year period has elapsed, a renewal audit is required. EMVCo and each Payment System reserve the right to request an additional audit at any time.

Evaluation Laboratories must use the updated audit process to perform onsite audits on the development and production sites of a Product Provider.

Development & Production Site Audit Guidelines

The EMVCo Development and Production Site Audit Guidelines document establishes common requirements and guidelines for Evaluation Laboratories on how to perform an EMVCo site audit on the development, production, and delivery infrastructure of a Product Provider. Such site audits include the facility(ies) at which the products will be designed or produced as well as the facility(ies) at which the products will be programmed (e.g., in case of flash memory). For sites only involved in operations that could also be performed in the field (such as OTA personalization or application loading) using the same evaluated product security mechanisms, an audit might not be required.

The Development and Production Site Audit Guidelines document will also be helpful for Product Providers preparing for a site audit and is available in the secure section of the EMVCo website.

Development & Production Site Audit Report

The site audit report must include the audit scope, the implemented security measures (physical, logical and organizational), and the configuration and delivery management of the TOE and its subcomponents. The report must provide the Evaluation Laboratory’s assessment of whether the security measures properly protect the assets related to the product(s) developed.

Because the full site audit report contains an Evaluation Laboratory’s intellectual property, only a summary of the site audit report is shared with other laboratories via an EMVCo Shared Audit Report (SAR). For all new and previously audited sites, a SAR is required. For IC, Platform, and ICC products, the full audit report and SAR are submitted to EMVCo.

© 2013 - 2018 EMVCo, LLC ("EMVCo"). All rights reserved. Any and all uses of the EMV Specifications ("Materials") shall be permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at https://www.emvco.com/terms-of-use/.