For chipset, platform and ICC vendors who would like to acquire payment industry certification in a smooth and flexible manner while actively working on improving their competitive advantages with security.
Riscure is accredited by the EMVCo consortium to perform IC and platform evaluations as well as Crypto Library assessments. Additionally building on top of vast experience acquired on System-on-Chip evaluations, Riscure is also the go-to lab for EMVCo evaluations of other form factors and technologies such as embedded or integrated secure elements.
Furthermore, all major payment scheme like VISA, Mastercard, Discover, American Express, and Cartes Bancaires accredit Riscure to conduct Integrated Circuit Card (ICC) evaluations.
Having in mind the usual market outreach payment products aim to make, Riscure offers efficient bundling of EMVCo program with other well-recognized standards, like Common Criteria.
To ensure least risk in the certification program and most optimal time to market, Riscure offers a wide array of developer supporting services intended to ensure the product’s quality and readiness of associated evidences. This results in more streamlined evaluation campaign with strict adherence to scheme requirements as pre-evaluation and official certification work are fully separated.
Any additional needs identified in our partnerships can be fulfilled with security training programs and security testing tools we offer.
The EMVCo or any other payment scheme evaluation starts with a Vulnerability Analysis during which design and implementation information is studied and potential vulnerabilities are identified and assessed. This results in a selection of tests for a penetration test campaign that aims at verifying whether the product resists against an attacker with a high attack potential.
The products can be evaluated on three different layers:
- Integrated Circuit (IC) evaluation
The evaluation of the IC includes all chip hardware as well as any software crypto libraries in the chip. Although this can be done through a dedicated EMVCo IC evaluation, vendors often choose Common Criteria certification for this stage, because most Smart Card chips can also be used in other domains, like governmental applications that require this certification. EMVCo recognizes the results of CC tests in their IC certification process so that both evaluations can be conducted together with minimum overhead.
This stage focuses on the Operating System as well as the chip. It is a composite evaluation, building upon the results of an IC evaluation. The scope includes all generic software, including cryptographic algorithms and other security mechanisms.
- Integrated Circuit Card (ICC) evaluation
This evaluation covers a complete product, including the platform and application(s). It is a composite evaluation that reuses chip evaluation, and potentially platform evaluation results. Riscure has the capacity and the capability to fully separate pre-evaluation and certification work. During a pre-evaluation you can prepare your product for the certification and thereby control risks very early in the development process.
Upon request we can support you in the investigation for security risks for your product outside of the scope mandated by EMVCo. We anticipate developments in terms of attack potential and threats in the field, and can creatively challenge the security of your product and uncover potential areas of concern so that you can stay ahead of attackers and properly plan the product roadmap for the future.