Home Payment Cards

Payment Cards

Certification services for Payment Card and USIM

The global financial schemes Visa, MasterCard, JCB, American Express, China UnionPay and Discover are united in the EMVCo consortium that standardizes certification of Payment IC Cards and USIMs. Riscure is an accredited EMVCo certification lab that offers evaluation services for ICCs and USIM platform as well as mobile payment solutions under the Software Based Mobile Payment requirements. Riscure is also accredited to evaluate the security of MasterCard M/Chip and PayPass, Visa VSDC and VMPA, EMVCo CPA payment applications. For mobile payment solutions and platforms this includes Integrated Secure Elements, TEE platforms and operating systems, cloud based payment SDKs, etc.

Why Riscure?

Experience

Riscure analysts have been successfully performing security testing – with side channel attack techniques such as DPA – of banking cards since the late 90’s. With this extensive experience we work efficiently towards EMVCo, Visa and MasterCard certification. Riscure has been a JHAS member since its establishment; we are always up to date with the latest test requirements and maintain close (business) relationships with the schemes.

 

Time to market

Projects start by tailoring the evaluation process to your timelines and arranging clear and effective communication with your company throughout the project. Since Riscure is the world’s leading test-tool vendor, we have the benefit of an ample supply of the best test equipment. We are capable of running multiple activities in parallel to accelerate the evaluation process, thus extensive evaluation projects can be executed in a relatively short time. Our experience in performing security evaluations minimizes lead time, and we are generally able to serve our customers within one month following an evaluation request.

 
 

Highly insightful results

Instead of just delivering a report, we help vendors take the necessary actions to meet their Time-to-Market goals. Our service is focused on providing quality input to your development process. Through customer-focused mindset, we aim to deliver you the best value possible.

 
 

The EMVco evaluation model

The EMVCo evaluation model is risk-based, starting with a vulnerability analysis during which design and implementation information is studied. It results in a selection of tests, representing the greatest threats to the product. Penetration testing is used to verify whether the product resists the selected attacks. The products are evaluated in three stages:

 

Integrated Circuit (IC) evaluation

The evaluation of the IC includes all chip hardware as well as any software crypto libraries in the chip. Although this can be done through a dedicated EMVCo IC evaluation, vendors often use CC (Common Criteria) certification for this stage. As most Smart Card chips have multiple application domains, if some of them require this formal certification, it makes sense to seek CC certification. EMVCo recognizes the results of CC tests in their IC certification process.

 
 

Platform evaluation

This stage focuses on the Operating System as well as the chip. It is a composite evaluation, building upon the results of an IC evaluation. The scope includes all generic software, including cryptographic algorithms and other security mechanisms.

 
 
 

Integrated Circuit Card (ICC) evaluation

It covers a complete product, including the platform and application(s). This is a composite evaluation that reuses chip evaluation, and potentially platform evaluation results.

 
 
 
  • Contact us

  • Pascal van Gimst

  • Vice President Global Services Sales and Business Development