Visa Mobile. Proximity Payment Testing & Compliance Requirements for MicroSD and Mobile Accessories

Transcription

1 Visa Mobile Proximity Payment Testing & Compliance Requirements for MicroSD and Mobile Accessories Version 3.1 Effective: February 2014 Classification: Visa Public

2

3 Contents Contents 1 Preface Audience Purpose Scope and Assumptions Support and Contact Information Disclaimer Vendor Registration and Licensing Specifications and Requirements Terms and Definitions Abbreviations and Terminology Mobile Testing Overview Products Accepted for Testing Visa Business Requirements Mobile Component Overview MicroSD Mobile Accessory Component Specification and Requirements Security Testing Certification Process, Laboratories and Documentation Certification Process Overview GlobalPlatform Qualification Testing Test Plans and Test Tools Starting the Product Submission Process Submission of Testing Materials Test Laboratories Submission of Testing Materials for Functional Testing Requirements and Recommendation for Product Submission Submission Requirements for microsd with Secure Element and Internal Antenna Submission Requirements for microsd with Secure Element and No Antenna Submission Requirements for microsd with Handset (Antenna within the Handset) Submission Requirements for Mobile Accessory with embedded Secure Element (Antenna within the Mobile Accessory) Submission Requirements for Mobile Accessory with Removable Secure Element (Antenna within the Mobile Accessory) Utilizing Test Results Between Products Testing Over a Contact Interface Compliance Letters Legal Conditions and Restrictions Requesting a Compliance Letter Changes to Products with a Compliance Letter Renewal of Compliance Letters Secure Element Renewals Mobile Accessory Renewals Visa. All Rights Reserved. Visa Public Page 1

4 Contents 6.3 Mobile Products Renewal Process General Conditions and Exceptions Appendix A Revision History Appendix B Testing Requirements for Changes to a Compliant Mobile Product Appendix Structure Renewal Dates Limits to Change Process Paper Process Only Definitions and Acronyms Visa. All Rights Reserved. Visa Public Page 2

5 Preface 1 Preface 1.1 Audience This document is intended for vendors submitting the following mobile proximity payment product configurations to Visa for testing: MicroSD Mobile Accessory 1.2 Purpose This document provides detailed information related to the Visa testing submission process and the testing requirements for mobile proximity payment products. The intent of the document is to identify the forms and documents needed to correctly submit products for testing. The document also identifies testing requirements and process that are applied to the various mobile proximity payment products that a vendor may submit. 1.3 Scope and Assumptions The design of a mobile product with a payment application may vary significantly between vendors and products, so it is necessary to make certain assumptions regarding common functionality in order to perform testing on a mobile product while minimizing the effort and cost of testing. These assumptions include, but are not limited to the following: The mobile product complies with all required EMVCo and Visa contactless specifications and Visa testing requirements. An approved mobile payment applet developed to Visa Mobile Contactless Payment Specification (hence forth referred to as VMPA applet ) will reside on a (Visa) GlobalPlatform compliant secure element physically separated from the low level contactless analog interface component. Based on the product configuration digital functionality may or may not be separated from the secure element. The secure element complies with Visa GlobalPlatform (VGP) or GlobalPlatform (GP) specifications and may be directly connected to the proximity communication antenna (in this case, no separate contactless digital interface component). Products that are not developed to VGP or GP specifications are outside the scope of this document. Testing for compliance does not include testing of the user interface application (commonly referred to as a wallet) Visa. All Rights Reserved. Visa Public Page 3

6 Preface Only microsds, mobile accessories, and combinations thereof are addressed in this document. Vendors with mobile configurations outside of the scope of this document should refer to the Visa mobile testing requirements for handsets and secure elements document from the Visa Technology Partner website at The antenna and low level analog interface components may be powered with the phone battery or independently powered A handset shall be in an operational state. It shall be able to perform a payment transaction without any remote activation of controls. However, it is not necessary for the handset to have an active subscription enabled on a Mobile Network Operator ( MNO) ) since testing is not performed when the handset is connected to the MNO. For testing purposes, it shall be possible to remotely activate the contact and the contactless interface via defined commands sent to a client application residing in the handset. Refer to VMPA Test Tool Interface Requirements (Book 6). This document does not address additional Visa regional business requirements that may be required prior to deployment. 1.4 Support and Contact Information Visa s goals are to provide a formal, standardized process for testing mobile payment products and to enhance communication between all participants in the product testing and compliance process. Approval Services provides a single point of contact for vendors, testing laboratories and Visa personnel. Approval Services Contact Information Contact Method address: Website: Postal address: Delivery address: Contact Information ApprovalServices@visa.com Visa Inc. Approval Services Mailstop M4-2D PO BOX 8999 San Francisco, CA , USA Visa Inc. Approval Services Mailstop M4-2D 900 Metro Center Blvd. Foster City, CA 94404, USA Visa. All Rights Reserved. Visa Public Page 4

7 Preface 1.5 Disclaimer Visa does not warrant any of the information contained in this document and expressly disclaims any warranties of merchantability, fitness for purpose, and non-infringement of intellectual property rights. Visa provides all such information on an as-is basis, with all faults known and unknown. Visa s testing services and policies are subject to change by Visa in its sole discretion at any time without notice to any party. This document does not create any binding obligations on Visa or any third party. Nor does it change any obligations that may exist pursuant to separate written agreements between Visa and other parties. In the absence of a written binding agreement under which Visa has agreed to perform testing services for a mobile payment product manufacturer, no mobile payment product manufacturer should rely on this document to its detriment, nor shall Visa be liable for any such reliance. 1.6 Vendor Registration and Licensing VENDOR REGISTRATION, LICENSING, AND TESTING AGREEMENT EXECUTION Existing Vendor Yes New Vendor Vendor Registers on Visa Technology Partner (VTP) Vendor will be Submitting UICC/microSD/ ese Component for Certification? No Vendor has a Mobile Testing Agreement? No Vendor Completes Mobile Testing Agreement (ASTA) Vendor Given Access to Mobile Content on VTP End Yes Forms, Test Plans (if licensed), Documentation License Visa Mobile Specification on VTP Mandatory License Visa Mobile Software on VTP Mandatory As Needed Visa. All Rights Reserved. Visa Public Page 5

8 Preface All mobile payment product manufacturers must register on the Visa Technology Partner website at and have executed the appropriate testing agreement before they are eligible to submit a product for testing. A vendor that submits a product for Visa compliance testing is not required to license Visa mobile specifications or mobile software from Visa if (i) the product does not include a secure element, or (ii) the product includes a secure element, but the vendor does not and will not have the keys to access the security domain where the Visa-developed mobile applet resides. An example would be a handset-only submission - is a submission in which the handset does not contain a built-in secure element or UICC that is to be included in the compliance recognition from Visa. Secure element suppliers and vendors who will be submitting products with a secure element and have the keys to the security domain where the Visa-developed applet resides must license the applicable Visa mobile specifications and software. Licensing is handled at A Visa-recognized laboratory (hereafter referred to in this document as laboratory ) may only accept mobile payment products for official compliance testing from vendors authorized by Visa. Vendors wishing to perform debug QA testing at a laboratory do not need prior authorization from Visa. The definitions for seeking to become a Visa mobile payment product vendor are described below. Vendor Chip/OS Component Supplier Secure Element Supplier Mobile Product Supplier Definition The entity that supplies Chip/OS packages must have executed the necessary agreements with Visa to allow it to submit chip/os component packages (in an ID1 card format) directly to Visa for testing. The entity that provides the final Secure Element product and takes responsibility for the entire package: operating system, application, embedding of module and, when applies, the inlay/antenna. The entity that manufactures a mobile product capable of hosting the Secure Element and performing a Visa mobile contactless transaction Visa. All Rights Reserved. Visa Public Page 6

9 Preface 1.7 Specifications and Requirements Vendors are responsible for licensing and developing their products to comply with the appropriate specifications and requirements. The major relevant documents are listed in the table below. This list is not exhaustive of all specifications and requirements that may be used in the development of a Visa-compliant mobile payment product. The vendor developing a mobile payment product is ultimately responsible for obtaining all specifications and requirements relevant to the mobile payment product it submits for testing and compliance. Documentation Acronyms Document Acronym [EMV_SEWG] [EMV-CCP] [ETSI-001] [GP-BFC] [GP-CUC] [GP-MG] [MA] [SD-ACC] [SIM-PROF] [VCPS] [VCSP] [VGP-CIR] [VMCPS] [VMG-IUF] [VMG-IUP] [VMG-SCF] [VMG-SCP] [VMPA_MFPR] [VMPA_PROC] [VMPA_TP] [VTKPM] Document Title EMVCo Security Evaluation Process EMV Contactless Communication Protocol Specification v2.1 or higher. Also known as Book D ETSI TS UICC - Contactless Front-end (CLF) Interface; part 1 physical and data link layer characteristics GlobalPlatform Basic Financial Configuration GlobalPlatform Card UICC Configuration v1.0 or higher GlobalPlatform Mapping Guidelines of Existing GP Card Specification implementations or higher on v2.2 or higher Multi-Access Specification for VMPA v1.1 or higher Visa Mobile Proximity Payment Testing & Compliance Requirements microsd and Mobile Accessories SIM Profile Requirements for Functional Testing v1.0 or higher Visa Contactless Payment Specification v2.1.1 or higher Visa Chip Security Program Security Testing Process Visa GlobalPlatform Card Implementation Requirements Visa Mobile Contactless Payment Specification v1.4 or higher with Updates Lists Visa Mobile Gateway. Issuer Update Functional Specification Visa Mobile Gateway. Issuer Update Protocol Specification Visa Mobile Gateway. Secure Channel Functional Specification Visa Mobile Gateway. Secure Channel Protocol Specification Minimum Platform Functional Requirements for VMPA Implementations 1.0 or higher Visa Mobile Payment Application (VMPA) Test Process v1.2 or higher Visa Mobile Contactless Payment Specification Functional Testing Requirements v2.2 or higher Visa Toolkit & Process Message Specification v1.1 or higher Visa. All Rights Reserved. Visa Public Page 7

10 Preface 1.8 Terms and Definitions Term EMV EMVCo Handset microsd Midlet Mobile Device Near Field Communications Secure Element SIM User Interface VMPA VMPA Applet VMPA Core Definition EMV is a global specification for credit and debit payment cards based on chip card technology EMVCo manages, maintains and enhances the EMV Integrated Circuit Card Specifications for chip-based payment cards and acceptance devices, including point of sale (POS) terminals and ATMs. EMVCo also establishes and administers testing and approval processes to evaluate compliance with the EMV Specifications. EMVCo is currently owned by American Express, JCB, MasterCard and Visa. Another term for a mobile device, usually a mobile phone handset. An extended and removable memory card which may integrate a Secure Element. A memory card integrating a Secure Element may be plugged into a mobile handset. The interface that manages the interactions between the handset user and the VMPA applet. Also referred to as Visa Mobile Application or wallet. A portable electronic device with contactless and wide area communication capabilities. Mobile devices include mobile phones and other consumer electronic devices such as suitably equipped PDAs A short range contactless proximity technology based on ISO/IEC 18092, which provides for ISO/IEC compatible communications A tamper resistant module, capable of hosting applications in a secure manner Subscriber Identity Module An application on a UICC for management of mobile telephony authentication and functionality. Input and output components on a mobile device, for example, display, keyboard and touch screen. Visa Mobile Payment Application Visa Mobile Contactless Payment application hosted in the Secure Element A software application developed to [VMCPS] and [MA] that resides on a Secure Element in a mobile device. A version of the VMPA applet that excludes functionality required by removable UICC form factors Visa. All Rights Reserved. Visa Public Page 8

11 Preface 1.9 Abbreviations and Terminology Abbreviation AID APDU API AS ATS CPS DAP DES ETSI GP IC ICCN ICS ISD MSD NFC OS OTA PCN PDA POS QA qvsdc RF SE SIM SWP TTIA UAT UI VCPS VGP VMA VMCPS VMPA VTKPM Terminology Application Identifier Application Protocol Data Unit Application Programming Interface Approval Services Answer to Select Card Personalization Specification Data Authentication Pattern Data Encryption Standard European Telecommunication Standards Institute GlobalPlatform Integrated Circuit Integrated Circuit Certificate Number Implementation Conformance Statement Issuer Security Domain Magnetic Stripe Data (a Visa payment application for contactless cards) Near Field Communications Operating System Over the Air Platform Certificate Number Personal Digital Assistant Point of Sale Quality Assurance Quick VSDC (a Visa payment application for contactless cards) Radio Frequency Secure Element Subscriber Identification Module Single Wire Protocol, defined by [ETSI-001] Test Tool Interface Application User Acceptance Testing User Interface Visa Contactless Payment Specification Visa GlobalPlatform Visa Mobile Application Visa Mobile Contactless Payment Specification Visa Mobile Payment Application Visa Toolkit and Process Message Visa. All Rights Reserved. Visa Public Page 9

12 Mobile Testing Overview 2 Mobile Testing Overview Visa oversees testing of mobile proximity payment products that will be used to conduct Visa paywave payment transactions to ensure that they comply with Visa, GlobalPlatform and EMVCo specifications and requirements. Mobile products subject to such testing include, but are not limited to: MicroSD Mobile Accessories Depending on the configuration of the product submitted the testing process may involve: Analog and Digital (Contactless EMV Level 1) Visa Cross Testing Visa Mobile Payment Application testing (VMPA) Secure Element Platform Functional testing (GP/VGP) Secure Element Platform Security testing (EMV PCN) If the mobile product passes all tests required by Visa, Visa issues a Compliance Letter to the vendor. Visa s compliance recognition applies worldwide unless geographic restrictions are specified in the Compliance Letter. NOTE: The process described in this document does not approve vendors; it only denotes that a tested mobile product is compliant to Visa specifications and requirements. NOTE: A Compliance Letter is not transferable from one vendor s product to another product or from one vendor to another vendor Visa. All Rights Reserved. Visa Public Page 10

13 Mobile Testing Overview 2.1 Products Accepted for Testing This document only covers the following configurations of mobile products for compliance testing: microsd with Secure Element and Internal Antenna microsd with Secure Element and No Antenna Combination of microsd with Handset (Antenna within the Handset) Mobile Accessory with embedded Secure Element (Antenna within the Mobile Accessory) Mobile Accessory with removable Secure Element (Antenna within the Mobile Accessory) Visa will decide in its sole discretion whether to accept alternative configurations of mobile products for testing. Vendors should contact their regional Visa representative to determine if Visa will accept their alternative mobile product configuration. The Vendor must provide a complete description of the alternative mobile product to aid Visa in its decision-making. 2.2 Visa Business Requirements This document addresses Visa s testing requirements for mobile components, however, there are some additional business requirements that may be required prior to any deployment in the Visa system. Vendors should contact their regional Visa representative for details. 2.3 Mobile Component Overview To simplify the description of the testing program we have divided the mobile product into component zones. These component zones identify areas within a mobile product that perform different aspects of proximity Visa paywave mobile payment. The configurations and components within these zones are subject to this testing program. Four zones have been identified and are described in the following sections. Following the zone descriptions are diagrams showing some of the common mobile component configurations of zones, components, and the interfaces between these zones and components. NOTE: There is no Zone B referenced in this section A: Secure Element Component This component known as a Secure Element (SE) could also be identified by various names for the different form factor/product, such as microsd, embedded SE, etc. This component hosts the Visa Proximity Mobile Payment Application, the VMPA applet Visa. All Rights Reserved. Visa Public Page 11

14 Mobile Testing Overview C: Proximity Communication Antenna This component captures and transmits Radio Frequency (electromagnetic field) analog signals with an external device such as a contactless-enabled POS terminal D: Handset Device This component incorporates the previously described components as well as others related to the mobile wireless network. It also hosts the handset part of the Visa Proximity Mobile Payment Application, such as the user interface application (referred to as the wallet) MA: Mobile Accessory This component is an attachment unit to a mobile device with various proprietary methods Interaction between Components Although the mobile phone components must go through testing that is required for Visa, Visa testing focuses on the secure element (hosting the VMPA applet) and the contactless interface components. The tests that are performed and the tests that are out of scope are described in this document. The following diagrams represent three possible arrangements of components in a mobile phone. The diagrams indicate areas tested, areas not tested, and interfaces that may be exercised during testing. The following three diagrams are shown in different colors, which signify the following: Green: indicates the Secure Element component and some of the technologies that may be implemented in that component Red: indicates the Proximity Communication Interface component and some of the technologies that may be implemented in that component Black: indicates the Handset component and some of the technologies that may be implemented in that component. The figures that follow show the component zones A, C, D, and MA that are subjects of the testing and compliance process. These diagrams are simplified models used to represent what is usual and expected in today s mobile payment products. These diagrams are not based on any specific mobile payment product Visa. All Rights Reserved. Visa Public Page 12

15 Mobile Testing Overview Components with a Removable microsd with Internal Antenna D Base band CPU UI OTA Security Implementation SD I/O A SE GP (contactless) Security Review Digital C Analog Components with a Removable microsd with Antenna in the Handset D SD I/O A Secure SE CPU Base band UI OTA Security Implementation Analog C GP (contactless) Security Review Digital Visa. All Rights Reserved. Visa Public Page 13

16 Secure Element Mobile Testing Overview Components with a Mobile Accessory and Removable microsd D CPU CPU Base band Base band I/O A Secure Element GP (contactless) Security Review Digital - UI - OTA - Security Implementation Analog C E MA Components with a Mobile Accessory with Embedded Secure Element D CPU CPU Base band Base band I/O A Secure Element GP (contactless) Security Review Digital - UI - OTA - Security Implementation Analog C E MA Visa. All Rights Reserved. Visa Public Page 14

17 Mobile Testing Overview 2.4 MicroSD A vendor can submit a microsd for testing that is developed according to Visa GlobalPlatform (VGP) or GlobalPlatform (GP) specifications. MicroSDs developed to VGP specifications must be provided in a form factor that is functionally representative of the final form factor and compatible with qualified GlobalPlatform test tools. See Section 3.2 regarding GlobalPlatform Testing. Prior to submitting the microsd for testing the vendor must ensure that the embedded secure elements chip is listed on EMVCo s Approved Chips List and the platform is listed on EMVCo s Approved Platforms List. See Section 2.7 regarding Security Testing. The embedded secure element hosts the approved VMPA applet and Proximity Payment System Environment (PPSE) applications. The proximity communication antenna is used to transmit and receive radio frequency (electromagnetic field) analog signals to and from an external payment device directly to and from the microsd. This allows resident payment applications in the secure element to exchange commands related to payment transactions with an external payment device via the contactless interface. NOTE: The contact interface between the handset and the microsd is beyond the scope of this document. Once successfully tested, the vendor will receive a Compliance Letter for the product. The product can be listed on the either the public or private Visa Approval Services Mobile Compliant Products List, as chosen by the vendor. The public list is published on the Visa Technology Partner Network website. The Visa Compliance Letter will address the product s ability to host an approved VMPA applet and complete a Visa paywave payment transaction. At the very minimum, platforms must support the Visa Minimum Functional Platform Requirements for VMPA Implementations [VMPA_MFPR]. All other functionality (e.g. Single Wire Protocol (SWP) interface) is out of scope of Visa s compliance testing. It is the vendor s responsibility to ensure proper compliance to the respective standards issued by other organizations such as ETSI Visa. All Rights Reserved. Visa Public Page 15

18 Mobile Testing Overview MicroSD with Secure Element and Internal Antenna This configuration consists of a microsd with an embedded secure element and a proximity communication antenna in a single unit. For testing purposes only, a vendor shall be required to supply a handset with a TTIA in order to execute VMPA functionality. For more information refer to Book 6 - VMPA Test Tool Interface Requirements, available to download on the Visa Technology Partner website. Visa approves microsds with a secure element and internal antenna as a standalone component, independent of use in combination with any particular handset(s). However, because the testing necessarily requires use of a reference handset, the Compliance Letter shall state as tested with followed by the handset model name that was provided by the vendor for testing purposes. Visa does not issue Compliance Letters covering other potential combinations of the product with different handset models that were not used in testing, unless and until the vendor submits those specific combinations for testing by Visa and they are found to be compliant with Visa s applicable testing requirements. MicroSD with Secure Element and Internal Antenna Test Type Test Extent Zone Subject to Testing Supporting Specification(s) Analog Applicable A+C [EMV-CCP] Digital Applicable A+C [EMV-CCP] VGP/GP Platform Applicable A [GP-BFC] & [GP-MG] Functional Cross-Testing Applicable A+C Security Testing Full composite security A [VCSP] evaluation (platform and Visa payment applet) Visa Application Testing Applicable A [VMCPS] Visa. All Rights Reserved. Visa Public Page 16

19 Mobile Testing Overview MicroSD with Secure Element and No Antenna This configuration consists of a microsd with an embedded secure element. For testing purposes only, a vendor is required to supply a handset that contains the antenna supporting the contactless communication. In order to perform the Visa Application Testing the vendor shall also provide a Test Tool Interface Application residing on the mobile device. For more information refer to Book 6 - VMPA Test Tool Interface Requirements, available to download on the Visa Technology Partner website. Note: The Compliance Letter will state that the testing did not include timing tests as defined in Visa s specifications. MicroSD with Secure Element and No Antenna Test Type Test Extent Zone Subject to Testing Supporting Specification(s) Analog Not Applicable Digital Applicable A [EMV-CCP] VGP/GP Platform Functional (No Transaction Timing) Applicable A [GP-BFC] & [GP-MG] Cross-Testing Applicable A [VMCPS] Security Testing Full composite security A [VCSP] evaluation (platform and Visa payment applet) Visa Application Testing Applicable A [VMCPS] Visa. All Rights Reserved. Visa Public Page 17

20 Mobile Testing Overview MicroSD with Handset (Antenna within the Handset) This configuration consists of a microsd with an embedded secure element submitted in combination with a handset containing a contactless communication antenna. In order to perform the Visa Application Testing the vendor shall provide a Test Tool Interface Application residing on the mobile device. For more information refer to Book 6 - VMPA Test Tool Interface Requirements, available to download on the Visa Technology Partner website. MicroSD with Handset (Antenna Within the Handset) Test Type Test Extent Zone Subject to Testing Supporting Specification(s) Analog Applicable A+C [EMV-CCP] Digital Applicable A+C [EMV-CCP] VGP/GP Applicable A [GP-BFC] & [GP-MG] Platform Functional Cross-Testing Applicable A+C [VMCPS] Security Full composite security A [VCSP] Testing evaluation (platform and Visa payment applet) Visa Application Testing Applicable A [VMCPS] Visa. All Rights Reserved. Visa Public Page 18

21 Mobile Testing Overview MicroSD with Handset (Antenna Within the Handset) Phone Baseband User Interface Application Secure Element Proximity Payment System Environment VMPA SE Visa. All Rights Reserved. Visa Public Page 19

22 Mobile Testing Overview 2.5 Mobile Accessory A vendor can submit a secure element for testing that is developed according to VGP or GP specifications. Secure Elements developed to Visa GlobalPlatform specifications must be provided in a form factor that is functionally representative of the final form factor and compatible with qualified GlobalPlatform test tools. See Section 3.2 regarding GlobalPlatform testing process. Prior to submitting the secure element for testing the vendor must ensure that the embedded secure element s chip is listed on EMVCo s Approved Chips List and the platform is listed on EMVCo s Approved Platforms List (see Security Testing). The embedded secure element hosts the approved VMPA applet and Proximity Payment System Environment (PPSE) applications. The proximity communication antenna is used to transmit and receive radio frequency (electromagnetic field) analog signals to and from an external payment device directly to and from the secure element. This allows resident payment applications in the secure element to exchange commands related to payment transactions with an external payment device via the contactless interface. NOTE: The attachment interface between the handset and the accessory is beyond the scope of this document. Once successfully tested, the vendor will receive a Compliance Letter for the accessory. The product can be listed on the either the public or private Visa Approval Services Mobile Compliant Products List, as chosen by the vendor. The public list is published on the Visa Technology Partner Network website. The Compliance Letter will address the product s ability to host the VMPA applet and complete a Visa paywave payment transaction. At the very minimum, platforms must support the Visa Minimum Functional Platform Requirements for VMPA Implementations [VMPA_MFPR]. All other functionality (e.g. Single Wire Protocol (SWP) interface) is out of scope of Visa s compliance testing. It is the vendor s responsibility to ensure proper compliance to the respective standards issued by other organizations such as ETSI Visa. All Rights Reserved. Visa Public Page 20

23 Mobile Testing Overview Mobile Accessory with Embedded Secure Element (Antenna within the Accessory) This configuration consists of a mobile accessory with an embedded secure element and a proximity communication antenna in a single unit. A mobile accessory is a unit attached to a mobile device via various proprietary methods. For testing purposes only, a vendor may be required to supply a handset in order to execute Visa s payment functionality. In order to perform the Visa Application Testing the vendor shall provide a Test Tool Interface Application residing on the mobile device. For more information refer to Book 6 - VMPA Test Tool Interface Requirements, available to download on the Visa Technology Partner website. Visa approves the mobile accessory with an embedded SE as a standalone component, independent of use in combination with any particular handset(s). However, because the testing necessarily requires use of a reference handset, the Compliance Letter shall state as tested with followed by the handset model name that was provided by the vendor for testing purposes. Visa does not issue Compliance Letters covering other potential combinations of the product with different handset models that were not used in testing, unless and until the vendor submits those specific combinations for testing by Visa and they are found to be compliant with Visa s applicable testing requirements. Mobile Accessory with Embedded Secure Element (Antenna within the Accessory) Test Type Test Extent Zone Subject to Testing Supporting Specification(s) Analog Applicable A+C [EMV-CCP] Digital Applicable A+C [EMV-CCP] VGP/GP Platform Applicable A [GP-BFC] & [GP-MG] Functional Cross-Testing Applicable A+C [VMCPS] Security Testing Full composite security A [VCSP] evaluation (platform and Visa payment applet) Visa Application Testing Applicable A [VMCPS] Visa. All Rights Reserved. Visa Public Page 21

24 Mobile Testing Overview Mobile Accessory with Removable Secure Element (Antenna within the Accessory) This configuration consists of a mobile accessory with a proximity communication antenna, in combination with a removable secure element, such as a microsd. A mobile accessory is a unit attached to a mobile device via various proprietary methods. For testing purposes only, a vendor is required to supply a handset with a Test Tool Interface Application residing on the mobile device. For more information refer to Book 6 - VMPA Test Tool Interface Requirements, available to download on the Visa Technology Partner website. Visa approves the mobile accessory with a removable SE as a standalone component, independent of use in combination with any particular handset(s). However, because the testing necessarily requires use of a reference handset, the Compliance Letter shall state as tested with followed by the handset model name that was provided by the vendor for testing purposes. Visa does not issue Compliance Letters covering other potential combinations of the product with different handset models that were not used in testing, unless and until the vendor submits those specific combinations for testing by Visa and they are found to be compliant with Visa s applicable testing requirements. Mobile Accessory with Removable Secure Element (Antenna within the Accessory) Test Type Test Extent Zone Subject to Testing Supporting Specification(s) Analog Applicable A+C [EMV-CCP] Digital Applicable A+C [EMV-CCP] VGP/GP Platform Applicable A [GP-BFC] & [GP-MG] Functional Cross-Testing Applicable A+C [VMCPS] Security Testing Full composite security A [VCSP] evaluation (platform and Visa payment applet) Visa Application Testing Applicable A [VMCPS] Visa. All Rights Reserved. Visa Public Page 22

25 Mobile Testing Overview 2.6 Component Specification and Compliance The components described in this document are developed based on specifications defined by various standards bodies such as GlobalPlatform or EMVCo. Visa acknowledges that some of these organizations have developed a compliance program for their respective specification and Visa will incorporate those programs into Visa s compliance process. Among these various compliance programs, certain plans exist that grant testing laboratories the following: The right to perform the tests The authority to provide test results The authority to certify the component 2.7 Security Testing Security testing is required for the secure element hosting the VMPA applet. It is not currently applicable to other components of the mobile handset, including the NFC device containing the contactless interface components. Security testing goes beyond the functional testing to help determine whether the secure element is vulnerable to known attacks, whether or not these are explicitly cited in the specification. Security testing is not exhaustive and focuses on the most likely vulnerabilities as revealed by previously conducted testing, knowledge of the particular application(s), and past experience with similar products. The Visa Chip Security Program (VCSP) seeks to minimize the cost and time spent in performing evaluation work and, where possible, to avoid duplication of effort. A copy of the VCSP process document can be downloaded from the Visa Technology Partner website. The VMPA applet must only be loaded on an EMVCo approved platform. EMVCo issues a platform certificate with a Platform Certificate Number (PCN) for platform products that successfully complete the EMVCo security evaluation process [EMV- SEWG]. Visa will accept new mobile products only if the secure element has successfully completed the EMVCo testing and is posted on the EMVCo Approved Chip and Approved Platform Lists ( The VMPA applet residing on the EMVCo approved platform must successfully complete a Visa composite security evaluation (e.g., platform with VMPA applet) with High as required level of assurance (see [VCSP]) by a Visa recognized security lab. The lab must verify that the final composite product fulfills all the platform requirements as documented in the latest EMVCo Shared Evaluation Report (SER). This document defines what security mechanisms are implemented by the platform and the scope of previously performed security testing. It provides mandatory security requirements and highlights areas of potential concern Visa. All Rights Reserved. Visa Public Page 23

26 Mobile Testing Overview Any pre-loaded or future (post-issuance) application loaded on the secure element must not impact the security of the Visa payment application assets. Each application must pass the byte code verifier and must meet all requirements in the latest platform security guidance documents. If the mobile product is based on an open EMVCo platform product, composite security evaluations of basic applications should comply with the GP Composition Model principles. If the mobile product is a closed platform product and there is a change, then a VCSP delta security evaluation is required. Note: Visa composite security evaluation can be authorized once the EMVCo platform security evaluation has started. In this case, the vendor must acknowledge that starting the composite evaluation prior to EMVCo approval is at own risk and cost. For More Information For detailed information on the EMVCo Platform Security Evaluation process, please see EMVCo Security Evaluation Process document [EMV-SEWG] available at or contact the EMVCo Security Evaluation Secretariat at securityevaluation@emvco.com with any questions about the process. For further information on the Visa chip security testing process [VCSP], please refer to the Visa Chip Security Program Security Testing Process document on the Visa Technology Partner website Visa. All Rights Reserved. Visa Public Page 24

27 Certification Process, Laboratories and Documentation 3 Certification Process, Laboratories and Documentation 3.1 Certification Process Overview PRODUCT SUBMISSION AND COMPLIANCE TESTING PROCESS INITIAL STAGE TESTING STAGE SUBMISSION STAGE REVIEW STAGE Complete Mobile Questionnaire Approval Services Reviews Questionnaire and Determines Testing Requirements Vendor and Laboratories Schedule Test Slot Laboratory Provides Test Results to Vendor Visa Reviews Test Results Vendor Notified of Testing Requirements Vendor Provides Visa Forms & Samples to Laboratories Vendor Authorizes Laboratories to Release Test Results to Visa Test Results Meet Visa s Requirements? No Failure Notification Issued Yes Chosen Laboratories Authorized for Visa Testing Laboratories Perform Authorized Testing Laboratories send Test Results to Visa Compliance Letter Issued To reduce the duplication of testing for vendors, Visa s program utilizes testing and certification programs offered by EMVCo and GlobalPlatform. Depending on the configuration and technical specifications of the mobile product, Visa may require the product to have been certified by those organizations prior to submitting the product to Visa Visa. All Rights Reserved. Visa Public Page 25

28 Certification Process, Laboratories and Documentation The following table shows which areas of testing each organization qualifies: Visa. All Rights Reserved. Visa Public Page 26

29 Certification Process, Laboratories and Documentation EMVCo s certification programs cover chips and platforms used for Secure Elements, whether embedded or removable. Visa s program covers Secure Elements, Handsets, Accessories, and combinations thereof, with different testing requirements for each. See Section 4 for more information. Visa testing may be performed in parallel at the request of the vendor at their own risk. Furthermore, a product being tested by more than one organization may also be performed in parallel (e.g. GlobalPlatform testing and Visa testing), again at the request of the vendor and at their own risk Visa. All Rights Reserved. Visa Public Page 27

30 Certification Process, Laboratories and Documentation 3.2 GlobalPlatform Qualification Testing A vendor can submit a secure element for testing that is developed according to Visa GlobalPlatform (VGP) or GlobalPlatform (GP) specifications. GlobalPlatform manages the platform functional testing for both VGP and GP platforms. Secure Elements developed to Visa GlobalPlatform specifications must be provided in a form factor that is functionally representative of the final form factor and compatible with qualified GlobalPlatform test tools. Secure Elements developed to VGP specifications shall be tested either as a card form factor to Basic Financial Configuration with Mapping Guidelines [GP-BFC] and [GP-MG]. Visa only accepts official GP test results performed by a GP-qualified laboratory. Selftesting results are not accepted as proof of specification compliance. Vendors shall provide a SCO Form and Qualification Letter from GP to Visa in support of their Visa submission process. Visa requires Secure Elements to have a Qualification Letter issued by GlobalPlatform prior to the issuance of the Visa Compliance Letter. Vendors who are unable to receive a Letter of Qualification from GP because their product does not support all mandatory GP requirements may request a Compliance Assessment Report (CAR) from GP. Visa will only review a final GP CAR. As a temporary exception process, vendors who provide a GP CAR to Visa where the product meets Visa s minimum functional platform requirements may be eligible to receive a Compliance Letter from Visa without a Letter of Qualification from GP. Refer to Visa Minimum Platform Functional Requirements for VMPA Implementations [VMPA_MFPR] for technical requirements. More information about the GlobalPlatform compliance testing process can be found on their website at Test Plans and Test Tools Test plans and commercial test tools with associated test scripts are available to assist vendors in quality assurance (QA) testing. These test tools are not intended as a replacement for Visa testing. Successful completion of all the test scripts by the vendor does not imply compliance, nor does it duplicate Visa s full testing process. Visa reserves the right to develop and run additional tests that are not defined as part of the current test plans or tools. Visa testing may include subjecting the product to additional physical and situation-specific tests as needed. Commercial test tools and test scripts are available from test tool suppliers. Vendors must have licensed the Visa mobile specification and software before acquiring the mobile test tools Visa. All Rights Reserved. Visa Public Page 28

31 Certification Process, Laboratories and Documentation Information about Visa test tools can be found at Information about EMVCo test tools can be found at Information about GlobalPlatform test tools can be found at The following Visa test plans are available on the Visa Technology Partner website to licensed users: Visa Mobile Payment Application (VMPA) Visa Toolkit and Process Message (VTKPM) Before requesting a test plan, the following agreements need to be executed with Visa: All applicable Visa Technology License Agreements. Technology licensing is handled at Approval Services Testing Agreement for Mobile Proximity Payment Products (ASTA) or Approval Services Documentation License Agreement Possession and use of these materials is subject in all respects to the terms of the ASTA or documentation license agreement. Test plans and test scripts are subject to enhancements and modifications at any time. Test plan revisions will be accumulated and made available to vendors with new releases as determined by Visa. It is the vendor s responsibility to ensure that they have the most current test plan available. Vendors should contact their tool supplier to obtain any test script updates. Test case updates are published in the query application on the Visa Technology Partner website, available to authorized users only. Visa grants permission to use the test plans solely for purposes of QA testing for use in connection with a Visa payment application. Visa may revoke its permission at any time for any or no reason. Possession and use of these materials is subject in all respects to the terms of the ASTA or documentation license agreement. Test plans and all intellectual property subsisting therein are the property of Visa. THESE MATERIALS ARE PROVIDED ON AN AS IS BASIS WITH ALL FAULTS. VISA DISCLAIMS ALL WARRANTIES PERTAINING TO THESE MATERIALS, EXPRESSED OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR PURPOSES, OR NON INFRINGEMENT Visa. All Rights Reserved. Visa Public Page 29

32 Certification Process, Laboratories and Documentation 3.4 Starting the Product Submission Process Before submitting any mobile product for testing, vendors must execute the current Approval Services Testing Agreement for Mobile Proximity Payments (ASTA) with Approval Services. Additionally, vendors will also need to execute any agreements required by the Laboratory that performs the testing. Once the legal agreements have been executed, vendors are eligible to submit the necessary paperwork to start the testing process. The following table lists the forms required for product testing. All the Visa forms are available on the Visa Technology Partner website. All information must be provided in English. A mobile product questionnaire is required by Approval Services to start the product submission process. If the product submission includes a secure element a VMPA ICS form is also required along with the questionnaire. Documentation Required for Testing and Evaluation Form Approval Services Mobile Questionnaire Exhibit A: Request for Testing Services or Request for Testing Review (addendum to ASTA) Implementation Conformance Statement (ICS) Request for Compliance Form Single Production Batch Confirmation Form Mobile Product Conformance Form Description Information regarding the submission of a mobile product for testing. Allows Visa to determine whether the mobile product is eligible for submission. Establishes Visa s right to review results submitted by the vendor, following testing at a laboratory. Handset-only submissions will use the Request for Testing Review form. All other submissions shall use the Request for Testing Services form. Detailed information regarding the Visa payment application, platform, or interface. A separate statement is required for each: Contactless Interface Analog & Digital VMPA (including VTKPM) Official request for Visa to begin the compliance review for a mobile product tested at a laboratory. Declares that the secure elements supplied to the laboratories and Approval Services are all from the same production batch and are identical. Only required for configurations involving secure elements. Attests that a compliant product has been changed and remains compliant with the Visa specifications, policies and requirements Visa. All Rights Reserved. Visa Public Page 30

33 Certification Process, Laboratories and Documentation Additional Documentation Required for Testing and Evaluation Form GlobalPlatform Letter of Qualification (or Conformance Assessment Report) and SCO Form EMVCo Platform Certificate Description Vendors whose product has gone through GlobalPlatform functional testing shall provide the long version of the LOQ including any Conformance Assessment Report (if applicable) and the SCO Form. See section 3.2. Vendors whose product has gone through EMVCo platform security testing shall provide a copy of the certificate if the platform is not published on EMVCo s Approved Platforms List on their website. 3.5 Submission of Testing Materials Products submitted for testing must be in the final configuration that will be deployed commercially. When providing a handset, the vendor must include all cables and batteries required to operate the handset including detailed operating instructions and how to configure the device for NFC communication. Handsets should be marked to show the location of the zero point. Secure Elements must contain a Visa-approved VMPA applet and PPSE applet, preinstalled and personalized. All debugging code must be removed from the product before it is submitted for testing. Failure to remove this code may cause the product to fail testing. All commands and status words for microsds must be identified in the technical documentation submitted with the microsd for testing. Failure to identify commands and status words in the technical documentation may cause the product to fail testing. Commands that can update the product must be in compliance with the Visa specifications Visa. All Rights Reserved. Visa Public Page 31

34 Certification Process, Laboratories and Documentation 3.6 Test Laboratories Testing will not begin until the laboratory has received all required items. If any required item is incorrect or non-functioning, the test slot may be delayed. Please contact the Laboratory for current pricing and to arrange scheduling of testing. When testing is complete, the Laboratory will provide the vendor with a report outlining the test results. The vendor is required to grant authorization for the Laboratory to provide the test reports to Approval Services. Approval Services will evaluate the test results and provide the vendor with information about the usability of the product in Visa deployments. Testing Available by Visa-Recognized Laboratory Testing Laboratory Contactless EMV Analog & Digital VMPA Security (VCSP) Applus+ Brightsight B.V. CEA-LETI CETECOM ICT Fime Europe ICTK Riscure B.V. Security Research & Consulting Serma Technologies Thales Security Solutions & Services T-Systems GEI TUV Informationstechnik TUV SUD Japan UL Transaction Security Visa. All Rights Reserved. Visa Public Page 32

35 Submission of Testing Materials for Functional Testing 4 Submission of Testing Materials for Functional Testing This section details the materials that the vendor must submit to the laboratory for Visa functional testing. 4.1 Requirements for Product Submission The vendor must provide the following technical documentation in order for the laboratory to conduct functional testing: User guide detailing how to operate the handset/accessory and access the payment application. Presentation of contactless product and location of the zero point. When presenting personalized secure elements beware of the following requirements: EMV CPS personalization is required to personalize the VMPA applet. If the mobile product allows multiple application instances with pre-personalized images, the documentation must also explain how to select among the different applications with specific instruction on how to obtain the application image(s) needed for Visa s testing requirements. The vendor shall use a Visa-approved VMPA applet Secure elements containing a Visa-developed VMPA applet shall be provided as follows: the Visa Library loaded (if VMPA Core is used) the VMPA applet loaded, Container installed and VMPA personalized with images Mobile00, 30 or 35 depending on the test (as defined in [VMPA_TP]) SIM profile configured as described in [SIM-PROF] A Proximity Payment System Environment (PPSE) applet installed and configured. Products should be clearly marked with the Visa Reference Number, the VMPA applet version and build number, and mobile image the VMPA applet was personalized with. When presenting handsets beware of the following requirements: The vendor shall include all cables and batteries required to operate the handset. Handsets should be clearly marked with its assigned Visa Reference Number Visa. All Rights Reserved. Visa Public Page 33

36 Submission of Testing Materials for Functional Testing If providing a handset, the mobile phone shall be configurable in a manner that allows a test environment to be setup for testing. This test environment may be comprised of one of the following: A mechanism or test application residing on the handset (zone D) which allows the phone to remain on for multiple transactions avoiding any enduser intervention in order to perform in batch mode: contactless analog, contactless digital, GlobalPlatform functional, and VMPA testing A test configuration of the contactless analog and digital interface components avoiding any interference of any other proprietary contactless application/protocol in order to perform in batch mode: contactless analog, contactless digital, GlobalPlatform functional, Cross Testing, and VMPA testing. A Test Tool Interface Application is required on the handset if VMPA testing is required. The microsd shall be able to perform contactless transactions with the handset switched on. Visa does not require the microsd to be able to perform contactless transactions with the handset switched off; however, if this functionality is implemented, it must be stated in the accompanying documentation. When sending samples to Visa for cross testing, the shipper is responsible for completing and providing all required US Customs forms, including FCC Form 740. The shipper shall be liable for any and all costs associated with releasing an impounded shipment seized by US Customs due to missing or incomplete paperwork. Please note: Testing will not begin until the laboratory has received all required items. If any required item is incorrect or non-functioning, the test slot may be delayed. Vendors have six months from the date Approval Services authorized the laboratory testing to submit all test results to Approval Services for review. The number of samples stated is the minimum required. Additional samples may be required or provided upon request. Under special conditions Approval Services may authorize a vendor s request to perform parallel testing (i.e. testing of more than one component at the same time). When a vendor is testing more than one component in parallel, the vendor shall provide additional samples as described in the table above for each component being tested in parallel. The vendor should contact Approval Services to determine if parallel testing is appropriate and accept the risks involved. Vendors shall indicate, either directly on the product samples or on the shipping documentation, the Visa Reference Number of the product(s) being tested and contained in the shipment Visa. All Rights Reserved. Visa Public Page 34

37 Submission of Testing Materials for Functional Testing VMPA shall be personalized according to the submitted VMPA ICS form. The ICS form shall accurately represent the personalization of the samples. After testing is complete, the Laboratory and/or Visa will retain the tested components for any subsequent testing that may be required. 4.2 Submission Requirements for microsd with Secure Element and Internal Antenna The vendor is required to provide the following items for functional testing: Test Description Labs Number of Samples Required for Testing Personalization Profile EMV Contactless Level 1 Testing Analog and Digital External Lab 1 Handset 6 microsds GlobalPlatform Platform Testing VMPA Testing 3 microsds Type A with Mobile00 AND 3 microsds Type B with Mobile00 OR 6 microsds Type A&B with Mobile00 VMPA is pre-installed and personalized. External Lab Refer to GlobalPlatform Refer to GlobalPlatform VMPA Testing External Lab 1 Handset with TTIA 8 microsds Cross Testing Cross Testing Visa Lab 3 Handset (more than 1 Handset allows for testing in parallel) 4 microsds 6 microsds with Mobile00 2 microsds with Mobile30 The type (A, B and A&B) is not important for this test, so is left to vendor discretion. 4 microsds Type A&B with Mobile00. NOTE: Visa reserves the right to conduct additional testing on any products that have gone through the testing and compliance process Visa. All Rights Reserved. Visa Public Page 35

38 Submission of Testing Materials for Functional Testing 4.3 Submission Requirements for microsd with Secure Element and No Antenna The vendor is required to provide the following items for functional testing: Test Description Labs Number of Samples Required for Testing Personalization Profile EMV Contactless Level 1 Testing Digital External Lab 1 Handset 6 microsds 1 Handset sleeve with microsd slot and built-in antenna. GlobalPlatform Platform Testing VMPA Testing 3 microsds Type A with Mobile00 AND 3 microsds Type B with Mobile00. OR 6 microsds Type A&B with Mobile00 VMPA is pre-installed and personalized. External Lab Refer to GlobalPlatform Refer to GlobalPlatform VMPA Testing External Lab 1 Handset with TTIA 8 microsds 1 Handset sleeve with microsd slot and built-in antenna. Cross Testing Cross Testing Visa Lab 3 Handsets (more than 1 Handset allows for testing in parallel) 4 microsds 3 Handset sleeves with microsd slot and built-in antenna. 6 microsds with Mobile00 2 microsds with Mobile30 VMPA is pre-installed and personalized. The type (A, B and A&B) is not important for this test, so is left to vendor discretion. 4 microsds Type A&B with Mobile00. NOTE: Visa reserves the right to conduct additional testing on any products that have gone through the testing and compliance process Visa. All Rights Reserved. Visa Public Page 36

39 Submission of Testing Materials for Functional Testing 4.4 Submission Requirements for microsd with Handset (Antenna within the Handset) The vendor is required to provide the following items for functional testing: Test Description Labs Number of Samples Required for Testing Personalization Profile EMV Contactless Level 1 Testing Analog and Digital External Lab 1 Handset 6 microsds GlobalPlatform Platform Testing VMPA Testing 3 microsds Type A with Mobile00 AND 3 microsds Type B with Mobile00 OR 6 microsds Type A&B with Mobile00 VMPA is pre-installed and personalized. External Lab Refer to GlobalPlatform Refer to GlobalPlatform VMPA Testing External Lab 1 Handset with TTIA 8 microsds Cross Testing Cross Testing Visa Lab 3 Handsets (more than 1 Handset allows for testing in parallel) 4 microsds 6 microsds with Mobile00 2 microsds with Mobile30 The type (A, B and A&B) is not important for this test, so is left to vendor discretion. 4 microsds Type A&B with Mobile00. NOTE: Visa reserves the right to conduct additional testing on any products that have gone through the testing and compliance process Visa. All Rights Reserved. Visa Public Page 37

40 Submission of Testing Materials for Functional Testing 4.5 Submission Requirements for Mobile Accessory with embedded Secure Element (Antenna within the Mobile Accessory) The vendor is required to provide the following items for functional testing: Test Description Labs Number of Samples Required for Testing Personalization Profile EMV Contactless Level 1 Testing Analog and Digital External Lab 2 Handsets 2 Accessories GlobalPlatform Platform Testing VMPA Testing 1 Accessory Type A with Mobile00 AND 1 Accessory Type B with Mobile00 OR 2 Accessory Type A&B with Mobile00 VMPA is pre-installed and personalized. External Lab Refer to GlobalPlatform Refer to GlobalPlatform VMPA Testing External Lab 1 Handset with TTIA 2 Accessories Cross Testing Cross Testing Visa Lab 2 Handsets 2 Accessories VMPA is pre-installed and personalized with Mobile00 on one accessory, and Mobile30 on the other. The type (A, B and A &B) is not important for this test, so is left to vendor discretion. 2 Accessories Type A&B with Mobile00. VMPA is pre-installed and personalized. NOTE: Visa reserves the right to conduct additional testing on any products that have gone through the testing and compliance process Visa. All Rights Reserved. Visa Public Page 38

41 Submission of Testing Materials for Functional Testing 4.6 Submission Requirements for Mobile Accessory with Removable Secure Element (Antenna within the Mobile Accessory) The vendor is required to provide the following items for functional testing: Test Description Labs Number of Samples Required for Testing Personalization Profile EMV Contactless Level 1 Testing Analog and Digital External Lab 1 Handset 1 Accessory 6 microsds GlobalPlatform Platform Testing VMPA Testing 3 microsds Type A with Mobile00 AND 3 microsds Type B with Mobile00 OR 6 microsds Type A with Mobile00 VMPA is pre-installed and personalized. External Lab Refer to GlobalPlatform Refer to GlobalPlatform VMPA Testing External Lab 1 Handset with TTIA 1 Accessory 8 microsds Cross Testing Cross Testing Visa Lab 3 Handsets (more than 1 Handset allows for testing in parallel) 3 Accessories 4 microsds 6 microsds with Mobile00 2 microsds with Mobile30 The type (A, B and A&B) is not important for this test, so is left to vendor discretion. 4 microsds Type A&B with Mobile00. VMPA is pre-installed and personalized. NOTE: Visa reserves the right to conduct additional testing on any products that have gone through the testing and compliance process Visa. All Rights Reserved. Visa Public Page 39

42 Submission of Testing Materials for Functional Testing 4.7 Utilizing Test Results Between Products Vendors that have executed the ASTA may have the opportunity to leverage functional test reports from previously certified components. A product that uses shared test results may require reduced testing. If Visa discovers a defect in a previously certified product, all vendors involved in the sharing consent to Visa's communication of all relevant information to each affected vendor and its customers, including an explanation of the nature of the defect and products at issue. Shared test results are only permitted under and are subject to the following conditions: NOTE: All vendors involved in the sharing have signed the appropriate agreements allowing results to be shared. The components being leveraged have been tested and certified by Visa with no issues. The components being leveraged are not already sharing test results from another product. A product using shared results will be tied to the original product The new product will receive the same expiration date as the product from which the results are shared. If for any reason the original product is not renewed, any product sharing testing results will not be renewed either. If the original product is revoked, then all products sharing testing results will be revoked. If the original product is modified and/or updated, then all products sharing testing results may require additional testing. If a product is submitted for full testing it receives an independent certification and its expiration date is not tied to any other product Visa. All Rights Reserved. Visa Public Page 40

43 Submission of Testing Materials for Functional Testing 4.8 Testing Over a Contact Interface When Approval Services tests the microsd or mobile accessory with embedded Secure Element over the contact interface, Visa tests the GlobalPlatform content management and personalization functionality to ensure that the component is able to handle all APDU commands destined for the Secure Element via the contact interface. Visa also tests the Visa-approved VMPA applet to ensure its adherence to EMVCo Common Personalization commands and the Issuer Update commands that are involved with any OTA connectivity, as well as the Consumer Device commands, such as Passcode Verification over the contact interface. The vendor submitting a microsd or mobile accessory with embedded Secure Element must provide the tester a means to issue APDU commands over the contact interface to the product. The vendor shall provide a means so that the Visa Test Script Execution Tool is able to establish a PCSC connection to the product. Alternatively, the vendor may provide a means so that the Visa Test Script Execution Tool is able to establish a TCP/IP connection to the product. Please refer to VMPA Test Tool Interface Application Requirements (Book 6) for detailed information Visa. All Rights Reserved. Visa Public Page 41