Chip Card Testing and Approval Requirements
advertisement
Chip Card Products Testing and Approval Requirements Version 6.7 June 2016 Visa Public Chip Card Products Testing and Approval Requirements Contents SECTION 1: ........................................................................................................................................................................................... 5 ABOUT THIS GUIDE .......................................................................................................................................................................... 5 SECTION 2: TESTING OVERVIEW ............................................................................................................................................ 7 PRODUCTS CURRENTLY ACCEPTED FOR TESTING ............................................................................................................................................ 9 SECTION 3: AGREEMENTS AND LICENSES........................................................................................................................ 10 APPROVAL SERVICES TESTING AGREEMENT (ASTA) ....................................................................................................................................10 SECTION 4: IC SECURITY EVALUATIONS ........................................................................................................................... 11 FOR MORE .............................................................................................................................................................................................................11 INFORMATION .......................................................................................................................................................................................................11 SECTION 5: TEST DOCUMENTATION AND TOOLS ........................................................................................................ 12 TEST PLANS............................................................................................................................................................................................................12 ENHANCEMENTS AND MODIFICATIONS ..........................................................................................................................................................13 SECTION 6: FORMS AND SCHEDULING ............................................................................................................................. 14 APPROVAL SERVICES QUESTIONNAIRE ............................................................................................................................................................14 SCHEDULING..........................................................................................................................................................................................................16 REQUIRED FORMS FOR TESTING .......................................................................................................................................................................17 SECTION 7: SUBMIT TESTING MATERIALS ....................................................................................................................... 18 NUMBER OF SAMPLES REQUIRED FOR TESTING ............................................................................................................................................18 CROSS–TESTING SAMPLES ................................................................................................................................................................................19 INFORMATION PRINTED ON SAMPLES .............................................................................................................................................................20 PRODUCT REQUIREMENTS ..................................................................................................................................................................................20 PERSONALIZATION REQUIREMENTS .................................................................................................................................................................21 QUALITY ASSURANCE TESTING..........................................................................................................................................................................23 SECTION 8: FUNCTIONAL TESTING ..................................................................................................................................... 24 SHARING OF TEST RESULTS ................................................................................................................................................................................25 TEST RESULTS ........................................................................................................................................................................................................26 DISPOSITION OF PRODUCTS AFTER TESTING .................................................................................................................................................26 EMV LEVEL 1 TESTING ........................................................................................................................................................................................27 CONTACTLESS TYPE A AND TYPE B INTERFACE TESTING ............................................................................................................................27 VISA SMART DEBIT/CREDIT APPLICATION TESTING......................................................................................................................................27 QVSDC/MSD TESTING ......................................................................................................................................................................................27 CROSS-TESTING....................................................................................................................................................................................................28 GLOBALPLATFORM TESTING ..............................................................................................................................................................................29 JAVACARD-S TESTING.........................................................................................................................................................................................29 CHANGES ALLOWED TO APPROVED PRODUCTS............................................................................................................................................30 SECTION 9: SECURITY TESTING............................................................................................................................................. 31 IMPACT ASSESSMENT LETTER (IAL) ..................................................................................................................................................................31 June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 2 of 57 SECURITY TESTING PROCESS ..............................................................................................................................................................................32 FOR MORE INFORMATION .................................................................................................................................................................................33 SECTION 10: APPROVAL PROCESS .................................................................................................................................... 34 LEGAL CONDITIONS AND RESTRICTIONS .........................................................................................................................................................34 REQUESTING AN APPROVAL...............................................................................................................................................................................35 SECTION 11: CARD LIFECYCLE MANAGEMENT POLICY AND RENEWAL POLICY ........................................... 36 CARD LIFECYCLE MANAGEMENT POLICY.........................................................................................................................................................36 RENEWAL POLICY .................................................................................................................................................................................................37 RENEWAL PROCESS ..............................................................................................................................................................................................38 APPENDIX A: SPECIFICATIONS AND REQUIREMENTS ............................................................................................. A-1 APPENDIX B: TESTING REQUIREMENTS ......................................................................................................................... B-1 APPENDIX STRUCTURE ...................................................................................................................................................................................... B-1 RENEWAL DATES ................................................................................................................................................................................................ B-1 LIMITS TO CHANGE PROCESS .......................................................................................................................................................................... B-1 PAPER PROCESS ONLY ...................................................................................................................................................................................... B-1 B.1 STATIC NATIVE BASE PRODUCTS .................................................................................................................................................... B-2 B.2 CHANGES TO A STATIC NATIVE BASE PRODUCT.......................................................................................................................... B-3 B.3 GLOBALPLATFORM BASE PRODUCT ............................................................................................................................................... B-7 B.4 CHANGES TO A VISA GLOBALPLATFORM / GLOBALPLATFORM BASE PRODUCT .................................................................. B-9 APPENDIX C: TESTING LABORATORIES.......................................................................................................................... C-1 APPENDIX D: GLOSSARY ....................................................................................................................................................... D-1 APPENDIX E: DOCUMENT HISTORY ................................................................................................................................ E-6 June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 3 of 57 Tables Table 1: Approval Services Contact Information ........................................................ 5 Table 2: Questionnaire Submission and Testing Authorization Process ................. 14 Table 3: Forms Required Before Testing ................................................................... 17 Table 4: Forms Required After Testing ..................................................................... 17 Table 5: Submission Requirements ........................................................................... 18 Table 6: Requirements ............................................................................................... 20 Table 7: Overview of Functional Testing................................................................... 24 Table 8: Security Testing Process .............................................................................. 32 Table 9: Testing for Static Native Contact Only Base Products .............................. B-2 Table 10: Testing for Static Native Dual Interface Base Products .......................... B-2 Table 11: Testing for Static Native Contactless Only Base Products ...................... B-2 Table 12: Testing for Changes to a Static Native Base Product .............................. B-3 Table 13: Testing for GlobalPlatform Contact Only Base Product ......................... B-7 Table 14: Testing for GlobalPlatform Dual Interface Base Product........................ B-7 Table 15: Testing for GlobalPlatform Contactless Only Base Product ................... B-8 Table 16: Testing for Changes to a Visa GlobalPlatform/GlobalPlatform Base Product…….. B-9 Figures Figure 1 Testing Overview ............................................................................................ 8 June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 4 of 57 Chip Card Products Testing and Approval Requirements Section 1: About This Guide Purpose of Document This document provides information to product manufacturers, chip suppliers, Visa-Recognized Laboratories, and Visa staff to support the testing process that is required for chip card products that carry the Visa brand. Specifications and Requirements Product manufacturers are responsible for developing products to be compliant with the current and appropriate Visa specifications and requirements. Any organization wishing to obtain Visa specifications and requirements must sign a technology license agreement. Appendix A provides information about selected specifications and requirements. Support and Contact Information Visa’s goal is to provide a formal standardized process for testing chip card products and to enhance communication between all participants in the product testing and approval process. Visa Approval Services (hereafter referred to as Approval Services) provides a single point of contact, both for Vendors and for Visa personnel, on the testing and approval process. Table 1: Approval Services Contact Information Email address ApprovalServices@visa.com Visa Technology Partner Website https://technologypartner.visa.com US Postal Address Visa Inc. Approval Services Mailstop M4-2D 900 Metro Center Blvd Foster City, CA 94404 United States of America (for sending executed legal agreements) Singapore Postal Address (for sending samples for cross testing) June 2016 Visa Inc. Approval Services Mailstop SP10-B1 10 Eunos Road 8, #07-01 Singapore Post Centre 408600 Singapore © 2013 - 2016 Visa. All Rights Reserved. Page 5 of 57 Chip Card Products Testing and Approval Requirements Disclaimer June 2016 Visa’s testing services and polices are subject to change at any time in Visa’s sole discretion, with or without notice. This document does not create any binding obligations on Visa regarding Visa testing services or product approval. Any such obligations, to the extent they exist at all, are pursuant to separate written agreements between Visa and the party submitting products for testing and approval. In the absence of a fully-executed written agreement under which Visa has agreed to perform testing services for you or your company you should not rely on this document, nor shall Visa be liable for any such reliance (detrimental or otherwise). © 2013 - 2016 Visa. All Rights Reserved. Page 6 of 57 Chip Card Products Testing and Approval Requirements Section 2: Testing Overview This section provides an overview of the Visa testing and approval process for chip card products. Visa oversees testing of products that carry the Visa brand to ensure compliance to Visa specifications and requirements. The testing process includes (where applicable) the following: • Testing of basic electrical and protocol characteristics of the contact interface • Testing of radio frequency and protocol of the contactless interface • Testing of Visa payment applications • Security testing of the final product If the product successfully passes all required testing, Visa issues a letter of approval or letter of compliance. The approval or compliance recognition applies internationally unless specified in the letter. Note: The process described in this document does not approve Vendors; it only approves products. Approval is not transferrable from one product to another or from one Vendor to another. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 7 of 57 Chip Card Products Testing and Approval Requirements Figure 1 Testing Overview Note: The applicability and scope of functional and security testing is dependent of the configuration of product being submitted and the circumstance of the submission, e.g. whether a new product or a derivative. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 8 of 57 Chip Card Products Testing and Approval Requirements Products Currently Accepted for Testing Visa accepts the following types of chip card products for testing • Contact card supporting Visa Smart Debit/Credit (VSDC) • Contactless card (including fobs and micro-tags) supporting MSD and qVSDC • Dual interface card supporting VSDC and MSD/qVSDC For the purpose of this document the term “card” shall be used regardless of actual form factor. Alternative Form Factors Alternative form factors may be accepted for testing. Vendors should contact Approval Services to determine if the alternative form factor is acceptable. A complete description of the form factor must be provided as there may be weight and size restrictions. Alternative form factors submitted to Approval Services for type approval testing, where possible, will be subject to the same test requirements as standard ID1 card products. If a Vendor’s product uses materials other than plastic, it should contact Approval Services for guidance prior to submission. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 9 of 57 Chip Card Products Testing and Approval Requirements Section 3: Agreements and Licenses A company wishing to submit chip card products developed to Visa specifications must obtain the appropriate licenses and execute the necessary agreements prior to submitting the product to Visa for testing. Visa will not accept any product for testing until the required licenses and agreements have been signed. Visa technology can be licensed through the Visa Technology Partner website. Approval Services Before testing can begin the Vendor must execute an Approval Services Testing Agreement Testing Agreement with Visa. This agreement defines the terms and conditions governing the testing and approval of the Vendor’s product. (ASTA) June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 10 of 57 Chip Card Products Testing and Approval Requirements Section 4: IC Security Evaluations Chip hardware is defined as the basic ‘Chip’ or ‘IC’ product without an operating system or application. The security of the chip hardware is evaluated by EMVCo. The EMVCo IC security evaluation process considers the security of chip products and aims to provide a high level of assurance that the chip is designed to resist known attack methods. Visa leverages the EMVCo process to minimize cost and time spent in performing evaluation work and to avoid duplication of effort. EMVCo issues an IC certificate with an IC Certificate Number (ICCN) when a chip has successfully completed the EMVCo IC security evaluation process. EMVCo approved ‘IC’ products are listed on the EMVCo website at www.emvco.com. Requirement: Visa will only accept new products for security testing if the chip has successfully completed the EMVCo IC security evaluation process and the chip is listed on the EMVCo approved chips list. For More Information For detailed information on the EMVCo ‘IC’ security evaluation process, please see EMV Security Guidelines – EMVCo Security Evaluation Process [EMV1] available at www.emvco.com, or contact the EMVCo Security Evaluation Secretariat at securityevaluation@emvco.com with any questions. For further information on how the EMVCo security evaluation process ties in with the Visa Chip Security Program, please contact Approval Services. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 11 of 57 Chip Card Products Testing and Approval Requirements Section 5: Test Documentation and Tools Test plans and commercial test tools with associated test scripts are available to assist Vendors in conducting quality assurance (QA) testing prior to submitting the product for official testing. Successful completion of all the test scripts by the Vendor does not imply approval, nor does it depict Visa’s full testing process. Rather, it provides the Vendor with insight into the product testing process. Visa reserves the right to develop and run additional tests that are not part of the current test plan. Visa testing may include subjecting the product to additional physical and situation-specific tests as needed. Test Plans Vendors must sign the Approval Services Testing Agreement, discussed in Section 6, to gain access to test plans on the Visa Technology Partner website. Visa grants Vendors who have signed the required agreements permission to use the test plans solely for purposes of developing and testing products for a Visa application. Visa may revoke its permission at any time. Possession and use of these materials is subject in all respects to the terms and the continued effectiveness of the Approval Services Testing Agreement. These materials are provided on an “as is” basis “with all faults.” Visa disclaims all warranties pertaining to these materials, expressed or implied, including the implied warranties of merchantability, fitness for purposes, or non-infringement. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 12 of 57 Chip Card Products Testing and Approval Requirements Commercial Test Tools and Test Scripts Commercial test tools and test scripts are available from Test Tool Vendors. Test Tool Vendor contact information is published on the Visa Technology Partner website. Enhancements and Test plans and test scripts are subject to enhancements and modifications at any time. Unpublished test plan revisions are made Modifications available through Approval Services’ knowledge base on the Visa Technology Partner website (requires logging on to the site). Test plan revisions will be accumulated and published as new test plans as determined by Visa. It is the Vendor’s responsibility to ensure that they have the most current test plans and test scripts available. Vendors should contact their tool supplier to obtain any test script updates. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 13 of 57 Chip Card Products Testing and Approval Requirements Section 6: Forms and Scheduling All necessary forms for testing are available on the Visa Technology Partner website. Vendors should download and complete the latest version of the forms and submit their product and forms directly to the laboratory they have chosen to perform the testing. This section discusses the forms that are required for each product tested, as well as requirements for scheduling. Approval Services Questionnaire Vendors must submit an Approval Services Questionnaire for each product. The questionnaire is used to determine whether the product is eligible for testing and approval. Table 2: Questionnaire Submission and Testing Authorization Process Vendors (with an executed ASTA) • Download and complete the applicable Approval Services questionnaire. • Send the completed questionnaire to Approval Services. Approval Services • Reviews the questionnaire: • If the product is not acceptable, advises the Vendor. • If the product is acceptable issues a unique Visa reference number. • If testing is required: June 2016 © 2013 - 2016 Visa. All Rights Reserved. o Requests Impact Assessment Letter (IAL) from Security Lab (if applicable) o Authorizes functional testing providing the testing requirements to the Vendor and Laboratory(s) as specified in the questionnaire (if applicable) Page 14 of 57 Chip Card Products Testing and Approval Requirements Vendor • Schedules testing and completes all required forms as described in topics “Scheduling” through “Required Forms for Testing” below. Security Laboratory • Provides an Impact Assessment Letter to the Vendor and Approval Services. Functional Laboratory • Schedules testing and requests forms from the Vendor. It may be necessary to contact more than one Laboratory, depending on the characteristics of the product, the scope of testing, and the testing available at various Laboratories. For a current list of Visa testing offered by a Laboratory, go to the Approval Services section on Visa Technology Partner website. Note: If any problems occur during functional or security testing that would not allow the product to successfully complete testing, the following will occur: • Official testing will stop. • The Vendor is responsible for all costs incurred with the Laboratory(s). • The problem is corrected and the product questionnaire resubmitted. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 15 of 57 Chip Card Products Testing and Approval Requirements Scheduling The Vendor and the Laboratory(s) are responsible for scheduling testing once the Vendor has received confirmation of the testing requirements from Approval Services and testing authorized. Visa does not participate in and is not responsible for any scheduling between the Laboratories and Vendors. Security testing can take longer than functional testing. It is the Vendor’s choice when to start security and functional testing. A Vendor has six months from the date Approval Services authorizes the testing to submit all test results to Approval Services for review. Products Supporting T=0 and T=1 If a product supports both T=0 and T=1 protocols, the product must be submitted separately for each protocol, and each protocol will be tested independently. Note: If the T=0 protocol is submitted for testing prior to T=1, protocol application testing will not be required for the T=1 protocol. Products Supporting Type A and Type B If a contactless product supports both Type A and Type B, the product must be submitted separately for each contactless type and each will be tested independently. Products Supporting Multiple EEPROM or Flash Sizes If a product supports multiple EEPROM or Flash sizes, it can be submitted with multiple EEPROM or Flash sizes declared in the same questionnaire. Approval Services assigns a single Visa reference number and the product is listed on the approved products list showing multiple memory sizes. Note: The multiple EEPROM or Flash sizes must be covered by the EMVCo IC security evaluation and must be listed for the ICCN. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 16 of 57 Chip Card Products Testing and Approval Requirements Required Forms for Testing will not begin until the Laboratory has received all of the forms listed in Table 3 from the Vendor. Testing Note: Some forms may be combined as a single document. These forms must be submitted with each product submission; namely, if a product fails testing, a new version of each form must be completed and submitted when the product is resubmitted for testing. Forms Required Before Testing Begins Table 3: Forms Required Before Testing Form Description Implementation Conformance Statement(s) The Vendor must provide detailed information regarding the Visa payment application, platform, or interface. A separate statement is required for each interface, platform, and Visa application. Exhibit A: Request for Testing Services Form (addendum to ASTA) Establishes Visa’s right to review testing results submitted by the Vendor, following testing at a Laboratory. Single Production Batch Form An attestation from the Vendor that all samples submitted for testing (initial test samples or replacement samples), regardless of the Laboratory to which they are being sent, are from the same production batch. The Vendor is required to complete this form for each Laboratory performing functional testing. Forms Required After Testing Table 4: Forms Required After Testing June 2016 Form Description Request for Approval Form Vendor must send the completed form to the Laboratory. This form is an official request to release test reports to Visa so that Visa can begin the review and approval process for a product tested at the Laboratory. © 2013 - 2016 Visa. All Rights Reserved. Page 17 of 57 Chip Card Products Testing and Approval Requirements Section 7: Submit Testing Materials This section discusses the materials that the Vendor must provide for functional testing (note that these are in addition to the forms discussed in Section 6). Number of Samples Required for Testing The Vendor is required to provide product samples to the Laboratories for testing as described in Table 5. Note: A product that supports more than one Visa payment application requires a full set of samples for each Visa payment application. For dual interface products, a full set of samples must be provided for each interface. Table 5: Submission Requirements Visa Payment Application / Platform / Testing Number of Samples Required EMV Contact Level 1 See the Visa Contact and Contactless Personalization Requirement for Analog/Digital, Security Testing, and Cross Testing document on Visa Technology Partner website. EMV Contactless Level 1 June 2016 Visa Smart Debit/Credit See the VSDC personalization requirements in the VSDC test plan, on Visa Technology Partner website. Visa Contactless Payment See the qVSDC/MSD personalization requirements in the VCPS test plan on Visa Technology Partner website. JavaCard-S See VSDC and/or VCPS personalization requirements in the VSDC and/or VCPS test plan, on Visa Technology Partner website. © 2013 - 2016 Visa. All Rights Reserved. Page 18 of 57 Chip Card Products Testing and Approval Requirements Visa Payment Application / Platform / Testing Number of Samples Required Chip Card Cross-Testing Forty (40) cards for cross-testing. See the Visa Contact and Contactless Personalization Requirement for Analogue/Digital, Security Testing, and Cross Testing document on Visa Technology Partner website. Refer to the VCPS 2.1.2b Test Plan documents, available on the Visa Technology Partner website. Fifteen (15) cards for Performance Testing. See Section 9: CrossTesting. Cross–Testing Samples Card samples for cross-testing should be sent to Approval Services’ Singapore location. See Support and Contact Information section at the beginning of this document for shipping addresses. Note: Either the Vendor or laboratory can send the samples as long as they are from the same batch and a Single Production Batch Form is provided. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 19 of 57 Chip Card Products Testing and Approval Requirements Cards: Information Printed on Samples The following must be printed on all card samples submitted for testing: • Visa reference number (VTF number) • Chip model number • Contactless interface Type A or Type B (if applicable) • Transmission protocol (T=0 or T=1) • Unique serial number per card • List of applications on the card (abbreviations are acceptable) • Card Image Number Note: Paste-on labels are not acceptable. Test cards are not required to have a magnetic stripe for the testing process. Product Requirements Laboratories will accept chip card products for testing only in their final configuration as they will be supplied to Visa clients. A product submitted for testing shall be in the state described in Table 6. Table 6: Requirements June 2016 Requirement Description Chip The chip must be embedded and bonded to the product’s body. Commands Commands that can update the product must be in compliance with the Visa specifications for the application(s) in the product. Documentation When providing technical documentation, all commands and status words must be identified. Failure to identify commands and status words in the technical documentation may cause the product to fail testing. Debugging code All debugging code must be removed from the product before it is submitted for testing. Failure to remove this code may cause the product to fail testing. © 2013 - 2016 Visa. All Rights Reserved. Page 20 of 57 Chip Card Products Testing and Approval Requirements Requirement Description Personalization Static native and Javacard-S products personalized for testing must be in their personalized/locked state. ATR values (contact only) • After the card is put into an initialized state, the Answer to Reset (ATR) values (except for historical bytes) cannot be changed. • A product may not contain both T=0 and T=1 protocols within the same Answer to Reset (ATR). Personalization Requirements ATS values (contactless only) For Type A contactless products, the Answer to Select (ATS) values on the product submitted for testing must be those identified in the Implementation Conformance Statement (ICS). Answer to REQB Command For Type B contactless products, the values of bytes 10, 11, and 12 in the “Answer to REQB Command” on the product submitted for testing must be those identified in the Implementation Conformance Statement (ICS). Antenna Schematic (contactless only) A schematic of the antenna must be provided for all contactless and dual interface products. In this section personalization refers to the personalization of samples for Visa functional and security testing purposes only. Static Native Cards The Vendor must supply cards that are personalized. Personalization of test data will differ for each Visa application being tested. The functionality of the Visa application must not be affected by personalization. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 21 of 57 Chip Card Products Testing and Approval Requirements GlobalPlatform Cards GlobalPlatform cards must contain a Visa Smart Debit/Credit (VSDC) payment applet. To obtain information regarding licensing for a Visadeveloped payment applet, contact Approval Services. Each submission must conform to the latest version of GlobalPlatform Test Card Preparation Requirements, which is available from Visa Technology Partner website. Visa discourages extensions of the GlobalPlatform Application Programming Interface (API) and does not test extensions, if implemented. Visa Contact Cards Contact cards must be supplied in a personalized state for contact level 1 and/or application testing (VSDC). Personalization of test data will differ for each Visa application that is tested (VSDC). The functionality of the Visa application must not be affected by personalization. Product personalization requirements are available on the Visa Technology Partner website. Each submission must conform to the latest version of personalization requirements for the application supported. Visa Contactless Cards Contactless cards must be supplied in a personalized state for contactless level 1, and/or application testing (MSD/qVSDC). Personalization of test data will differ for each Visa application that is tested. The functionality of the Visa application must not be affected by personalization. Personalization requirements for MSD and qVSDC are available on the Visa Technology Partner website. Each submission must conform to the latest version of personalization requirements for the application supported. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 22 of 57 Chip Card Products Testing and Approval Requirements Quality Assurance Testing June 2016 Laboratories performing functional testing may offer quality assurance testing that can be completed prior to submitting a product for official testing. However, quality assurance testing is not part of Visa’s official testing and approval process and QA test results are not accepted for review. © 2013 - 2016 Visa. All Rights Reserved. Page 23 of 57 Chip Card Products Testing and Approval Requirements Section 8: Functional Testing Laboratories test various functions and applications supported by Visa. Such testing includes the electrical aspects of the chip protocol and communications of the product, as well as functionality of the applications. Testing is dependent on the technology supported by the product. Table 7 provides an overview. For a detailed list of required testing, see Appendix B. Table 7: Overview of Functional Testing Functional Testing Contact Product EMV Contact Level 1 (Electrical & Protocol) – T=0 or T=1 Visa Payment Application (VSDC) Contactless Product Type A or Type B Interface (Analogue and Digital) Visa Payment Application (qVSDC, and/or MSD) Cross-testing Dual Interface Product EMV Contact Level 1 (Electrical & Protocol) Type A or Type B Interface (Analogue and Digital) Visa Payment Application (VSDC, qVSDC, and/or MSD) Cross-testing June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 24 of 57 Chip Card Products Testing and Approval Requirements Sharing of Test Results Vendors have the opportunity to leverage functional test reports from approved products. A product that shares test results may be eligible for reduced testing. If Visa discovers a defect in a product that other products have shared test results from, all Vendors involved in the sharing agree that Visa can communicate all relevant information to each affected Vendor and its customers, including an explanation of the nature of the defect and products at issue. Shared test results are permitted only if: • All Vendors involved in the sharing have an ASTA. • The product being leveraged from has been tested and approved with no issues or comments. • The product being leveraged from is not already sharing test results from another product. A product using shared results will be tied to the original approved product as follows: • The product will receive the same expiration date as the product from which the results are shared. • If for any reason the original product is not renewed, any product sharing testing results cannot be renewed either. • If the original product is revoked, then all products sharing testing results will be revoked. • If the original product is modified and/or updated, then all products sharing testing results may require additional testing. • The questionnaire being submitted should indicate that the product is seeking to share test results and provide the VTF number of the approved product. Note: If a product is submitted for full testing, it will receive an independent approval, and its expiration date is not tied to any other product. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 25 of 57 Chip Card Products Testing and Approval Requirements Test Results When functional testing is complete, the Laboratory will provide the Vendor with a report outlining the test results. There are two possible outcomes from functional testing: Product Fails Testing In the instance where a product fails testing, the Laboratory will send a report to the Vendor identifying the reasons for the failures. If the Vendor intends to resubmit the product, the Vendor must do the following: • Correct the discrepancies • Submit a new questionnaire to Approval Services • Prepare new versions of the forms listed in Section 6 • Contact the Laboratory for a new test date • Provide new samples to the Laboratory for testing Product Passes Testing When a product passes testing, the Laboratory sends a final report to the Vendor. The Vendor determines whether it wishes to submit the results of application testing to Visa. If so, the Vendor completes and signs the Request for Approval form and submits it to the Laboratory, thus authorizing the Laboratory to send an electronic copy of the results to Approval Services for review. Test results should be submitted to Approval Services for evaluation as soon as possible but no later than 90 days from the date testing is completed by the Laboratory. Test results older than 90 days are considered expired and cannot be submitted for evaluation. Application re-testing is required to create a current test report if the validity period is exceeded and evaluation by Approval Services is desired. Disposition of Products After Testing After functional testing is complete, the Laboratory will do as follows: • Retain the remaining samples for any subsequent testing that may be required. • For an approved product, the Laboratory will keep the samples for six years. Note: Visa reserves the right to conduct additional testing on any products that have gone through the testing and approval process. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 26 of 57 Chip Card Products Testing and Approval Requirements EMV Level 1 Testing All Visa contact and dual interface chip card products must support and comply with EMV Level 1 requirements. Vendors are required to provide an Implementation Conformance Statement (ICS) that provides the hexadecimal values returned by the chip card in response to Answer to Reset (ATR), SELECT command, and GET PROCESSING OPTIONS. Data provided by the Vendor is used to check the data returned by the card during testing. EMV Level 1 ensures a level of interoperability for cards and acceptance devices. Testing is comprised of the following: • Electrical characteristics • Transmission protocol T=0 or T=1 • Answer to Reset (ATR) 3 volt and 5 volt Note: Laboratories utilize the EMVCo Contact Level 1 ICS and test plan. Contactless Type A This testing ensures a level of interoperability between contactless products and acceptance devices. Testing includes the following: and Type B • Analogue testing: This ensures that the magnetic field Interface Testing characteristics are able to carry the communication. • Digital testing: This ensures that the timing, anti-collision, and protocol characteristics are able to carry the communication. Note: Laboratories utilize the EMVCo Contactless Level 1 ICS and test plan. Application testing ensures that the application processes the Visa Smart transactions correctly, in accordance with the relevant specifications. Debit/Credit Application Testing qVSDC/MSD Testing June 2016 Cards compliant with Visa Contactless Payment Specification version 2.0.2 and all subsequent versions support the qVSDC/MSD application. MSD and qVSDC application paths are for contactless use only and shall not be used through a contact interface. Testing of the application ensures that each path in the application (whether qVSDC or MSD) processes transactions correctly. © 2013 - 2016 Visa. All Rights Reserved. Page 27 of 57 Chip Card Products Testing and Approval Requirements Cross-Testing Visa performs interoperability testing (also referred to as Cross-Testing) to ensure that contactless products and devices are interoperable with each other. Cross-Testing is a part of the official testing process, and the performance during this testing will be part of final approval consideration. Products that fail to communicate with multiple devices may not be eligible for approval. Note: Visa is not permitted to disclose information about the terminals used for Cross-Testing to Vendors. ICC Key Sizes Effective 01 September 2016, contactless and dual interface cards will be required to support a minimum ICC key size of 1152 bits and still meet the same contactless performance requirement of ≤ 400 milliseconds. New products submitted on or after September 1 2016, and any derivatives of products submitted after September 1, must meet the performance requirement using the minimum ICC key size of 1152 bits to be eligible to receive an approval or compliance letter. New, and derivatives of, products submitted before September 1 2016 are not subject to these performance requirements, including renewals. Approval letters will note the ICC key sizes (768, 896, 1024, 1152, and 1408 bits) for which the product was unable to meet the performance requirement. Performance Testing Profiles VCPS Image 1_008 VCPS Image 1_079 VCPS Image 1_076 VCPS Image 1_000 VCPS Image 1_078 Vendors need to provide three samples for all of the above profiles. Samples cannot be shared for contactless level 1 and cross testing. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 28 of 57 Chip Card Products Testing and Approval Requirements GlobalPlatform Testing Products that have been developed to Visa GlobalPlatform (VGP) Specifications are required to be tested by GlobalPlatform (GP). GlobalPlatform manages the platform functional testing for both VGP and GP platforms. Refer to Visa Bulletin #AS1204116 on the Visa Technology Partner website for more details. Visa only accepts official GP test results performed by a GP-qualified Laboratory. Self-testing results are not accepted as proof of specification compliance. Vendors shall provide an SCO Form and Qualification Letter from GP to Visa in support of their submission. Visa requires the SCO and Qualification Letter prior to issuing an approval or compliance letter. More information about the GlobalPlatform compliance testing process can be found on its website at http://www.globalplatform.org. JavaCard-S Testing A JavaCard-S product is based on both GlobalPlatform and JavaCard-S requirements. Because JavaCard-S requirements do not allow for postissuance download of applet packages or deletion of applet packages or instantiations, the product cannot be tested in the same manner as a GlobalPlatform card. Therefore, it is necessary to test the Visa payment application on the product to ensure that the JavaCard-S platform can correctly interface with the Visa payment application. For testing purposes, a JavaCard-S product is treated in the same manner as a static native card. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 29 of 57 Chip Card Products Testing and Approval Requirements Changes Allowed to Approved Products After a product is tested and approved, a Vendor may wish to update or modify the product. The following categories of changes may qualify: • Selected application or applet changes • Porting an approved chip card product to a new chip • Changes to the material or hardware of a contactless product See Appendix B for the testing required for a specific change. To initiate the change request, the Vendor must complete and submit a Questionnaire. Note: Vendors that have received a letter from Visa identifying issues in the specification deviation (comments) section may not use this process to make changes to the product. Vendors must correct the issue(s) identified in the letter before submitting the next version of the product for testing. Note: If a product is a change to a previously approved product or a derivative, then all renewal dates and renewal policy will be based on the dates for the original product. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 30 of 57 Chip Card Products Testing and Approval Requirements Section 9: Security Testing Like functional testing, security testing is performed only on a product in its final configuration, as it would be supplied to a Visa client. Security testing focuses on aspects of the product implementation that may have a security impact. Security testing goes beyond the functional testing to see if the product is vulnerable to known attacks, whether or not these are explicitly cited in the specification. The Visa Chip Security Program (VCSP) seeks to minimize the cost and time spent in performing evaluation work and to avoid duplication of effort. Security testing is not exhaustive and focuses on the most likely vulnerabilities as revealed by previous testing, knowledge of the particular application(s), and past experience with similar products. The level of testing is continuously increasing to reflect ‘state-of-the-art’ attack potential. Consequently, the introduction of new chip products should offer a higher level of protection against the latest threats. However, no testing can anticipate all potential future attacks. Security, by definition, is an ongoing process; as time progresses, attack and defense becomes a race. All Visa chip-based payment products are required to go through VCSP security testing. Impact Assessment Letter (IAL) Vendors must obtain an impact assessment letter (IAL) from a Visa-recognized security laboratory prior to Visa authorizing security testing to begin on a product. The Vendor must authorize the laboratory to submit the IAL to Visa for products being submitted for security testing. The review of the IAL will determine the amount of security testing that will need to be performed, and Visa may decide that more or less testing is required based on product history and other factors. The following summarizes different security testing scenarios: • Full security testing – This will be required in the case of a new product that has not been evaluated previously by the Laboratory under the VCSP program. • Delta security testing – This will be performed in the case of (i) product modification or patch; or (ii) product renewal. • No security testing – This may result in the instance that the product has been evaluated before and the changes have no negative security impact (e.g., it is classified as a Minor Change). June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 31 of 57 Chip Card Products Testing and Approval Requirements Minor Change Products exist in many variants and may sometimes have minor differences. A product with a “minor change” is not required to undergo Visa security testing and will leverage the approval date and comments of the original product. A minor change is defined as: • Verified bug fixes with no negative impact on security • Functional changes that do not have an impact on security testing • VSDC code changes that Visa has defined as minor Security Testing Process Table 8: Security Testing Process Security Laboratory • Provides Impact Assessment Letter (IAL) to Approval Services. Approval Services • Reviews IAL. • Authorizes security testing, if applicable. Security Laboratory • Performs security testing. • Provides security evaluation results to Approval Services after Vendor review and approval. Vendor • Reviews report. • Provides signed Request for Approval form to Laboratory, authorizing Laboratory to submit the security testing results to Visa. Security Laboratory • Provides security evaluation results to Approval Services after Vendor review and approval. Approval Services • Reviews the security evaluation report. • If it meets Visa requirements, approves the product as described in Section 10. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 32 of 57 Chip Card Products Testing and Approval Requirements For More Information June 2016 Visa Chip Security Program—Security Testing Process for Chip Cards provides detailed information about the security evaluation program. The VCSP Impact Assessment Letter requirements document provides the requirements for submitting an IAL to Approval Services. These documents are available at the Visa Technology Partner website. © 2013 - 2016 Visa. All Rights Reserved. Page 33 of 57 Chip Card Products Testing and Approval Requirements Section 10: Approval Process This section describes the processes and rules governing the approval of a Visa-branded payment chip card product. The term “approval” is being used generically in this section to mean the issuance of an approval letter or the issuance of a compliance letter. Legal Conditions and Visa’s approval only applies to products that are identical to the product tested by Visa or one of Visa’s recognized laboratories. A product may not be Restrictions considered approved by Visa, nor promoted as approved, if any aspect of the product is different from that which was tested by a laboratory or by Visa, even if the product conforms to the basic product description contained in the letter of approval or letter of compliance. For example, even though a product contains applications or operating systems that have the same name or model number as those tested by one of Visa’s recognized laboratories or by Visa, but the product is not identical to the features previously tested by one of Visa’s recognized laboratories or by Visa, the product should not be considered or promoted as approved by Visa. Visa’s approval is granted solely in connection with a specific product and to the submitting vendor. Such approval may not be assigned, transferred or sublicensed, either directly or indirectly, by operation of law or otherwise. Only vendor(s) that receive a Visa approval for a product may state that they have the approval. No product manufacturer, chip supplier, or other third party may refer to a product, service or facility as “Visa-approved,” nor otherwise state or imply that Visa has, in whole or in part, approved any aspect of a manufacturer, or supplier, or its products, services or facilities, except to the extent and subject to the terms and restrictions expressly set forth in a written agreement with Visa, or in a letter of approval or letter of compliance provided by Approval Services. All other references to Visa approval are strictly and actively prohibited by Visa. When granted, Visa approval is provided by Visa to ensure certain security and operational characteristics important to Visa’s systems as a whole, but does not, under any circumstances, include any endorsement or warranty regarding the functionality, quality or performance of any particular product or service. Visa does not warrant any products or services provided by third parties. Approval does not, under any circumstances, include or imply any product warranties from Visa, including, without limitation, any implied warranties of merchantability, fitness for purpose or non-infringement, all of which are expressly disclaimed by Visa. All rights and remedies regarding products and services which have received Visa approval shall be provided by the party June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 34 of 57 Chip Card Products Testing and Approval Requirements providing such products or services, and not by Visa. Unless otherwise agreed in writing by Visa, all property and services contemplated in this document, which Visa provides to any third parties, are provided on an “as-is” basis, “with all faults” and with no warranties whatsoever. Visa specifically disclaims any implied warranties of merchantability, fitness for purpose or non-infringement. The issuance of a letter of approval or letter of compliance is conditioned upon the vendor having executed all necessary agreements, including without limitation, the applicable license agreements with Visa, and shall be of no force and effect unless such agreements have been executed contemporaneously with or prior to the issuance of the letter. Visa performs limited testing to ascertain a product’s compliance with any required specifications and may perform interoperability testing with other approved products. Visa’s limited testing program is not designed to establish the functionality of an approved product in all potential conditions in which it may be used. Visa’s approval does not in any circumstances include or imply any guarantees, assurances or warranties that the approved product will operate in all possible settings or in connection with any other approved product. Requesting an Approval Visa will consider issuing a letter only for products that have successfully passed all testing at a Laboratory and that support Visa-defined applications. Upon successful completion of official testing, the chip card product will appear on the Visa Approved Products List located on the Visa Technology Partner website unless the Vendor requests otherwise. Note: For contact and contactless chip card approvals that do not require testing, the Vendor must submit ten (10) samples that have been personalized with card image VSDC02 to Approval Services. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 35 of 57 Chip Card Products Testing and Approval Requirements Section 11: Card Lifecycle Management Policy Card Lifecycle Management Policy and Renewal Policy This section describes the card lifecycle management policy for chip card products. The policy explained in this section applies to products approved on or after 1 January 2016. These apply to all newly approved products and their derivatives. The card lifecycle management policy applies to all chip card products, except products based on the EMVCo Common Payment Application and products approved prior to 1 January 2016. This will continue to be governed under the existing renewal policy (See Renewal Policy section below). Upon approval, the usage date assigned on the product’s letter will be based on the issue date of the underlying ICCN from EMVCo. The current approval period is replaced with a usage period covering the entire life of the product in the field. The usage date is defined as the ICCN issue date + 12 years. The vendor may sell the product at any time during its usage period. If the product is submitted on a newly certified IC, then the maximum usage date can approach twelve years. For products submitted on older IC’s, the usage date timeframe will be shorter. • Base and derivative product submissions may be submitted during the ICCN’s certification period. • Products submitted as a base product will receive the usage date based on the underlying ICCN. Derivative products are tied to the parent product’s usage date. When the usage date of a product has been reached, the product will be removed from the Visa Approved Products List the month following the usage end date. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 36 of 57 Chip Card Products Testing and Approval Requirements Renewal Policy This section describes the renewal policy for chip card products. The renewal policy referred to in this section applies to products approved prior to 1 January 2016 or their derivatives approved after 1 January 2016. When a chip card product is approved by Visa, it is assigned a renewal date that is typically three (3) years from the date of approval. The renewal date is conveyed to the Vendor in the letter of approval and appears on the Visa Approved Products List. As a product approaches its renewal date, Visa reviews the product’s eligibility for renewal. Visa will send Vendors a renewal email notice approximately six months before the renewal date to advise of renewal eligibility. It is the Vendor’s responsibility to track renewal dates for its approved products and take all appropriate actions, even if the Vendor does not receive a renewal notice from Visa. Visa will remove a non-renewed product from the Visa Approved Products List the month following the renewal date. All renewals are linked to the conditions contained in the letter of approval sent to the Vendor when the product is initially approved. If problems are identified with the product after an approval (or an extension if a renewal is granted), Visa may revoke the approval or extension. Visa reserves the right to revoke approvals or extensions at any time. Chip cards eligible for renewal must meet all of the following criteria: • The product must comply with Visa’s current versions of specifications, requirements, and errata. • Visa GlobalPlatform cards must contain a supported Visa-approved payment applet. • There are no comments in the product’s approval letter. • The product must successfully complete renewal testing using the latest mandated test plans. If testing is required for the renewal of a GlobalPlatform or Visa GlobalPlatform chip card product, then the following apply: • VGP products will be tested to VGP requirements at a Visa-Recognized Laboratory • GP products will be tested to GP requirements at a GP-Recognized Laboratory. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 37 of 57 Chip Card Products Testing and Approval Requirements Renewal Process Visa will process renewals approximately six months ahead of the renewal date. When a chip card product is approaching its renewal date, the Vendor may be required to submit the product for renewal testing, which consists of the following: Functional Testing • Delta Testing is the difference between the test plan version against which the product was approved and the current version of the test plan. • Regression Testing is a predefined subset of functional test cases executed to determine whether changes have been made to the originally approved product. Regression Testing will be performed when Delta Testing is not required. Security Testing • Delta security testing is required for product renewal. • Vendors must obtain an Impact Assessment Letter (IAL) from a VisaRecognized Security Laboratory prior to Visa authorizing security testing to begin on a product. If a product successfully completes renewal testing, it will be renewed for a period not to exceed three additional years, making the maximum life of an approval six years. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page 38 of 57 Chip Card Products Testing and Approval Requirements Appendix A: Specifications and Requirements EMV All Visa payment contact chip card products must support and be in compliance with EMV Level 1 as defined in EMV Integrated Circuit Card Specifications for Payment Systems, available through www.emvco.com. All Visa contactless chip card products must support and be in compliance with Level 1 analogue and digital as defined in EMV Contactless Specifications for Payment Systems, available through www.emvco.com. The EMVCo security evaluation process is described in EMV Security Guidelines – EMVCo Security Evaluation Process, Version 4.0, December 2010. Visit www.emvco.com. Contactless All contactless products supporting qVSDC or MSD must be in compliance with Visa Contactless Payment Specification, available from the Visa Technology Partner website. VSDC All chip cards supporting Visa Smart Debit/Credit must support and be in compliance with Visa Integrated Circuit Card Specification (VIS), available from the Visa Technology Partner website. Visa Chip Security Program The Visa Chip Security Program is described in Visa Chip Security Program – Security Testing Process, which is available from the Visa Technology Partner website. Visa JavaCard-S All chip cards supporting Visa JavaCard-S must support and be in compliance with the Visa GlobalPlatform Static Card Implementation Requirement. This is an addendum to all Visa GlobalPlatform Requirements. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page A-1 of 57 Chip Card Products Testing and Approval Requirements Appendix B: Testing Requirements Appendix Structure This appendix lists the testing requirements for products. Products are split into two categories: (1) Static Native products (inclusive of Javacard-S), and (2) GlobalPlatform products. Each category is further split into two topics: • The first topic lists the base products. A base product is a new product submission that is required to go through full testing. This product is not based on or sharing test results from a previously approved product. • The second topic lists the acceptable changes allowed to a previously approved base product. If a Vendor wants to make a change that is not listed, they should contact Approval Services to determine which process may be utilized. Renewal Dates Limits to Change Process All derivative products receive the same renewal date as the originally approved “‘base” product. • A change to ROM or Flash memory is considered a new submission, and the testing requirements in section B.1 or B.3 apply, as full testing is required. • Vendors that have received a letter of approval or letter of compliance from Visa identifying issues in the specification deviation/comments sections may not use this process to make changes to the product. Vendors must correct the issue(s) identified in the letter before submitting the next version of the product for testing. Paper Process Only • No functional or security testing is required. • Ten (10) sample cards personalized with card image VSDC02 shall be provided to Approval Services. • Request for Approval and Exhibit A shall be provided to Approval Services. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page B-1 of 57 Chip Card Products Testing and Approval Requirements B.1 Static Native Base Products Table 9: Testing for Static Native Contact Only Base Products # SN-01 Contact Protocol T=0 or T=1 (Base) Contactless Protocol N/A Contact Level 1 Testing Analog / Digital Testing Full Electrical / Full Protocol N/A VIS / Application Testing Full VIS CrossTesting N/A VCSP IAL Table 10: Testing for Static Native Dual Interface Base Products # SN-02 Contact Protocol T=0 or T=1 (Base) Contactless Protocol Type A or Type B Contact Level 1 Testing Analog / Digital Testing Full Electrical / Full Protocol Full Analog / Full Digital VIS / Application Testing Full VIS & VCPS CrossTesting Full VCSP IAL Table 11: Testing for Static Native Contactless Only Base Products # SN-03 Contact Protocol N/A Contactless Protocol Type A or Type B (Base) June 2016 Contact Level 1 Testing N/A Analog / Digital Testing Full Analog / Full Digital © 2013 - 2016 Visa. All Rights Reserved. VIS / Application Testing Full VCPS CrossTesting Full Page B-2 of 57 VCSP IAL Chip Card Products Testing and Approval Requirements B.2 Changes to a Static Native Base Product Below is a list of acceptable changes for a Static Native Base Product. The list below is not exhaustive, but provides examples of commonly submitted change requests. If a Vendor wants to make a change that is not listed below, it should contact Approval Services to determine which process the Vendor may utilize. Changes to the ROM mask are treated as a base product. Table 12: Testing for Changes to a Static Native Base Product # Requested Change Contact Level 1 Testing Analog / Digital Testing VIS / Application Testing CrossTesting VCSP Notes SN04 Change (T=1/T=0)* Full Protocol None VSDC Transaction None None Change to an approved Contact product. SN05 Change (T=1/T=0) Full Protocol Full Digital VCPS/ VSDC Transaction None None Change to an approved Dual Interface product. SN06 Change Type A or Type B Regression Protocol Full Digital VCPS Transaction Selected None Change to an approved Dual Interface product. SN07 Change Type A or Type B None Full Digital Transaction Selected None Change to an approved Contactless product. SN08 Change to VIS Application None None Full VIS None IAL unless defined as a minor change Change does not affect Level 1 components. SN09 Change to VCPS Application None None Full VCPS Selected IAL unless defined as a minor change Change does not affect Level 1 components. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page B-3 of 57 Chip Card Products Testing and Approval Requirements # Requested Change Contact Level 1 Testing Analog / Digital Testing VIS / Application Testing CrossTesting VCSP Notes SN10 Change to Level 1 Contact Firmware Full Protocol None VSDC Transaction None None Change does not affect Level 2 components. SN11 Change to Level 1 Contactless Firmware None Full Digital VCPS Transaction Selected None Change does not affect Level 2 components. Note: VSDC Transaction required if built to VIS 1.4.1. SN12 Change to Proprietary Application None None Regression None IAL Full VIS/VCPS testing is required if interact with Visa application. SN13 Port to Chip in Same Family None None None None None Paper Process Only SN14 Change to Same Chip EEPROM Size None None None None None Paper Process Only SN15 Antenna / Inlay Change None Full Analog TBD – VCPS Transaction to Regression Full None Based on new Antenna/Inlay; application testing may be required. Note: VSDC Transaction required if built to VIS 1.4.1. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page B-4 of 57 Chip Card Products Testing and Approval Requirements # SN16 Requested Change Module Change Contact Level 1 Testing None Analog / Digital Testing Full Analog VIS / Application Testing VCPS Transaction CrossTesting None VCSP Notes None Based on Analog results, Cross-Testing may be required. Note: VSDC Transaction required if built to VIS 1.4.1. SN17 Embedder Change None None None None None Paper Process Only SN18 Plastics Change None None None None None Some testing may be required if metal is being introduced. SN19 Materials Change None Full Analog / Full Digital TBD – VCPS Transaction to Regression TBD None Less testing may apply depending upon actual change. SN20 Remove Contact Plate None None None None None Paper Process Only SN21 Remove Contactless Antenna None None None None None Paper Process Only SN22 Add Contact Plate Full Electrical / Full Protocol Regression Digital VCPS Transaction / Full VIS None IAL Change to an approved Contactless product. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page B-5 of 57 Chip Card Products Testing and Approval Requirements # Requested Change SN23 Add Contactless Antenna SN24 Change to UID size Contact Level 1 Testing Regression Protocol / VSDC Transaction Analog / Digital Testing VIS / Application Testing CrossTesting VCSP Notes Full Analog / Full Digital Full VCPS Full IAL Change to an approved Contact product. Full Digital None Regression None Change to an approved product with support for second UID size *Note: If the T=0 protocol is submitted for testing prior to T=1, protocol application testing will not be required for the T=1 protocol. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page B-6 of 57 Chip Card Products Testing and Approval Requirements B.3 GlobalPlatform Base Product GlobalPlatform manages the platform functional testing for both VGP and GP platforms. Refer to Visa Bulletin# AS1204116 on Visa Technology Partner website for more details. Table 13: Testing for GlobalPlatform Contact Only Base Product # GP-01 Contact Protocol CL Protocol Antenna / Inlay T=0 or T=1 N/A N/A Contact Level 1 Testing Full Electrical / Full Protocol / Analog / Digital Testing N/A VCSP CrossTesting None (Base) Applet Testing TBD – None to Full Notes IAL The Base Product must have a previously approved Visa applet in ROM. Table 14: Testing for GlobalPlatform Dual Interface Base Product # GP-02 Contact Protocol CL Protocol T=0 or T=1 Type A or Type B Antenna / Inlay Design X Contact Level 1 Testing Full Electrical / Full Protocol Analog / Digital Testing Full Analog / Full Digital (Base) June 2016 © 2013 - 2016 Visa. All Rights Reserved. VCSP CrossTesting Full Applet Testing TBD – None to Full Notes IAL The Base Product must have a previously approved Visa applet in ROM. Page B-7 of 57 Chip Card Products Testing and Approval Requirements Table 15: Testing for GlobalPlatform Contactless Only Base Product # GP-03 Contact Protocol CL Protocol N/A Type A or Type B June 2016 Antenna / Inlay Design X Contact Level 1 Testing N/A Analog / Digital Testing Full Analog / Full Digital © 2013 - 2016 Visa. All Rights Reserved. VCSP CrossTesting Full Applet Testing TBD – None to Full Notes IAL The Base Product must have a previously approved Visa applet in ROM. Page B-8 of 57 Chip Card Products Testing and Approval Requirements B.4 Changes to a Visa GlobalPlatform / GlobalPlatform Base Product Below is a list of acceptable changes for a Visa GlobalPlatform/GlobalPlatform Base Product. The list below is not exhaustive, but it provides examples of commonly submitted change requests. If a Vendor wants to make a change that is not listed below, they should contact Approval Services to determine which process to utilize. Table 16: Testing for Changes to a Visa GlobalPlatform/GlobalPlatform Base Product # GP-04 Requested Change Change Contact Level 1 Testing Analog / Digital Testing VGP/GP Testing VCSP Cross-Testing Applet Testing Full Protocol N/A None None VSDC Transaction None Change to an approved Contact product. Full Protocol Full Digital None None VCPS / VSDC Transaction None Change to an approved Dual Interface product. Full Protocol Full Digital None Selected VCPS / VSDC Transaction None Change to an approved Dual Interface product. N/A Full Digital None Selected VCPS / VSDC Transaction None Change to an approved Contactless product. None None None None None None Paper Process Only (T=1 / T=0)* GP-05 Change (T=1 / T=0) GP-06 Change (Type A / Type B) GP-07 Change (Type A / Type B) GP-08 Port to Chip in Same Family June 2016 Notes © 2013 - 2016 Visa. All Rights Reserved. Page B-9 of 57 Chip Card Products Testing and Approval Requirements # Requested Change Contact Level 1 Testing Analog / Digital Testing VGP/GP Testing VCSP Cross-Testing Applet Testing Notes GP-09 Change to Same Chip EEPROM Size None None None None None None Paper Process Only GP-10 Add Approved Applet to EEPROM None None None TBD Regression VSDC on Contact / Regression VSDC, MSD & qVSDC on Contactless IAL unless defined as a minor change No change to ROM. Logically Delete originally approved VSDC applet. Based on Analog results, Cross-Testing may be required. GP-11 Antenna / Inlay Change None Full Analog None Full VCPS Transaction None No changes to ROM. GP-12 Module Change None Full Analog None None VCPS Transaction None No changes to ROM. GP-13 Embedder Manufacturer Change None None None None None None No changes to ROM. Paper Process Only GP-14 Plastics Change None Full Analog None None VCPS Transaction None No changes to ROM. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Based on Analog results, Cross-Testing may be required. Based on Analog results, Cross-Testing may be required. Page B-10 of 57 Chip Card Products Testing and Approval Requirements # Requested Change Contact Level 1 Testing Analog / Digital Testing VGP/GP Testing VCSP Cross-Testing Applet Testing Notes GP-15 Materials Change None Full Analog / Full Digital None TBD VCPS / VSDC Transaction None Less testing may apply depending upon actual change. GP-16 Remove Contact None None None None None None Paper Process Only GP-17 Remove Contactless Antenna None None None None None None No changes to ROM. Paper Process Only GP-18 Add Contact Plate Full Electrical / Full Protocol Regression Digital Full Contact None VSDC Transaction IAL Add contact plate to an approved contactless only product. GP-19 Add Antenna Regression Protocol Full Analog / Full Digital Full Contactless Full VCPS / VSDC Transaction IAL Add antenna to an approved contactonly product. GP-20 Swap an Applet in ROM None None None None VCPS / VSDC Regression or Transaction IAL *Note: If the T=0 protocol is submitted for testing prior to T=1, protocol application testing will not be required for the T=1 protocol. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page B-11 of 57 Chip Card Products Testing and Approval Requirements Appendix C: Testing Laboratories Please contact the laboratory directly for current pricing and scheduling. For current Laboratory contact information and to determine which type of product testing is offered by the Laboratory, visit the Visa Technology Partner website. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page C-1 of 57 Chip Card Products Testing and Approval Requirements Appendix D: Glossary This appendix defines selected terms used in this document. Agreements Includes the Visa Service Testing Agreement with the company, along with the Visa Technology License Agreements. Analog Testing Ensures that the magnetic field characteristics of a contactless product are able to carry the communication. API Application Programming Interface. Approval A generic term meaning the issuance of a letter of approval or letter of compliance. Approval Services Serves as a single point of contact for Vendors, Laboratories, and Visa personnel, on the chip card product testing and approval process. Approval Services Questionnaire A form that enables Approval Services to determine whether a product is acceptable for Visa testing and approval. Approval Services Testing Agreement (ASTA) A legal agreement between Visa and the product manufacturer or chip supplier regarding testing and approval. ASTA See “Approval Services Testing Agreement” above. ATR Answer To Reset, one of the commands tested in EMV Level 1 testing. ATS Answer To Select, one of the commands tested in contactless Type A testing. Card Manufacturer The entity that offers the final tested and approved product to the financial institution. Chip Supplier The entity that manufactures the silicon chip. Digital Testing Ensures that the timing, anti-collision, and protocol characteristics of a contactless product are able to carry the communication. Dual Interface That which supports both contact and contactless payment. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page D-1 of 57 Chip Card Products Testing and Approval Requirements EMV Level 1 Testing that addresses the electrical and protocol aspects of a contact chip card to ensure that chip cards are interoperable with EMV Level 1 chip card readers. EMVCo EMVCo, LLC is the organization of payment systems that manages, maintains, and enhances the EMV specifications. Exhibit A A form, signed by the Vendor, that establishes Visa’s right to review results submitted by the Vendor, following testing at a Laboratory; it must be submitted before testing begins. Forms See topic “Required Forms for Testing.” Functional Testing Testing that ensures that the chip card product processes transactions correctly according to Visa specifications and requirements. GP-BFC GlobalPlatform Basic Financial Configuration. GP-MG GlobalPlatform Mapping Guidelines of existing GP 2.1.1 implementation on v2.2 or higher. IAL See “Impact Assessment Letter” below. IC Integrated Circuit. (Also referred to as the “Chip”) ICC Integrated Circuit Card. (Also referred to as the “Chip Card”) ICCN IC Certificate Number. (issued by EMVCo) ICS See “Implementation Conformance Statement” below. Impact Assessment Letter A letter reporting the Security Test Laboratory’s assessment of whether full, delta, or no security testing is required for a chip card product. Implementation Conformance Statement (ICS) A form providing detailed information regarding the Visa payment application, platform, or interface; it must be submitted before testing begins. JavaCard-S A designation of a payment product that is based upon the Visa GlobalPlatform requirements along with GlobalPlatform and JavaCard requirements. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page D-2 of 57 Chip Card Products Testing and Approval Requirements Laboratory In the context of this document, refers to a Visa-Recognized Laboratory that tests products in preparation for approval by Visa. Letter of Approval An acknowledgement by Approval Services that a specific chip card product has successfully completed functional and security testing at a Visa-Recognized Laboratory. MSD Magnetic Stripe Data, a Visa payment application for contactless cards. Official Testing In the context of this document, refers to testing conducted by a Visa-Recognized Laboratory with the intention of obtaining Visa approval of a chip card product. OS Operating System. Payment Application See “Visa Payment Application” below. PCN Platform Certificate Number. (issued by EMVCo) Personalization In this document, refers only to the personalization of cards for Visa functional and security testing purposes. QA Quality Assurance. qVSDC Quick VSDC, a Visa payment application for contactless products. REQB REQuest command, Type B; one of the commands tested in contactless Type B testing. Request for Approval The form submitted after test results are received from the functional and security testing Laboratories; this is used if the Vendor wishes to have Visa Form evaluate the test results. Request for Testing Services Form A form the Vendor signs that establishes Visa’s right to review results submitted by the Vendor, following testing at a Laboratory. Must be submitted before testing begins. Also known as Exhibit A. ROM Read-only Memory. Security Testing Testing that ensures that the chip card product processes transactions securely. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page D-3 of 57 Chip Card Products Testing and Approval Requirements Separate Submissions If a contact chip card product supports both T=0 and T=1 protocols, the product must be submitted for testing separately for each protocol, and each protocol will be tested independently. If a contactless or dual interface product supports both Type A and Type B, the product must be submitted for testing separately for each contactless type, and each contactless type will be tested independently. Single Production Batch Form This is signed by the Vendor and provided to each Laboratory that is testing the product. This form is an attestation from the Vendor that all samples being submitted for testing (whether initial test samples or replacement samples), regardless of the Laboratory to which they are being sent, are from the same production batch. Static Native A contact chip card that was not developed to the Visa GlobalPlatform requirements Test Plan “Test Plans” can be obtained from the Visa Technology Partner website. Test Script See topic “Commercial Test Tools and Test Scripts 13” for information about obtaining test scripts. Test-Cycle Submission The initial submission of a chip card product for testing and, if the product fails testing initially, each subsequent submission for testing. Vendor A company that has registered with Visa, signed all necessary agreements, and paid all required service fees. VCSP See “Visa Chip Security Program” below. VGP See “Visa GlobalPlatform” below. VIS Visa Integrated Circuit Card Specification, which provides the technical details of chip card and terminal functionality, related to VSDC payment transactions. Visa Approved Products List A listing of products that have passed both functional and security testing as described in this document. Visa Chip Security Program The Visa security evaluation methodology used for chip card testing. For more information, see Section 9. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page D-4 of 57 Chip Card Products Testing and Approval Requirements Visa GlobalPlatform (VGP) The Visa implementation of GlobalPlatform, a non-proprietary platform that enables fast and easy development of globally interoperable, multiple application smart card systems. Visa Payment Application Any of the following: • Visa Smart Debit/Credit (VSDC) • Quick VSDC (qVSDC) • Magnetic Stripe Data (MSD) Visa Smart Debit/Credit (VSDC) Visa service offerings for chip-based debit and credit programs, which are based on EMV and VIS specifications and are support by VisaNet processing, as well as by Visa rules and regulations. Visa-Recognized Laboratory A Laboratory that is recognized by Visa to test products in preparation for approval by Visa. VSDC See “Visa Smart Debit/Credit” above. VTF An internal tracking number assigned to each product undergoing testing. June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page D-5 of 57 Chip Card Products Testing and Approval Requirements Appendix E: Document History Version Date Description 6.7 June 2016 Corrections, clarifications and updates. Section 1: Updated mailing address for Singapore location. 6.6 December 2015 Section 7 Cross-Testing Cards New section - Appendix E: Document History 6.5 December 2015 Section 8 Cross-Testing Cards: Updated cross-testing cards and mailing address Section 9 Cross-Testing: Added the performance testing card profiles Section 12: Added the Card Lifecycle Management policy 6.4 October 2015 Section 9: Added Cross-Testing information Section 12: Moved the General Conditions & Exceptions section to the Renewal Policy section Appendix B: Added VCSP testing requirements June 2016 © 2013 - 2016 Visa. All Rights Reserved. Page E-6 of 57
