TTA Bulletin nº 199: Contact Terminal Level 2 Type Approval Specific Approval and Restricted Renewal Rules

EMV® Terminal Type Approval Bulletin No. 199 Seventh Edition, June 2026 Contact Terminal Level 2 Type Approval Specific Approval and Restricted Renewal Rules SB272 - Update of Date Management Requirements Current Date management beyond January 2038 Default value of TAC SB308 - Contact Features Sunsetting - Phase 1 Applicability This Bulletin applies to: • All Contact Terminal Level 2 Type Approval Related Documents • Specification Bulletin No. 272 – Update of Date Management Requirements – 2nd Edition • Specification Bulletin No. 308 - EMV® Contact Chip Features Sunsetting – Phase 1 - 2nd Edition Effective Date • Immediate Description 1/ The SB272 - Update of Date Management Requirements, Specification Bulletin took effect in February 2023. This applicability is reflected in Contact Level 2 Application Kernel approval with the following rules: • Any new Kernel submitted for approval must implement the SB 272. • For Kernels already approved, the following specific rules apply: – If a Product Provider wants to submit an additional Configuration while the SB272 is not supported, the new configuration will be accepted. Tests that may be stated as fail in the test report submitted by the Laboratories are: • 2CC.147.00 to 2CC.157.00. © 2018 - 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. • 2CM.095.01. • Other Tests depending on the Tool implementation. – if a Product Provider applies for a renewal of a Letter of Approval for a Kernel not implementing the SB272, a Restricted Letter of Approval will be granted (without additional external audit) provided the Kernel passes all other applicable tests. Tests that may be stated as fail in the test report submitted by the Laboratories are : • 2CC.147.00 to 2CC.157.00. • 2CM.095.01. • Other Tests depending on the Tool implementation. The LoA validity will be set to January 1st, 2028 (4 years after the SB272 testing availability) – In both cases, the LoA will contain a note reflecting the fact that the SB272 is not supported. 2/ Current Date management above Year 2038: Some Kernel Implementation may not support transaction date beyond January 2038. This issue is accepted for the time being during any approval (initial Submission, Renewal or Additional Configuration). Note that a remark will be added to the Letter of Approval. Laboratories shall submit the test report with the related test cases stated as failed, and in comment of each failed test cases a reference to the present Bulletin 199 shall be added. 3 / Default value of TAC: In Level 2 Contact kernels ICS version 44c and 44d, it has been clarified that when the TAC Default is not present in the Product the default values supported by the Product is a TAC with all bits set to zero. So if the TAC default not present is supported by the Product, the tests 2CJ.167.01 and 2CJ.168.01 using a default value (zero) must be run. Any new Kernel submitted for approval shall follow strictly the EMV specification and so the current testing. Some previous implementations may not support the setting of the default value to zero therefore the following rules apply: • When adding a new configuration to or attempting a renewal of Kernel approved before March 2025, the following rules apply: If in the initial ICS the answer to the question ' Can the Terminal Action Codes be deleted or disabled?’ is 'yes' AND if the Product does not support the default value set to zero THEN the test cases 2CJ.167.01 and 2CJ.168.01 results are set to NA with a reference to the present Bulletin 199. 4 / The SB308 - EMV® Contact Chip Features Sunsetting – Phase 1 - 2nd Edition, Specification Bulletin scheduled to take effect in July 2026. This applicability is reflected in Contact Level 2 Application Kernel approval with the following rules: • The migration period described in the section 5.1, 5.2 and 5.3 of the Contact Level 2 Administrative Process - version 2.14.r for the introduction of the Contact Level 2 - Test Cases document - version 4.4d is extended to 6 months. • LoAs issued for Products not supporting SB308 during the migration period will have a Validity Date of July 1st, 2030 with no option for renewal. • Restricted Renewals related to SB308 not supported during renewal or additional configuration submissions will be performed without additional external audit. • Case of Unattended Configurations still supporting Offline Plaintext PIN: – Products implementing 308: As stated in SB308, Product Providers can keep on applying for LoAs covering Unattended configurations still supporting Offline Plaintext PIN for specific needs and © 2018 - 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. under the condition that an identical configuration without the Plaintext Pin is also supported. Product submission shall follow the below rules: • A dual Configuration model, with a Primary and a Secondary Unattended Configurations as below: o The Primary Unattended Configuration must not support the Offline Plaintext PIN. o The Secondary Unattended Configuration is strictly identical to the Primary Unattended Configuration except for Offline Plaintext PIN support. o The Secondary Unattended Configuration can be submitted at the same time as the Primary Unattended Configuration or later and an additional configuration. o When submitting a Secondary Unattended Configuration, the associated Primary Unattended Configuration number shall be provided in the ICS. – Product not implementing SB308: After the migration period, the same rules above for Product implementing SB308 applies. • • If required by the Implementation, Unattended Terminal with Offline Plaintext PIN Configurations can be submitted for New Product supporting SB308 under the below rules: 1. Always submitted in a Dual-configurations model with: 2. A Primary Configuration: Unattended Terminal with Offline Plaintext PIN not supported. 3. A Secondary Configuration: an optional Unattended Terminal with Offline Plaintext PIN supported. 4. Primary and Secondary Configurations shall be: – Strictly identical excluding the support of the Offline Plaintext PIN – Submitted at the same time 5. Unattended Terminal with Offline Plaintext PIN Configurations will have a maximum Validity Date of December 31st, 2033. Standard LoA validity rules apply for other configurations of the Product. © 2018 - 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Legal Notice This document is subject to change by EMVCo at any time. This document does not create any binding obligations upon EMVCo or any third party regarding the subject matter of this document, which obligations will exist, if at all, only to the extent set forth in separate written agreements executed by EMVCo or such third parties. In the absence of such a written agreement, no product provider, test laboratory or any other third party should rely on this document, and EMVCo shall not be liable for any such reliance. No product provider, test laboratory or other third party may refer to a product, service or facility as EMVCo approved, in form or in substance, nor otherwise state or imply that EMVCo (or any agent of EMVCo) has in whole or part approved a product provider, test laboratory or other third party or its products, services, or facilities, except to the extent and subject to the terms, conditions and restrictions expressly set forth in a written agreement with EMVCo, or in an approval letter, compliance certificate or similar document issued by EMVCo. All other references to EMVCo approval are strictly prohibited by EMVCo. Under no circumstances should EMVCo approvals, when granted, be construed to imply any endorsement or warranty regarding the security, functionality, quality, or performance of any particular product or service, and no party shall state or imply anything to the contrary. EMVCo specifically disclaims any and all representations and warranties with respect to products that have received evaluations or approvals, and to the evaluation process generally, including, without limitation, any implied warranties of merchantability, fitness for purpose or non-infringement. All warranties, rights and remedies relating to products and services that have undergone evaluation by EMVCo are provided solely by the parties selling or otherwise providing such products or services, and not by EMVCo, and EMVCo will have no liability whatsoever in connection with such products and services. This document is provided "AS IS" without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in this document. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON- INFRINGEMENT, AS TO THIS DOCUMENT. EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to this document. EMVCo undertakes no responsibility to determine whether any implementation of this document may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of this document should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, this document may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement this document is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party's infringement of any intellectual property rights in connection with this document. © 2018 - 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries.