Visa Mobile Proximity Payment
Testing & Compliance Requirements
For Mobile Products
Version 5.4
June 2016
Visa Public
DISCLAIMER
Visa’s testing services and polices are subject to change at any time in Visa’s sole discretion, with
or without notice. This document does not create any binding obligations on Visa regarding Visa
testing services or product approval. Any such obligations, to the extent they exist at all, are
pursuant to separate written agreements between Visa and the party submitting products for
testing and approval. In the absence of a fully-executed written agreement under which Visa has
agreed to perform testing services for you or your company you should not rely on this
document, nor shall Visa be liable for any such reliance (detrimental or otherwise).
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Contents
1
2
Preface ....................................................................................................................................................................................... 6
1.1
Audience ................................................................................................................................................................................................. 6
1.2
Purpose .................................................................................................................................................................................................... 6
1.3
Scope and Assumptions.................................................................................................................................................................... 6
1.4
Support and Contact Information ................................................................................................................................................. 7
1.5
Visa Business Requirements ............................................................................................................................................................ 7
1.6
Vendor Registration and Licensing............................................................................................................................................... 8
1.7
Specifications and Requirements ................................................................................................................................................ 10
1.8
Terms and Definitions ...................................................................................................................................................................... 11
1.9
Abbreviations and Terminology .................................................................................................................................................. 12
Mobile Testing Overview .................................................................................................................................................... 13
2.1
Products Accepted for Testing ..................................................................................................................................................... 14
2.2
Mobile Component Overview ....................................................................................................................................................... 14
2.3
Mobile Component Descriptions ................................................................................................................................................ 16
2.4
UICC or Embedded Secure Element Component ................................................................................................................. 20
2.5
Handsets ................................................................................................................................................................................................ 21
2.6
MicroSD ................................................................................................................................................................................................. 23
2.7
Mobile Accessory ............................................................................................................................................................................... 26
2.8
Component Specification and Compliance ............................................................................................................................. 27
3
Security Testing ..................................................................................................................................................................... 28
4
Certification Process, Laboratories and Documentation ............................................................................................ 30
5
4.1
Certification Process Overview ..................................................................................................................................................... 30
4.2
Certification Areas By Organization ........................................................................................................................................... 31
4.3
EMVCo Mobile Product Level 1 Testing ................................................................................................................................... 32
4.4
GlobalPlatform Qualification Testing ......................................................................................................................................... 32
4.5
Cross Testing ....................................................................................................................................................................................... 33
4.6
Test Plans and Test Tools ............................................................................................................................................................... 34
4.7
Test Laboratories................................................................................................................................................................................ 35
4.8
Starting the Product Submission Process ................................................................................................................................ 35
Submission of Testing Materials for Functional Testing............................................................................................. 37
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 3 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
6
7
A
5.1
Requirements for Product Submission ..................................................................................................................................... 37
5.2
Over the Air (OTA) Testing ............................................................................................................................................................. 40
5.3
Testing Over a Contact Interface ................................................................................................................................................. 42
5.4
Utilizing Test Results between Products................................................................................................................................... 43
5.5
Tested Combinations Policy .......................................................................................................................................................... 44
Compliance Letters .............................................................................................................................................................. 46
6.1
Legal Conditions and Restrictions ............................................................................................................................................... 46
6.2
Requesting a Compliance Letter.................................................................................................................................................. 47
6.3
Compliant Products List .................................................................................................................................................................. 47
6.4
Changes to Products with a Compliance Letter .................................................................................................................... 47
Lifecycle Management and Renewal of Compliance Letters ..................................................................................... 49
7.1
Secure Element Lifecycle Management .................................................................................................................................... 49
7.2
Secure Element Renewals ............................................................................................................................................................... 51
7.3
Mobile Handset and Accessory Renewals ............................................................................................................................... 52
7.4
Secure Element Products – Renewal Process ......................................................................................................................... 52
7.5
General Conditions and Exceptions............................................................................................................................................ 53
Appendix A ............................................................................................................................................................................. 54
A.1
B
C
Revision History .................................................................................................................................................................................. 54
Appendix B.............................................................................................................................................................................. 55
B.1
Testing Requirements for Changes to a Compliant Mobile Product ............................................................................ 55
B.2
Testing Requirements ...................................................................................................................................................................... 57
Appendix C ............................................................................................................................................................................. 68
C.1
Submission Requirements .............................................................................................................................................................. 68
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 4 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
1
Preface
Audience
1.1
This document is intended for vendors submitting the following mobile proximity payment
product configurations to Visa for testing:
•
Secure Element (UICC, microSD, embedded secure element)
•
Handset (HCE, UICC and eSE execution environments)
•
Mobile Accessory
•
Combinations of secure element, handset and accessory
Purpose
1.2
This document provides detailed information related to the Visa testing submission process and
the testing requirements for mobile proximity payment products. The intent of the document is to
identify the forms and documents needed to correctly submit products for testing. The document
also identifies testing requirements and process that are applied to specific mobile proximity
payment products that a vendor may submit.
Scope and Assumptions
1.3
The design of a mobile product with a payment application may vary significantly between
vendors and products, so it is necessary to make certain assumptions regarding common
functionality in order to perform testing on a mobile product while minimizing the effort and cost
of testing. These assumptions include but are not limited to the following:
June 2016
•
The mobile product complies with all required EMVCo and Visa contactless specifications
and Visa testing requirements.
•
An approved mobile payment applet developed to Visa Mobile Contactless Payment
Specification (hence forth referred to as “VMPA applet”) will reside on a GlobalPlatform
compliant secure element physically separated from the low level contactless analogue
interface component. Based on the product configuration digital functionality may or may
not be separated from the secure element.
•
The secure element complies with GlobalPlatform (GP) specifications and may be directly
connected to the proximity communication antenna (in this case, no separate contactless
digital interface component).
•
Products that are not developed GP specifications are outside the scope of this
document.
•
Testing for compliance does not include testing of the user interface application
(commonly referred to as a wallet).
•
The antenna and low level analogue interface components may be powered by the host
product’s battery or independently powered.
•
A handset shall be in an operational state. It shall be able to perform a payment
transaction without any remote activation of controls. However, it is not necessary for a
© 2010 - 2016 Visa. All Rights Reserved.
Page 6 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
handset to have an active subscription enabled on a Mobile Network Operator (“MNO”)
since testing is not performed when the handset is connected to the MNO.
•
For testing purposes, it shall be possible to remotely activate the contact and the
contactless interface via defined commands sent to a client application residing in the
handset. Refer to VMPA Test Tool Interface Requirements (Book 6).
•
For handsets with an Operating System that supports Host-based Card Emulation (HCE) –
Vendors must submit samples configured to support the secure element path for
payment and HCE path for payment.
•
This document does not address additional Visa regional business requirements that may
be required prior to deployment.
Support and Contact Information
1.4
Visa’s goals are to provide a formal, standardized process for testing mobile payment products
and to enhance communication between all participants in the product testing and compliance
process. Approval Services provides a single point of contact for vendors, testing laboratories and
Visa personnel.
Approval Services Contact Information
Contact Method
Contact Information
Email address:
ApprovalServices@visa.com
Visa Technology
Partner Website:
https://technologypartner.visa.com/Testing/
Address
Visa Inc.
(for sending legal
agreements and
samples for cross
testing)
Approval Services
Mailstop M4-2D
900 Metro Center Blvd.
Foster City, CA 94404, USA
Visa Business Requirements
1.5
This document addresses Visa’s testing requirements for mobile components; however, there are
some additional business requirements that may be required prior to any deployment in the Visa
system. Vendors should contact their regional Visa representative for details.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 7 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Vendor Registration and Licensing
1.6
All mobile payment product manufacturers must register on the Visa Technology Partner website
and have executed the appropriate testing agreement before they are eligible to submit a
product for testing.
A vendor that submits a product for Visa compliance testing is not required to license Visa mobile
specifications or mobile software from Visa if;
•
the product does not include a secure element, or
•
the product includes a secure element, but the vendor does not and will not have the
keys to access the security domain where the Visa-developed VMPA applet resides.
An example would be a handset submission that only supports HCE - a submission in which the
handset does not contain a built-in secure element or UICC that is to be included in the
compliance recognition from Visa.
Secure element suppliers and vendors who will be submitting products with a secure element and
have the keys to the security domain where the Visa-developed VMPA applet resides must license
the applicable Visa mobile specifications and software. Licensing is handled by the Visa
Technology Partner website.
A Visa-recognized laboratory (hereafter referred to in this document as “laboratory”) may only
accept mobile payment products for official compliance testing from vendors authorized by Visa.
Vendors wishing to perform debug “QA” testing at a laboratory do not need prior authorization
from Visa.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 8 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
The definitions for seeking to become a Visa mobile payment product vendor are described
below:
Vendor
Definition
Chip/OS Component
Supplier
The entity that supplies Chip/OS packages must have executed the necessary
agreements with Visa to allow it to submit chip/OS component packages (in
an ID1 card format) directly to Visa for testing.
Secure Element Supplier
The entity that provides the final Secure Element product and takes
responsibility for the entire package: operating system, application,
embedding of module and, when applies, the inlay/antenna.
Mobile Product Supplier
The entity that manufactures a mobile product capable of hosting the Secure
Element and performing a Visa mobile contactless transaction.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 9 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Specifications and Requirements
1.7
Vendors are responsible for licensing and developing their products to comply with the
appropriate specifications and requirements. The major relevant documents are listed in the table
below. This list is not exhaustive of all specifications and requirements that may be used in the
development of a Visa-compliant mobile payment product. The vendor developing a mobile
payment product is ultimately responsible for obtaining all specifications and requirements
relevant to the mobile payment product it submits for testing and compliance.
Documentation Acronyms
Document Acronym
Document Title
[EMV_SEWG]
EMVCo Security Evaluation Process
[EMV-CCP]
EMV Contactless Communication Protocol Specification. Also known as Book
D
[ETSI-001]
ETSI TS 102 613 UICC - Contactless Front-end (CLF) Interface; part 1 physical
and data link layer characteristics
[MA]
Multi-Access Specification for VMPA
[SIM-PROF]
SIM Profile Requirements for Functional Testing
[VCSP]
Visa Chip Security Program – Security Testing Process
[VMCPS]
Visa Mobile Contactless Payment Specification
[VMG-IUF]
Visa Mobile Gateway. Issuer Update Functional Specification
[VMG-IUP]
Visa Mobile Gateway. Issuer Update Protocol Specification
[VMG-SCF]
Visa Mobile Gateway. Secure Channel Functional Specification
[VMG-SCP]
Visa Mobile Gateway. Secure Channel Protocol Specification
[VMPA_MFPR]
Minimum Platform Functional Requirements for VMPA Implementations
[VMPA_TP]
Visa Mobile Contactless Payment Specification Functional Testing
Requirements
[VTKPM]
Visa Toolkit & Process Message Specification
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 10 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Terms and Definitions
1.8
Term
Definition
EMVCo
EMVCo exists to facilitate worldwide interoperability and acceptance of
secure payment transactions. It accomplishes this by managing and evolving
the EMV® Specifications and related testing processes. This includes, but is
not limited to, card and terminal evaluation, security evaluation, and
management of interoperability issues. Today there are EMV Specifications
based on contact chip, contactless chip, common payment application
(CPA), card personalisation, and tokenisation.
This work is overseen by EMVCo’s six member organisations—American
Express, Discover, JCB, MasterCard, UnionPay, and Visa.
Handset
Another term for a mobile device, usually a mobile phone handset
microSD
An extended and removable memory card which may integrate a Secure
Element. A memory card integrating a Secure Element may be plugged into
a mobile handset.
Mobile Application
The interface that manages the interactions between the handset user and
the VMPA applet. Also referred to as Visa Mobile Application or wallet.
Mobile Device
A portable electronic device with contactless and wide area communication
capabilities. Mobile devices include mobile phones and other consumer
electronic devices
Near Field
Communications
A short range contactless proximity technology based on ISO/IEC 18092,
which provides for ISO/IEC 14443 compatible communications
Secure Element
A tamper resistant module, capable of hosting applications in a secure
manner
SIM
Subscriber Identity Module – an application on a UICC for management of
mobile telephony authentication and functionality.
SWP
Single Wire Protocol – the electrical and protocol interface for connecting a
UICC to a contactless component. Defined by [ETSI-001]
UICC
Universal Integrated Circuit Card – the physical integrated circuit card which
hosts the (U)SIM and other applications
User Interface
Input and output components on a mobile device, for example, display,
keyboard and touch screen.
VMPA
Visa Mobile Payment Application—Visa Mobile Contactless Payment
application hosted in the Secure Element
VMPA Applet
A software application developed to [VMCPS] and [MA] that resides on a
Secure Element in a mobile device.
VMPA Core
A version of the VMPA applet that excludes functionality required by UICC
form factors.
VMPA UICC
A version of the VMPA applet that includes functionality required by UICC
form factors.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 11 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Abbreviations and Terminology
1.9
Abbreviation
Terminology
AID
Application Identifier
APDU
Application Protocol Data Unit
API
Application Programming Interface
AS
Approval Services
ATS
Answer to Select
CLF
Contactless Front-end
CPS
Card Personalization Specification
DES
Data Encryption Standard
ETSI
European Telecommunication Standards Institute
GP
GlobalPlatform
HCE
Host-based Card Emulation
HCI
Host Controller Interface, defined by ETSI TS 102 622
IC
Integrated Circuit
ICCN
Integrated Circuit Certificate Number
ICS
Implementation Conformance Statement
ISD
Issuer Security Domain
NFC
Near Field Communications
OS
Operating System
OTA
Over the Air
PCN
Platform Certificate Number
POS
Point of Sale
QA
Quality Assurance
RF
Radio Frequency
SE
Secure Element
SIM
Subscriber Identification Module
SWP
Single Wire Protocol, defined by [ETSI-001]
TTIA
Test Tool Interface Application
UAT
User Acceptance Testing
UI
User Interface
UICC
Universal Integrated Circuit Card
(U)SIM
Universal Subscriber Identification Module
VMPA
Visa Mobile Payment Application
VMCPS
Visa Mobile Contactless Payment Specification
VTKPM
Visa Toolkit and Process Message
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 12 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
2
Mobile Testing Overview
Visa oversees testing of mobile proximity payment products that will be used to conduct Visa
“payWave” payment transactions to ensure that they comply with Visa, GlobalPlatform and
EMVCo specifications and requirements.
Mobile products subject to such testing include, but are not limited to:
•
Secure Elements
•
Mobile Handsets
•
Combinations of Secure Elements and Mobile Handsets
•
Mobile Accessories
Depending on the configuration of the product submitted the testing process may involve:
•
Analogue and Digital (EMVCo Contactless Level 1)
•
Visa Cross Testing
•
Visa Mobile Payment Application testing (VMPA)
•
Secure Element Platform Functional testing (GP)
•
Secure Element Platform Security testing (EMV PCN)
•
Secure Element Visa Chip Security Program testing (VCSP)
If the mobile product meets Visa’s testing requirements, Visa issues a Compliance Letter to the
vendor. Visa’s compliance recognition applies worldwide unless geographic restrictions are
specified in the Compliance Letter.
Note: The process described in this document does not approve vendors; it only denotes that a
tested mobile product is compliant to Visa specifications and requirements.
Note: A Compliance Letter is not transferable from one vendor’s product to another product or
from one vendor to another vendor.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 13 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Products Accepted for Testing
2.1
This document covers the following configurations of mobile products for compliance testing:
•
UICC
•
Embedded Secure Element Component (alone /on board)
•
Handset (UICC Only)
•
Handset (HCE Only)
•
Handset (Secure Element and HCE)
•
Handset with UICC
•
Handset with Embedded Secure Element
•
microSD with an Internal Antenna
•
microSD without an Antenna
•
Handset with a microSD (Antenna within the Handset)
•
Mobile Accessory with embedded Secure Element (Antenna within the Mobile Accessory)
•
Mobile Accessory with removable Secure Element (Antenna within the Mobile Accessory)
Visa will decide in its sole discretion whether to accept alternative configurations of mobile
products for testing. Vendors should contact their regional Visa representative to determine if
Visa will accept their alternative mobile product configuration. The Vendor must provide a
complete description of the alternative mobile product to aid Visa in its decision-making.
Mobile Component Overview
2.2
To simplify the description of the testing program we have divided the mobile product into
component zones. These component zones identify areas within a mobile product that perform
different aspects of proximity “Visa payWave” mobile payment. The configurations and
components within these zones are subject to this testing program. Five zones have been
identified and are described in the following sections. Following the zone descriptions are
diagrams showing some of the common mobile component configurations of zones,
components, and the interfaces between these zones and components.
2.2.1 A: Secure Element Component
This component known as a Secure Element (SE) could also be identified by various names for the
different form factor/product such as UICC, embedded SE, or removable SE. This component
hosts the VMPA applet.
2.2.2 B: Contactless Interface Component
This component mainly performs the conversion of interfaces from an analogue signal to digital
contact based link such as SWP and HCI. As a most common implementation, the contactless
interface component is expected to be a Near Field Communication device.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 14 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
This module may incorporate a router to direct the contactless communication to various Secure
Elements on the handset and to the handset itself. In this case the functionality of the component
extends beyond interface conversion.
In some cases, the Secure Element component (A) may be capable of receiving analogue signals
with an ability of analyzing them to the digital (contactless protocol) level. In such configurations,
there is no component B.
2.2.3 C: Proximity Communication Antenna
This component captures and transmits Radio Frequency (electromagnetic field) analogue signals
with an external device such as a contactless-enabled POS terminal.
2.2.4 D: Handset Device
This component incorporates the previously described components as well as others related to
the mobile wireless network. It also hosts the handset part of the Visa Proximity Mobile Payment
Application, such as the user interface application (referred to as the wallet).
2.2.5 E: Mobile Application
This component is the software application resident on the mobile device that consumers use to
interact with their mobile device to access a product or a service. For Visa cloud-based payments,
Mobile Applications typically include, but are not necessarily limited to, mobile banking
applications or mobile wallet applications.
2.2.6 MA: Mobile Accessory
This component is a peripheral unit to a mobile device. It may or may not be physically connected
to the mobile device.
2.2.7 Interaction between Components
Although the mobile product components must go through testing that is required for Visa, Visa
testing focuses on the secure element (hosting the VMPA applet) and the contactless interface
components. The tests that are performed and the tests that are out of scope are described in this
document.
The following diagrams represent possible arrangements of components in a mobile product. The
diagrams indicate areas tested, areas not tested, and interfaces that may be exercised during
testing.
The following diagrams are shown in different colors, which signify the following:
June 2016
•
Green: indicates the Secure Element component and some of the technologies that may
be implemented in that component
•
Blue: indicates the Contactless Interface component and some of the technologies that
may be implemented in that component
•
Red:
indicates the Proximity Communication Interface component and some of the
technologies that may be implemented in that component
•
Black: indicates the Handset component and some of the technologies that may be
implemented in that component
© 2010 - 2016 Visa. All Rights Reserved.
Page 15 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
•
Orange: indicates the mobile application component and some of the technologies that
may be implemented in that component.
The figures that follow show the component zones A, B, C, D, E, MA that are subjects of the
testing and compliance process. These diagrams are simplified models used to represent what is
usual and expected in today’s mobile payment products. These diagrams are not based on any
specific mobile payment product.
2.3
Mobile Component Descriptions
2.3.1 Components with a Secure Element
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 16 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
2.3.2
Components with HCE Capability
2.3.3 Components with a Secure Element and HCE Capability
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 17 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
2.3.4 Components without a Contactless Interface Component
- GP (contact)
- GP (contactless)
- OTA channel
- Security
Implementation
- Digital
- Etc
A
D
- UI
- Security
Implementation
- OTA Channel
Phone
Baseband
T0
Analog
C
2.3.5 Components with a Removable microSD with Internal Antenna
D
A
C
SD I/O
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 18 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
2.3.6 Components with a Removable microSD with Antenna in the
Handset
2.3.7 Components with a Mobile Accessory with a Secure Element
Secure
Element
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 19 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
UICC or Embedded Secure Element Component
2.4
A vendor can submit a secure element for testing that is developed according to GP
specifications.
Prior to submitting the UICC or eSE for testing the vendor must ensure that the chip is listed on
EMVCo’s Approved Chips List and the platform is listed on EMVCo’s Approved Platforms List. See
Section 3.0 regarding Security Testing.
The Visa Compliance Letter will address the product’s ability to host a VMPA applet and complete
a Visa payWave payment transaction. At the very minimum, platforms must support the Visa
Minimum Functional Platform Requirements for VMPA Implementations [VMPA_MFPR]. All other
functionality (e.g. Single Wire Protocol (SWP) interface) is out of scope of Visa’s compliance
testing. It is the vendor’s responsibility to ensure proper compliance to the respective standards
issued by other organizations such as ETSI.
2.4.1 UICC or Embedded Secure Element Component
This configuration is of a UICC or stand-alone embedded secure element.
The following table describes the scope of the tests.
Test Type
Cross-Testing
Test Extent
Zone Subject
to Testing
Supporting Specification(s)
UICC: Applicable
eSE: Not Applicable
Visa Application Testing
Applicable
A
[VMCPS]
GP Platform Functional
Testing
Applicable
A
Refer to GlobalPlatform
Platform Certification
Testing
Applicable
A
Refer to EMVCo
Visa Security Testing
Applicable
A
[VCSP]
Note: If the configuration includes built-in contactless digital protocol technology, digital testing
is required.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 20 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Handsets
2.5
A vendor may submit a handset in the following product configuration:
•
Handset (Secure Element Only)
•
Handset (HCE Only)
•
Handset (Secure Element and HCE)
•
Combinations:
o
Handset with a UICC
o
Handset with an Embedded Secure Element
o
SE may be removable or embedded.
Handsets with HCE Capability
Visa has developed a Level 1 Test Application (hereafter referred to in this document as “L1 Test
Application”) to be used on HCE capable handsets for Contactless Level 1 testing. The L1 test
application is modeled after the UICC profiles document available from EMVCo. The L1 test
application has been developed to support an Android OS. For other OS implementations contact
Approval Services.
The L1 test application package is available to download on the Visa Technology Partner website
through a click license. The package includes the application, ICS for HCE, and the test application
product setup guidelines document.
HCE testing is mandatory for all HCE capable handsets submitted for testing and compliance.
2.5.1 Handset (UICC Only)
This configuration is of a handset that is NFC-enabled (supports a UICC). The Compliance Letter is
for the handset only.
The testing and compliance process cannot be performed in a handset that is not capable of
supporting a UICC.
The UICC used in the handset to perform testing will not be included in the Compliance Letter.
The UICC is only used to facilitate testing of the handset and is not an evaluated component of
the submitted handset.
Contactless protocols tested include Type A and Type B.
The following table describes the scope of the tests.
Test Type
Test Extent
Analog
Applicable
B+C
[EMV-CCP]
Digital
Applicable
B+C
[EMV-CCP]
Cross-Testing
Applicable
June 2016
Zone Subject
to Testing
© 2010 - 2016 Visa. All Rights Reserved.
Supporting Specification(s)
Page 21 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
2.5.2 Handset (HCE Only)
This configuration is of a handset that is NFC-enabled and the handset OS is HCE capable.
For testing purposes, the vendor is required to provide the handset configured to use the HCE
path for Contactless Level 1 testing. For cross testing, the handsets provided should be in such a
state that Approval Services may be able to load a test application.
Contactless protocols tested include Type A and Type B.
The following table describes the scope of the tests.
Test Type
Test Extent
Zone
Subject to
Testing
Supporting
Specification(s)
Testing Path
Analog
Applicable
B+C
[EMV-CCP]
HCE
Digital
Applicable
B+C
[EMV-CCP]
HCE
Cross-Testing
Applicable
HCE
2.5.3 Handset (Secure Element and HCE)
This configuration is of a handset that is NFC-enabled (supports a removable or an embedded SE)
and the handset OS is HCE capable.
For testing purposes, the vendor is required to provide an additional handset configured to use
the HCE path for Level 1 Contactless testing. For cross testing, the handsets provided should be in
such a state that Approval Services may be able to load a test application.
For handsets that support a removable secure element, the secure element used in the handset to
perform testing will not be included in the Compliance Letter. The secure element is only used to
facilitate testing of the handset and is not an evaluated component of the submitted handset.
Contactless protocols tested include Type A and Type B.
The secure element is a compliant product.
The following table describes the scope of the tests.
Test Type
Test Extent
Analog
Applicable
Digital
Applicable
Cross-Testing
Applicable
Zone
Subject to
Testing
Supporting
Specification(s)
Testing Path
B+C
[EMV-CCP]
SE
B+C
[EMV-CCP]
SE and HCE
SE - Full and
HCE - Selective
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 22 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
2.5.4 Combinations
A vendor may submit the following combinations to obtain a Compliance Letter that covers both
the mobile device and secure element:
•
Handset with a UICC
•
Handset with an embedded Secure Element
Note: The handsets described in this section does not support HCE.
Either of these combinations will be subjected to the combined Secure Element and handset
requirements. The following table describes the scope of the tests.
The following table describes the scope of the tests.
Test Type
Test Extent
Zone Subject
to Testing
Supporting Specification(s)
Analog
Applicable
B+C
[EMV-CCP]
Digital
Applicable
B+C
[EMV-CCP]
Cross-Testing
Applicable
Visa Application Testing
Applicable
A
[VMCPS]
GP Platform Functional
Applicable
A
Refer to GlobalPlatform
Platform Certificate
Testing
Applicable
A
Refer to EMVCo
Visa Security Testing
Applicable
A
[VCSP]
MicroSD
2.6
A vendor can submit a microSD for testing that is developed according to GP specifications.
Prior to submitting the microSD for testing the vendor must ensure that the embedded secure
elements chip is listed on EMVCo’s Approved Chips List and the platform is listed on EMVCo’s
Approved Platforms List. See Section 3.0 regarding Security Testing.
The embedded secure element hosts the VMPA applet and Proximity Payment System
Environment (PPSE) applications.
The proximity communication antenna is used to transmit and receive radio frequency
(electromagnetic field) analogue signals to and from an external payment device directly to and
from the microSD. This allows resident payment applications in the secure element to exchange
commands related to payment transactions with an external payment device via the contactless
interface.
Note: The contact interface between the handset and the microSD is beyond the scope of this
document.
For testing purposes only, a vendor shall be required to supply a handset with a TTIA in order to
execute VMPA functionality. For more information refer to Book 6 - VMPA Test Tool Interface
Requirements, available to download on the Visa Technology Partner website.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 23 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
The Visa Compliance Letter will address the product’s ability to host a VMPA applet and complete
a Visa payWave payment transaction. At the very minimum, platforms must support the Visa
Minimum Functional Platform Requirements for VMPA Implementations [VMPA_MFPR]. All other
functionality (e.g. Single Wire Protocol (SWP) interface) is out of scope of Visa’s compliance
testing. It is the vendor’s responsibility to ensure proper compliance to the respective standards
issued by other organizations such as ETSI.
2.6.1 MicroSD with an Internal Antenna
This configuration consists of a microSD and a proximity communication antenna in a single unit.
Visa approves microSDs with a secure element and internal antenna as a standalone component,
independent of use in combination with any particular handset(s). However, because the testing
necessarily requires use of a reference handset, the Compliance Letter shall state “as tested with”
followed by the handset model name that was provided by the vendor for testing purposes.
Visa does not issue Compliance Letters covering other potential combinations of the product with
different handset models that were not used in testing, unless and until the vendor submits those
specific combinations for testing by Visa and they are found to be compliant with Visa’s
applicable testing requirements.
The following table describes the scope of the tests.
Test Type
Test Extent
Zone Subject
to Testing
Supporting Specification(s)
Analog
Applicable
A+C
[EMV-CCP]
Digital
Applicable
A+C
[EMV-CCP]
Cross-Testing
Applicable
Visa Application Testing
Applicable
A
[VMCPS]
GP Platform Functional
Applicable
A
Refer to GlobalPlatform
Platform Certificate
Testing
Applicable
A
Refer to EMVCo
Visa Security Testing
Applicable
A
[VCSP]
2.6.2 MicroSD (No Antenna)
This configuration consists of a microSD without the proximity communication antenna.
Note: The Compliance Letter will state that the testing did not include timing tests as defined in
Visa’s specifications.
The following table describes the scope of the tests.
Test Type
Test Extent
Digital
Applicable
Zone Subject
to Testing
Supporting Specification(s)
A
[EMV-CCP]
(No Transaction Timing)
Cross-Testing
Applicable
Visa Application Testing
Applicable
A
[VMCPS]
GP Platform Functional
Applicable
A
Refer to GlobalPlatform
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 24 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Platform Certificate
Testing
Applicable
A
Refer to EMVCo
Visa Security Testing
Applicable
A
[VCSP]
2.6.3
MicroSD with Handset (Antenna within the Handset)
This configuration consists of a microSD with an embedded secure element submitted in
combination with a handset containing a contactless communication antenna.
The following table describes the scope of the tests.
Test Type
Test Extent
Zone Subject
to Testing
Supporting Specification(s)
Analog
Applicable
A+C
[EMV-CCP]
Digital
Applicable
A+C
[EMV-CCP]
Cross-Testing
Applicable
Visa Application Testing
Applicable
A
[VMCPS]
GP Platform Functional
Applicable
A
Refer to GlobalPlatform
Platform Certificate
Testing
Applicable
A
Refer to EMVCo
Visa Security Testing
Applicable
A
[VCSP]
MicroSD with Handset (Antenna Within the Handset)
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 25 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Mobile Accessory
2.7
A mobile accessory is a unit attached to a mobile device via various proprietary methods. A
vendor can submit a secure element for testing that is developed according to GP specifications.
Prior to submitting the secure element for testing the vendor must ensure that the embedded
secure element’s chip is listed on EMVCo’s Approved Chips List and the platform is listed on
EMVCo’s Approved Platforms List (see Security Testing).
The embedded secure element hosts the approved VMPA applet and Proximity Payment System
Environment (PPSE) applications.
The proximity communication antenna is used to transmit and receive radio frequency
(electromagnetic field) analogue signals to and from an external payment device directly to and
from the secure element. This allows resident payment applications in the secure element to
exchange commands related to payment transactions with an external payment device via the
contactless interface.
Note: The attachment interface between the handset and the accessory is beyond the scope of
this document.
The Compliance Letter will address the product’s ability to host the VMPA applet and complete a
Visa payWave payment transaction. At the very minimum, platforms must support the Visa
Minimum Functional Platform Requirements for VMPA Implementations [VMPA_MFPR]. All other
functionality (e.g. Single Wire Protocol (SWP) interface) is out of scope of Visa’s compliance
testing. It is the vendor’s responsibility to ensure proper compliance to the respective standards
issued by other organizations such as ETSI.
2.7.1 Mobile Accessory with a Secure Element (Antenna within the
Accessory)
This configuration consists of a mobile accessory with a secure element (either an embedded or
removable) and a proximity communication antenna in a single unit.
For testing purposes only, a vendor is required to supply a handset with a Test Tool Interface
Application residing on the mobile device. For more information refer to Book 6 - VMPA Test Tool
Interface Requirements, available to download on the Visa Technology Partner website.
Visa approves the mobile accessory with a SE as a standalone component, independent of use in
combination with any particular handset(s). However, because the testing necessarily requires use
of a reference handset, the Compliance Letter shall state “as tested with” followed by the handset
model name that was provided by the vendor for testing purposes.
Visa does not issue Compliance Letters covering other potential combinations of the product with
different handset models that were not used in testing, unless and until the vendor submits those
specific combinations for testing by Visa and they are found to be compliant with Visa’s
applicable testing requirements.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 26 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
The following table describes the scope of the tests.
Test Type
Test Extent
Zone Subject
to Testing
Supporting Specification(s)
Analog
Applicable
A+C
[EMV-CCP]
Digital
Applicable
A+C
[EMV-CCP]
Cross-Testing
Applicable
Visa Application Testing
Applicable
A
[VMCPS]
GP Platform Functional
Applicable
A
Refer to GlobalPlatform
Platform Certificate
Testing
Applicable
A
Refer to EMVCo
Visa Security Testing
Applicable
A
[VCSP]
Component Specification and Compliance
2.8
The components described in this document are developed based on specifications defined by
various standards bodies such as GlobalPlatform or EMVCo.
Visa acknowledges that some of these organizations have developed a compliance program for
their respective specification and Visa will incorporate those programs into Visa’s compliance
process. Among these various compliance programs, certain plans exist that grant testing
laboratories the following:
June 2016
•
The right to perform the tests
•
The authority to provide test results
•
The authority to certify the component
© 2010 - 2016 Visa. All Rights Reserved.
Page 27 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
3
Security Testing
Security testing is required for the secure element hosting the VMPA applet. It is not currently
applicable to other components of a mobile product, such as the NFC device containing the
contactless interface components.
Security testing goes beyond the functional testing to help determine whether the secure element
is vulnerable to known attacks, whether or not these are explicitly cited in the specification.
Security testing is not exhaustive and focuses on the most likely vulnerabilities as revealed by
previously conducted testing, knowledge of the particular application(s), and past experience with
similar products. The Visa Chip Security Program (VCSP) seeks to minimize the cost and time
spent in performing evaluation work and, where possible, to avoid duplication of effort. A copy of
the VCSP process document can be downloaded from the Visa Technology Partner website.
The VMPA applet must only be loaded on an EMVCo approved platform. EMVCo issues a
platform certificate with a Platform Certificate Number (PCN) for platform products that
successfully complete the EMVCo security evaluation process [EMV-SEWG]. Visa will accept new
mobile products only if the secure element has successfully completed the EMVCo testing and is
posted on the EMVCo Approved Chip and Approved Platform Lists.
The VMPA applet residing on the EMVCo approved platform must successfully complete a Visa
composite security evaluation (e.g., platform with VMPA applet) with “High” as required level of
assurance (see [VCSP]) by a Visa recognized security lab.
The security testing laboratory must verify that the final composite product fulfills all the platform
requirements as documented in the latest EMVCo Shared Evaluation Report (SER). This document
defines what security mechanisms are implemented by the platform and the scope of previously
performed security testing. It provides mandatory security requirements and highlights areas of
potential concern.
Any pre-loaded or future (post-issuance) application loaded on the secure element must not
impact the security of the Visa payment application assets. Each application must pass the byte
code verifier and must meet all requirements in the latest platform security guidance documents.
If the mobile product is based on an open EMVCo platform product, composite security
evaluations of basic applications should comply with the GP Composition Model principles.
If the mobile product is a closed platform product and there is a change, then a VCSP delta
security evaluation is required.
Note: Visa composite security evaluation can be authorized once the EMVCo platform security
evaluation has started. In this case, the vendor must acknowledge that starting the
composite evaluation prior to EMVCo approval is at own risk and cost.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 28 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
For More Information
For detailed information on the EMVCo ‘Platform’ Security Evaluation process, please see EMVCo
Security Evaluation Process document [EMV-SEWG] available at www.emvco.com, or contact the
EMVCo Security Evaluation Secretariat at securityevaluation@emvco.com with any questions
about the process.
For further information on the Visa chip security testing process [VCSP], please refer to the “Visa
Chip Security Program – Security Testing Process” document on the Visa Technology Partner
website.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 29 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
4
Certification Process, Laboratories and Documentation
4.1
Certification Process Overview
PRODUCT SUBMISSION AND COMPLIANCE TESTING PROCESS
INITIAL STAGE
TESTING STAGE
SUBMISSION STAGE
REVIEW STAGE
Approval Services
Reviews
Questionnaire and
Determines Testing
Requirements
Vendor and
Laboratories
Schedule Test Slot
Laboratory Provides
Test Results to
Vendor
Visa Reviews Test
Results
Vendor Notified of
Testing
Requirements
Vendor Provides
Visa Forms &
Samples to
Laboratories
Vendor Authorizes
Laboratories to
Release Test Results
to Visa
Test Results
Meet Visa’s
Requirements?
Complete Mobile
Questionnaire
No
Failure Notification
Issued
Yes
Chosen Laboratories
Authorized for
Visa Testing
June 2016
Laboratories
Perform
Authorized
Testing
Laboratories send
Test Results to Visa
© 2010 - 2016 Visa. All Rights Reserved.
Compliance Letter
Issued
Page 30 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Certification Areas By Organization
4.2
To reduce the duplication of testing for vendors, Visa’s program utilizes testing and certification
programs offered by EMVCo and GlobalPlatform.
Depending on the configuration and technical specifications of the mobile product, Visa may
require the product to have been certified by those organizations prior to submitting the product
to Visa.
Visa’s program covers Secure Elements, Handsets, Accessories, and combinations thereof, with
different testing requirements for each. See Appendix C for testing requirements by product
configuration.
EMVCo’s certification programs cover chips and platforms used for Secure Elements, whether
embedded or removable. In addition, they offer Contactless EMV Level 1 testing for mobile
products.
GlobalPlatform’s certification program covers functional platform qualification for Secure
Elements, whether embedded or removable.
Furthermore, a product being tested by more than one organization may also be performed in
parallel (e.g. Visa testing, GlobalPlatform testing), again at the request of the vendor and at their
own risk.
The following table shows which areas of testing each organization qualifies:
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 31 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
EMVCo Mobile Product Level 1 Testing
4.3
Visa requires products to receive an EMVCo issued Test Assessment Summary or Letter of
Approval in lieu of testing requirements managed by Visa, if EMVCo offers the testing.
If the Test Assessment Summary or Letter of Approval is not available at the time of the product
submission to Visa, the vendor is responsible for providing the Test Assessment Summary or
letter before Visa will determine whether the product meets Visa’s requirements and issue a
Compliance Letter.
Note: Visa does not issue a Compliance Letter for a product with an EMVCo Letter of Approval that
does not require further testing required by Visa.
Vendors are required to provide the EMVCo Level 1 ICS with the Test Assessment Summary or
Letter of Approval.
If Visa requires other testing on the submitted product this may be done in parallel with the
EMVCo process.
Visa will continue to accept EMVCo’s process as they continue to expand the scope of products
accepted.
GlobalPlatform Qualification Testing
4.4
A vendor can submit a secure element for testing that is developed according to GlobalPlatform
(GP) specifications.
GlobalPlatform manages the platform functional testing for GP platforms.
Visa only accepts official GP test results performed by a GP-qualified laboratory. Self-testing
results are not accepted as proof of specification compliance.
Vendors shall provide a SCO Form and Qualification Letter from GP to Visa in support of their Visa
submission process.
Visa requires Secure Elements to have a Qualification Letter issued by GlobalPlatform prior to the
issuance of the Visa Compliance Letter.
Vendors who are unable to receive a Letter of Qualification from GP because their product does
not support all mandatory GP requirements may request a Compliance Assessment Report (CAR)
from GP.
Visa will only review a final GP CAR. As an exception process, vendors who provide a GP CAR to
Visa where the product meets Visa’s minimum functional platform requirements may be eligible
to receive a Compliance Letter from Visa without a Letter of Qualification from GP. Refer to Visa
Minimum Platform Functional Requirements for VMPA Implementations [VMPA_MFPR] for
technical requirements.
More information about the GlobalPlatform compliance testing process can be found on their
website at http://www.globalplatform.org/complianceupdates.asp.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 32 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Cross Testing
4.5
Visa performs cross testing (also referred to as interoperability testing). Cross testing is part of the
official testing process and the performance during this testing will be part of the final compliance
consideration. Products that fail to communicate with various devices may not be eligible for
compliance.
For more information refer to the Vendor Guide For Interoperability Testing on the Visa
Technology Partner website.
Note: Visa is not permitted to disclose information about the terminals used to obtain the cross
testing results.
EMVCo also offers cross testing, referred to as terminal interoperability testing, as part of its
mobile product level 1 type approval process. Visa accepts an EMVCo Letter of Approval in lieu of
cross testing.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 33 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Test Plans and Test Tools
4.6
Test plans and commercial test tools with associated test scripts are available to assist vendors in
quality assurance (QA) testing. These test tools are not intended as a replacement for Visa testing.
Successful completion of all the test scripts by the vendor does not imply compliance, nor does it
duplicate Visa’s full testing process.
Visa reserves the right to develop and run additional tests that are not defined as part of the
current test plans or tools. Visa testing may include subjecting the product to additional physical
and situation-specific tests as needed.
Commercial test tools and test scripts are available from test tool suppliers. Vendors must have
licensed the Visa mobile specification and software before acquiring the mobile test tools.
Information about Visa test tools can be found at
https://technologypartner.visa.com/Testing/TestPlans.aspx.
Information about EMVCo test tools can be found at www.emvco.com.
Information about GlobalPlatform test tools can be found at www.globalplatform.org.
The following Visa test plans are available on the Visa Technology Partner website to licensed
users:
•
Visa Mobile Payment Application (VMPA)
•
Visa Toolkit and Process Message (VTKPM)
Before requesting a test plan, the following agreements need to be executed with Visa:
•
All applicable Visa Technology License Agreements. Technology licensing is handled on the
Visa Technology Partner website.
•
Approval Services Testing Agreement for Mobile Proximity Payment Products (ASTA) or
Approval Services Documentation License Agreement
Possession and use of these materials is subject in all respects to the terms of the ASTA or
documentation license agreement.
Test plans and test scripts are subject to enhancements and modifications at any time. Test plan
revisions will be accumulated and made available to vendors with new releases as determined by
Visa. It is the vendor’s responsibility to ensure that they have the most current test plan available.
Vendors should contact their tool supplier to obtain any test script updates. Test case updates are
published in the query application on the Visa Technology Partner website, available to
authorized users only.
Visa grants permission to use the test plans solely for purposes of QA testing for use in
connection with a Visa payment application. Visa may revoke its permission at any time for any or
no reason. Possession and use of these materials is subject in all respects to the terms of the
ASTA or documentation license agreement. Test plans and all intellectual property subsisting
therein are the property of Visa. THESE MATERIALS ARE PROVIDED ON AN “AS IS” BASIS “WITH
ALL FAULTS. VISA DISCLAIMS ALL WARRANTIES PERTAINING TO THESE MATERIALS, EXPRESSED
OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR
PURPOSES, OR NON INFRINGEMENT.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 34 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Test Laboratories
4.7
The list of Visa-Recognized Laboratory’s is available on the Visa Technology Partner website.
Testing will not begin until the laboratory has received all required items. If any required item is
incorrect or non-functioning, the test slot may be delayed.
Please contact the Laboratory for pricing and to arrange scheduling of testing.
When testing is complete, the Laboratory will provide the vendor with a report outlining the test
results.
The vendor is required to grant authorization for the Laboratory to provide the test reports to
Approval Services.
Approval Services will evaluate the test results and provide the vendor with information about the
usability of the product in Visa deployments.
Starting the Product Submission Process
4.8
Before submitting any mobile product for testing, vendors must execute the current Approval
Services Testing Agreement for Mobile Proximity Payments (ASTA) with Approval Services (see
Section 1.7).
Additionally, vendors will also need to execute any agreements required by the Laboratory that
performs the testing.
Once the legal agreements have been executed, vendors are eligible to submit the necessary
paperwork to start the testing process.
A questionnaire is required by Approval Services to start the product submission process.
The following table lists the forms required for product testing. All the Visa forms are available on
the Visa Technology Partner website. All information must be provided in English.
Note: Some forms may be combined into a single document.
Documentation Required for Testing and Evaluation
Form
Description
Approval Services Mobile
Product Questionnaire
Information regarding the submission of a mobile product for
testing. Allows Visa to determine whether the mobile product is
eligible for submission.
Exhibit A: Request for Testing
Services or Request for Testing
Review (addendum to ASTA)
Establishes Visa’s right to review results submitted by the vendor,
following testing at a laboratory. Handset-only submissions will use
the Request for Testing Review form. All other submissions shall
use the Request for Testing Services form.
Implementation Conformance
Statement (ICS)
Detailed information regarding the Visa payment application,
platform, or interface.
A separate statement is required for each:
Request for Compliance Form
June 2016
•
Contactless Interface Analogue & Digital
•
VMPA (including VTKPM)
Official request for Visa to begin the compliance review for a
mobile product tested at a laboratory.
© 2010 - 2016 Visa. All Rights Reserved.
Page 35 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Form
Description
Single Production Batch
Confirmation Form
Declares that the secure elements supplied to the laboratories and
Approval Services are all from the same production batch and are
identical. Only required for configurations involving secure
elements.
Mobile Vendor Confirmation
Form
Attests that a compliant product has been changed and remains
compliant with the Visa specifications, policies and requirements.
Additional Documentation Required for Testing and Evaluation
Form
Description
GlobalPlatform Letter of
Qualification (or Conformance
Assessment Report) and SCO
Form
Vendors whose product has gone through GlobalPlatform
functional testing shall provide the long version of the LOQ
including any Conformance Assessment Report (if applicable) and
the SCO Form. See section 4.4.
EMVCo Platform Certificate
Vendors whose product has gone through EMVCo platform security
testing shall provide a copy of the certificate if the platform is not
published on EMVCo’s Approved Platforms List on their website.
EMVCo Test Assessment
Summary or Letter of Approval
Vendors whose product that has gone through EMVCo Mobile
Product Level1 Type Approval process shall provide a copy of the
Test Assessment Summary or letter including the associated EMVCo
ICS.
EMVCo Mobile Product Level 1
Minor Change Declaration Form
Vendors whose product has gone through EMVCo Mobile Product
Level 1 Minor Change Declaration Form process may provide a
copy of the signed form along with the acknowledgment from
EMVCo.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 36 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
5
Submission of Testing Materials for Functional Testing
This section details the materials that the vendor must submit to the laboratory for Visa functional
testing. Refer to Appendix C for detailed requirements by product configuration.
5.1
Requirements for Product Submission
5.1.1 FOR ALL PRODUCT CONFIGURATIONS
Products submitted for testing must be in the final configuration that will be deployed
commercially. The exception is Embedded Secure Element Components, which are accepted
for testing prior to embedding in a handset or mobile accessory.
All debugging code must be removed from the product before it is submitted for testing.
Failure to remove this code may cause the product to fail testing.
5.1.2 FOR SECURE ELEMENTS
Secure Elements must contain a Visa-approved VMPA applet and PPSE applet, pre-installed
and personalized.
Secure elements containing a Visa-developed VMPA applet shall be provided as follows:
o
the Visa Library loaded (if VMPA Core is used)
o
the VMPA applet loaded, Container installed and VMPA personalized with images
Mobile00, 30 or 35 depending on the test (as defined in [VMPA_TP])
o
SIM profile configured as described in [SIM-PROF]
o
A Proximity Payment System Environment (PPSE) applet installed and configured.
o
VMPA shall be personalized according to the submitted VMPA ICS form. The ICS form
shall accurately represent the personalization of the samples.
EMV CPS personalization is required to personalize the VMPA applet. If the mobile product
allows multiple application instances with pre-personalized images, the documentation must
also explain how to select among the different applications with specific instruction on how to
obtain the application image(s) needed for Visa’s testing requirements.
A microSD shall be able to perform contactless transactions with the handset switched on. Visa
does not require the microSD to be able to perform contactless transactions with the handset
switched off; however, if this functionality is implemented, it must be stated in the
accompanying documentation.
All commands and status words for UICCs and microSDs must be identified in the technical
documentation submitted with the UICC and microSD for testing. Failure to identify
commands and status words in the technical documentation may cause the product to fail
testing. Commands that can update the product must be in compliance with the Visa
specifications.
Products should be clearly marked with the Visa Reference Number, the VMPA applet version
and build number, and mobile image the VMPA applet was personalized with.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 37 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
5.1.3 FOR HANDSETS AND ACCESSORIES
The vendor must include all cables and batteries required to operate the product including
detailed operating instructions and how to configure the device for NFC communication.
Products should be marked to show the location of the zero point. If the product is intended
to be used in a defined orientation and/or presentment, this information must be
communicated to Approval Services and the laboratory as part of the product submission.
Products should be clearly marked with its assigned Visa Reference Number.
A user guide detailing how to operate the product and access the payment application must
be provided.
Vendors who are submitting a product utilizing an embedded secure element and have not
licensed the Visa specifications and mobile software should consult with their embedded
secure element provider on providing VMPA installed and personalized for testing a
completed VMPA ICS form, and a Test Tool Interface Application.
If providing a handset, it shall be configurable in a manner that allows a test environment to
be setup for testing. This test environment may be comprised of one of the following:
o
A mechanism or test application residing on the handset (zone D) which allows the
phone to remain on for multiple transactions avoiding any end-user intervention in
order to perform in batch mode: contactless analogue, contactless digital,
GlobalPlatform functional, and VMPA testing
o
A test configuration of the contactless analogue and digital interface components
avoiding any interference of any other proprietary contactless application/protocol in
order to perform in batch mode: contactless analogue, contactless digital,
GlobalPlatform functional, Cross Testing, and VMPA testing.
o
A Test Tool Interface Application is required on the handset if VMPA testing is
required.
If there are any changes to the product after the testing authorization has been sent Approval
Services is required to be notified and the testing requirements to be reassessed. If samples
have been sent to the Laboratory, new samples are required to be resent to all Laboratories.
5.1.4 FOR PRODUCTS WITH HCE CAPABILITY
In addition to the submission requirements mentioned above:
June 2016
•
The vendor must provide the Contactless Level 1 laboratory with at least two samples for
testing. For products supporting a secure element and HCE, one sample should be
configured to use HCE and the other sample should be configured to use the secure
element.
•
The vendor must provide Approval Services with at least two samples for cross testing.
For products supporting a secure element and HCE, one sample should be configured to
use HCE and the other sample should be configured to use the secure element.
•
Alternatively the vendor can provide instructions to the laboratory on how to configure
the product between the secure element and HCE paths.
© 2010 - 2016 Visa. All Rights Reserved.
Page 38 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
5.1.5 SHIPPING
Vendors shall indicate, either directly on the product samples or on the shipping
documentation, the Visa Reference Number of the product(s) being tested and contained in
the shipment.
The shipper is responsible for completing and providing all required US Customs forms,
including FCC Form 740 if required. The shipper shall be liable for any and all costs associated
with releasing an impounded shipment seized by US Customs due to missing or incomplete
paperwork.
Note: Testing will not begin until the laboratory has received all required items. If any required
item is incorrect or non-functioning, the test slot may be delayed.
Vendors have six months from the date Approval Services authorized the laboratory
testing to submit all test results to Approval Services for review.
After testing is complete, the Laboratory and/or Visa will retain the tested components
for any subsequent testing that may be required.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 39 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Over the Air (OTA) Testing
5.2
Visa testing and compliance process does not test all aspects of Over-the-Air personalization
(OTA) functionality (refer to [VMPA_PROC]).
Approval Services tests the UICC, and handset with embedded Secure Element (SE) and their
involvement with OTA functionality.
Visa tests the UICC GlobalPlatform content management and personalization functionality to
ensure that the UICC is able to handle all APDU commands via the contact interface in regards to
OTA.
Visa tests a product with embedded SE according to GlobalPlatform content management and
personalization functionality to ensure that the product with embedded SE is able to handle all
commands in regards to OTA.
Visa tests the VMPA applet to ensure its adherence to EMV Common Personalization commands
that are involved with any OTA personalization.
Visa has the capability to perform OTA tests during type approval of UICC and products with
embedded Secure Element.
The vendor submitting a mobile product that supports OTA functionality must provide a
simulated or an actual OTA host.
The OTA host must provide the tester a means to issue OTA commands to the mobile product.
The OTA host must also provide a means for the tester to view and analyze responses sent from
the mobile product back to the OTA host.
The OTA host must also provide a means to log all of the OTA commands and responses sent
during a test session.
The OTA host must provide a means to save the log as a file and provide a means to print the log
from the current test session or from a file saved from a previous test session.
For products with embedded SE such OTA functionality may include an application to be loaded
and run on the product to facilitate the communication with the embedded SE.
The OTA simulator shall provide a means so that the Visa Test Script Execution Tool is able to
establish a connection to the simulator, or alternatively imports and executes the Visa test scripts.
If the product is UICC and supports SWP/HCI interface then Visa accredited testing equipment is
able to perform the OTA tests without requiring a vendor provided OTA host.
Please refer to VMPA Test Tool Interface Requirements (Book 6) for detailed information.
The following figure shows a high level diagram of such OTA system provided by vendors when
testing a UICC.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 40 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
OTA with UICC
The access point to the actual OTA host shall provide a means so that the Visa Test Script
Execution Tool is able to establish a connection to the remote OTA server, or imports and
executes the Visa test scripts.
The following figure shows a high level diagram of such OTA system provided by vendors when
testing a product with embedded SE.
OTA with Embedded Secure Element
If such simulated or actual OTA host is not provided the compliance statement will exclude the
conformance of the product in regards to OTA functionalities.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 41 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Testing Over a Contact Interface
5.3
When Approval Services tests a microSD or mobile product with embedded Secure Element over
the contact interface, Visa tests the GlobalPlatform content management and personalization
functionality to ensure that the component is able to handle all APDU commands destined for the
Secure Element via the contact interface. Visa also tests the Visa-approved VMPA applet to ensure
its adherence to EMVCo Common Personalization commands and the Issuer Update commands
that are involved with any OTA connectivity, as well as the Consumer Device commands, such as
Passcode Verification over the contact interface.
The vendor submitting a microSD or mobile product with embedded Secure Element must
provide the tester a means to issue APDU commands over the contact interface to the product.
The vendor shall provide a means so that the Visa Test Script Execution Tool is able to establish a
PCSC connection to the product.
Alternatively, the vendor may provide a means so that the Visa Test Script Execution Tool is able
to establish a TCP/IP connection to the product.
Refer to VMPA Test Tool Interface Application Requirements (Book 6) for detailed information.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 42 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Utilizing Test Results between Products
5.4
Vendors that have executed the ASTA may have the opportunity to leverage functional test
reports from previously certified components and products. A product that uses shared test
results may be eligible for reduced testing.
If Visa discovers a defect in a previously certified product, all vendors involved in the sharing
consent to Visa’s communication of all relevant information to each affected vendor and its
customers, including an explanation of the nature of the defect and products at issue.
Shared test results are only permitted under and are subject to the following conditions:
•
All vendors involved in the sharing have signed the appropriate agreements allowing
results to be shared.
•
The components being leveraged have been tested and certified by Visa with no issues.
•
The components being leveraged are not already sharing test results from another
product.
•
A product using shared results will be tied to the original product
•
The new product will receive the same expiration date as the product from which the
results are shared.
•
If for any reason the original product is not renewed, any product sharing testing results
will not be renewed either.
•
If the original product is revoked, then all products sharing testing results will be revoked.
•
If the original product is modified and/or updated, then all products sharing testing
results may require additional testing.
Note:
June 2016
If a product is submitted for full testing it receives an independent certification and its
expiration date is not tied to any other product.
© 2010 - 2016 Visa. All Rights Reserved.
Page 43 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Tested Combinations Policy
5.5
After a handset is found compliant, it is common for the handset OS and/or NFC chip firmware
version to be changed as newer versions are released. In order to reduce the testing
requirements, Visa implemented the concept of tested combinations. Tested combinations
policy is only applicable to handsets.
A tested combination is defined as either:
•
A Handset OS version + NFC Controller Chip Model + NFC Firmware version
•
A Handset OS version + NFC Controller Chip Model + NFC Firmware version + a
compliant eSE component
Note: For the purpose of this policy, a compliant eSE component is defined as a the chip name,
OS name, OS version and the VMPA applet version, package and build.
A change of handset OS version and/or NFC firmware version on a compliant handset will only
require testing if the tested combination has not been evaluated by Visa. Once a handset with a
new combination is found compliant, the product will receive a letter of compliance and be listed
on the Compliant Products List. Additionally, the tested combination will be included on the
Tested Combinations List available on the Visa Technology Partner website.
Handset vendors with a compliant handset may use any tested combination from the Tested
Combinations Lists without having to resubmit the handset for type approval.
Note: Visa issues Letters of Compliance for products, not tested combinations. The Tested
Combinations List is provided solely to inform stakeholders of specific combinations that have
been tested successfully as part of the Visa testing process.
For example:
•
A handset vendor with a currently compliant handset may upgrade its handset OS if the
OS version and NFC controller chip model and NFC firmware version are already listed on
the tested combinations list.
•
A handset vendor with a currently compliant handset may upgrade its handset NFC
firmware version if the OS version and NFC controller chip model and NFC firmware
version are already listed on the tested combinations list.
•
A handset vendor with a currently compliant handset may upgrade its handset OS and
NFC firmware version if the OS version and NFC controller chip model and NFC firmware
version are already listed on the tested combinations list
It is the vendor’s responsibility to verify that the combination is on the tested combinations list,
and the handset functions properly with the selected tested combination.
Vendors that wish to receive a letter of compliance must submit the handset for testing even if
such combination is already included on the tested combinations list as a result of submission by
a different handset vendor.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 44 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Pre-requisite to the policy:
•
Vendor must have a compliant handset
•
The NFC Controller Chip Model must remain the same
The policy applies if the following change is made:
•
Handset OS version and/or
•
NFC Firmware version
The policy does not apply if the following change is made:
•
Change to the hardware, such as the NFC controller chip model
•
Change to the compliant eSE
Note: These changes are subject to the standard testing process.
A flowchart has been provided to assist the vendor to determine if the tested combinations policy
applies:
Handset has a
Compliance
Letter?
Yes
Tested
Combination is
Listed?
Yes
Compliance
Letter Wanted?
No
No
Yes
No
Submit Handset to
Visa Approval
Services
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Handset does not
need to be
Submitted
Page 45 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
6
Compliance Letters
This section describes the process that vendors must follow in order to obtain a Compliance
Letter for a mobile payment product.
Legal Conditions and Restrictions
6.1
Visa’s determination that a product complies with its specifications only applies to products that
are identical to the product tested by one of Visa’s recognized laboratories or by Visa. A product
should not be considered compliant to Visa’s requirements, nor promoted as compliant, if any
aspect of the product is different from the specimen that was tested by a laboratory or by Visa,
even if the product conforms to the basic product description contained in the Compliance Letter.
For example, even though a product contains components, applications or operating systems that
have the same name or model number as those tested by one of Visa’s recognized laboratories or
by Visa, but the product is not identical to the features previously tested by one of Visa’s
recognized laboratories or by Visa, the product should not be considered or promoted as
compliant to Visa’s requirements.
Visa’s Compliance Letter is granted solely in connection with a specific product and to the
submitting vendor. A Compliance Letter may not be assigned, transferred or sublicensed, either
directly or indirectly, by operation of law or otherwise. Only vendors that have received a Visa
Compliance Letter for a mobile payment product may claim that they have a Compliance Letter.
No mobile payment product manufacturer, chip supplier, or other third party may refer to a
product, service or facility as “compliant” or as having a “Compliance Letter”, nor otherwise state
or imply that Visa has, in whole or part, found the product to be compliant to Visa’s requirements
in any aspect of a manufacturer, or supplier, or its products, services or facilities, except to the
extent and subject to the terms and restrictions expressly set forth in a written agreement with
Visa, or in a Compliance Letter provided by Visa Approval Services. All other references to Visa’s
“Compliance Letter” or “compliance” are strictly prohibited by Visa.
When given, Visa’s Compliance Letter is provided by Visa to reflect certain security and
operational characteristics important to Visa’s systems as a whole, but does not, under any
circumstances, include any endorsement or warranty regarding the functionality, quality or
performance of any particular product or service. Visa does not warrant any products or services
provided by third parties. A Compliance Letter does not, under any circumstances, include or
imply any product warranties from Visa, including, without limitation, any implied warranties of
merchantability, fitness for purpose or non-infringement, all of which are expressly disclaimed by
Visa. All rights and remedies regarding products and services that have received a Visa
Compliance Letter shall be provided by the party providing such products or services, and not by
Visa. Unless otherwise agreed in writing by Visa, all property and services contemplated in this
document that Visa provides to any person or entity are provided on an “as-is” basis, “with all
faults” with no warranties whatsoever. Visa specifically disclaims any implied warranties of
merchantability, fitness for purpose or non-infringement.
The issuance of the Compliance Letter is conditioned upon the vendor having executed all
necessary agreements with Visa, including without limitation, all applicable license agreements
with Visa and shall be of no force and effect unless such agreements have been executed prior to
the issuance of the letter.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 46 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Visa performs limited testing to ascertain a product’s compliance with any required specifications
and may perform interoperability testing with other compliant or approved products. Visa’s
limited testing program is not designed to ensure the proper functioning of vendor’s compliant
product in all potential conditions in which it may be used. Visa’s Compliance Letter does not
include or imply any guarantees, assurances or warranties that the compliant product will operate
in all settings or in combination with any other compliant or approved product.
Requesting a Compliance Letter
6.2
Visa will consider issuing a Compliance Letter only for mobile payment products that have
successfully passed testing at a Visa-recognized laboratory and that support Visa’s mobile
payment product requirements.
Approval Services ensures that all agreements, tests, and reviews have taken place at a laboratory
including:
•
All mobile payment products destined for use in Visa mobile payment projects have
passed all testing as identified in this document.
•
All required documentation for the mobile payment products tested at a laboratory must
be completed by the vendor and submitted to Visa for verification.
At the vendor’s request, products that are submitted to Visa to perform cross testing that do not
successfully pass cross testing may be returned to the vendor.
Note – Visa does not issue a Compliance Letter for products with an EMVCo Letter of Approval
that do not require additional testing required by Visa.
Compliant Products List
6.3
In addition to the issuance of the Compliance Letter the mobile product will be listed on either
the public or private Visa Approval Services Mobile Compliant Products List, as chosen by the
vendor. The public list is published on the Visa Technology Partner website.
Changes to Products with a Compliance Letter
6.4
Any derivative products that are changed must have either the name and/or versioning changed
to indicate that it is a different product than what was tested and certified by Visa.
Refer to Appendix B for details.
A combination of two compliant mobile products, e.g. taking a compliant handset and combining
it with a compliant microSD, is not recognized by Visa as “Visa-compliant” unless the actual
combination has been evaluated by Visa.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 47 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
The following flow charts represent the Visa testing requirements for changes made to a product
with a Compliance Letter.
Complete Mobile
Questionnaire
Approval Services
Reviews
Questionnaire and
Determines Testing
Requirements
Testing
Required?
Yes
Vendor Notified of
Testing
Requirements
Vendor Completes
Exhibit A and
Request for
Compliance Forms
Chosen Laboratories
Authorized for
Visa Testing
Laboratories
Perform
Authorized
Testing
Visa Reviews Test
Results
Test Results
Meet Visa’s
Requirements?
No
Failure Notification
Issued
Yes
No
June 2016
Vendor Completes
Mobile
Conformance Form
© 2010 - 2016 Visa. All Rights Reserved.
Compliance Letter
Issued
Page 48 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
7
Lifecycle Management and Renewal of Compliance
Letters
This section describes the requirements and the process of the secure element lifecycle
management policy and the renewing the Compliance Letter for a mobile payment product.
Secure Element Lifecycle Management
7.1
The policy changes referred to in this section apply to products submitted on or after 1 June
2015. All previously compliant products remain subject to the existing secure element renewal
policy.
The revised secure element lifecycle management policy applies to all secure element form
factors including removable1 and embedded secure element products.
Upon compliance of a secure element product, the compliance recognition end date assigned on
the compliance letter will be based on the issue date of the underlying ICCN from EMVCo. The
compliance recognition end date is defined as the ICCN issue date + 7 years. If the secure
element is submitted on a newly certified IC, then the maximum Visa compliance recognition can
approach seven years. For secure elements submitted on older IC’s, the compliance recognition
timeframe will be shorter.
•
Base product submissions may be submitted during the ICCN’s certification period of a
max of 6 years.
•
Derivative product submissions may be submitted prior to the base products compliance
recognition end date.
•
Secure elements whether submitted as a base or derivative product will receive the
compliance recognition end date based of the underlying ICCN.
When the compliance recognition end date of a secure element has been reached, the product
will no longer be recognized as compliant and will be removed from the Visa Approval Services
Mobile Compliant Products List the month following the compliance recognition end date.
1
The secure element lifecycle policy does not apply to a microSD with an internal antenna product
configuration. This product type will fall under the secure element renewal policy.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 49 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
The following figure illustrates the Secure Element Lifecycle Management Policy.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 50 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Secure Element Renewals
7.2
The policy referred to in this section applies to products submitted prior to 1 June 2015.
Secure elements eligible for renewal must meet all of the following criteria:
•
The product complies with Visa’s currently supported versions of specifications and
requirements.
•
The secure element contains a currently supported VMPA applet. Please refer to the
Mobile Specifications and Applets Sunset Plan on the Visa Technology Partner website
(available to licensed users).
•
The product Compliance Letter contains no comments, i.e., any items identified during
testing that are required to be corrected in the next version of the product.
•
The product has successfully completed any additional testing that may be required.
•
The platform Letter of Qualification from GlobalPlatform was not revoked (if qualified by
GlobalPlatform).
•
Secure elements receive an initial three year compliance recognition period and can be
renewed a maximum of three times, at one year extensions for a maximum Visa
compliance recognition of six years.
Additional testing may be required, at three years, for compliance recognition extension if the
testing has changed since the time the product was fully tested.
Secure Elements
3 Years
4 Years
5 Years
6 Years
Handsets & Accessories
1
June 2016
2
3
© 2010 - 2016 Visa. All Rights Reserved.
4
5
6
Page 51 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Mobile Handset and Accessory Renewals
7.3
Mobile handsets and accessories are not eligible for renewal after the initial three year
compliance recognition period expires.
If a vendor wishes to extend the compliance recognition the handset or accessory shall be
submitted as a new product and is subject to the testing requirements at that time.
Secure Element Products – Renewal Process
7.4
When a mobile product is found compliant by Visa, it is assigned a renewal date that is
communicated to the vendor in the Compliance Letter and also appears on the Visa Approval
Services Mobile Compliant Products List.
The renewal date for a mobile product is typically three years from the time the Compliance Letter
is issued, unless noted in the letter.
As a mobile product approaches its renewal date Visa reviews the product details to ensure that it
complies with all of Visa’s current policies and is a product the vendor continues to issue. These
policies apply to all compliant products and their derivatives.
When a mobile product is approaching its renewal date and it is eligible for renewal (see Sections
7.2), the vendor should contact Approval Services and ask for a Request for Renewal Form to
complete.
In completing and signing the form, the vendor confirms that no changes have been made to the
compliant product and the vendor wishes to continue to sell the product.
Once the vendor has confirmed that no changes have been made to the product, and Visa
confirms that the product meets Visa’s current policies, the product is assigned a new renewal
date and will continue to be listed on the Visa Approval Services Mobile Compliant Products List.
When a mobile product is approaching its renewal date the product may be required to go
through additional testing if the testing has changed since the product was fully tested. If testing
is required, Approval Services will contact the vendor to advise what additional testing is required
before the product can be considered for renewal. If a product successfully completes the
required testing it will be renewed and the new renewal date will be reflected on the Visa
Approval Services Mobile Compliant Products List.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 52 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
The following flow chart represents the renewal process.
General Conditions and Exceptions
7.5
Visa will notify the vendor if its product does not meet the renewal criteria.
It is the vendor’s responsibility to track renewal dates for its compliant products and take actions
as appropriate.
The product will be removed from the relevant Visa Approval Services Mobile Compliant Products
List the month following the renewal date.
Renewals are linked to the conditions contained in the Compliance Letter sent to the vendor
when the product was initially found compliant. If problems are identified with the product after
receiving a Compliance Letter (or extension if a renewal is granted), Visa reserves the right to
revoke compliance or extensions at any time.
If a vendor seeks an extension of compliance for a product that no longer meets Visa’s current
policy, the vendor must contact their local Visa regional representative.
Visa reserves the right to amend this policy without prior notice. The effective date of any such
change will be communicated to vendors.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 53 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
A
Appendix A
A.1
Revision History
Version
4.1
Date
May 2015
5.1
October 2015
5.2
December 2015
5.3
February 2016
5.4
June 2016
June 2016
Added HCE testing information:
Section 2, Section 5, Appendix B, Appendix C
Updated Section 4.2
Updated Section 4.8
Updated Appendix B
Updated Appendix B: Added base product testing requirements and updated derivatives
testing requirements
Minor editorial updates
Section 7.2 Updated
Updated Appendix B: Updated testing requirements based on Visa Chip Bulletin 13 4th edition
and implementation of the second phase of EMVCo Mobile Product Level 1 Type Approval
Testing.
Minor editorial updates.
© 2010 - 2016 Visa. All Rights Reserved.
Page 54 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
B
Appendix B
B.1
Testing Requirements for Changes to a Compliant Mobile
Product
B.1.1
Appendix Structure
This appendix lists the testing requirements for base mobile products and changes to a compliant
mobile product. The products have been grouped by handsets, secure elements and mobile
accessories.
If a vendor wants to make a change that is not listed, contact ApprovalServices@visa.com to
determine which process may be utilized.
B.1.2
Renewal Dates
If a product is a change to or sharing test results from a base product, then all renewal dates will
be based on the dates for the base product.
B.1.3
Limits to Change Process
A change to ROM of the approved product’s secure element is considered a new submission and
testing is required. The security lab must provide an Impact Assessment Letter (IAL) to Approval
Services defining the scope of the security evaluation.
Vendors that have received a Compliance Letter from Visa identifying issues in the specification
deviation / comments sections may not use this process to make changes to a product. Vendors
must correct the issue(s) identified in the Compliance Letter before submitting the next version of
the product for testing.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 55 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
B.1.4
Paper Process Only
No functional or security testing is required.
Samples must be provided to Approval Services.
Following forms must be completed, signed and provided to Approval Services:
B.1.5
•
Request for Compliance for Mobile
•
Exhibit A
•
Mobile Vendor Confirmation Form or the EMVCo Mobile Product Level 1 Minor Change
Declaration form
Definitions and Acronyms
•
CCPS – EMVCo Contactless Communication Protocol Specification.
•
CCPS Antenna – The antenna in the mobile product which facilitates the (EMV) contactless
proximity communication for Visa payment transaction.
•
OTA Antenna - The antenna in the mobile product which facilitates the contactless
communication over MNO network.
•
Regression testing – A subset of testing.
•
Delta testing – A delta test is the difference between the testing performed for the original
product versus a newer test plan
•
IAL – Impact Assessment Letter
•
Embedded Secure Element (eSE) – The secure element embedded in the mobile product
where the VMPA applet resides.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 56 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
B.2
Testing Requirements
B.2.1
Handsets
Visa recognizes EMVCo’s mobile product level 1 type approval process, specifically the issuance of a Test
Assessment Summary (TAS) for contactless level 1 testing or a Letter of Approval (LoA). Visa requires that
all supported execution environments have a Test Assessment Summary or Letter of Approval, if available,
from EMVCo.
This table is only a guideline and additional testing may be required depending on the test results.
Product submissions that are comprised of a handset with another component, such as an embedded
secure element or a mobile accessory, are subject to the aggregated testing requirements for each
component making up the product being submitted. Therefore a handset with an embedded secure
element shall be subject to the testing requirements for both the handset and the embedded secure
element component.
Base Product Testing Requirements - Handsets
#
Base Product
Configuration
1
Handset with
Embedded Secure
Element
2
Handset only
supporting SWP UICC
EMVCo
Contactless
Level 1
Cross
Testing
EMVCo TAS
Full or
or LoA
EMVCo LoA
EMVCo TAS
Full
VMPA
Notes
Handset does not support HCE or UICC.
Transaction
See Secure Elements – Base product Testing
Requirements for the eSE component.
Handset does not support HCE or eSE.
None
Handset does not have an EMVCo LoA.
EMVCo TAS
3
4
Handset only
supporting HCE
Handset supporting
more than one
execution
environment
June 2016
Or Full
analogue, Full
digital
EMVCo LoA or
EMVCo TAS
(includes HCE)
or EMVCo TAS
and full digital
for HCE
Handset does not support a UICC or eSE.
Full
None
Handset does not have an EMVCo LoA.
Full
and
selective testing
for HCE, or
EMVCo LoA
Secure Element can be embedded or UICC.
Transaction if
eSE, else
none.
© 2010 - 2016 Visa. All Rights Reserved.
Handset supports HCE.
If eSE see section B.2.2 for the additional
requirements for eSE component.
Page 57 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Derivative Testing Requirements - Handsets
Multiple changes will result in the aggregation of each applicable test requirement for the changes.
Card emulation is defined as any level 1 PICC parameters defined in EMVCo Contactless Communication
Protocol Specification - Book D, or any settings that include, but not limited to, NFC controller clock
settings, or proximity payment antenna performance (NFC).
Product submissions comprising of a handset and another component, such as an eSE or a mobile
accessory, are subject to the aggregated testing requirements for each component making up the
product and all changes being made to those components.
#
1
Derivation
Handset Software
Change
EMVCo
Contactless
Level 1
EMVCo TAS or
LoA
Cross
Testing
Regression or
EMVCo LoA
VMPA
Transaction
Compliance
Letter
Yes
Notes
Card emulation affected or major OS
version change. Impact to digital
functionality only.
See also Tested Combinations.
2
3
Handset Software
Change
EMVCo TAS or
LoA
Handset Software
Change
EMVCo Minor
Change
Declaration
Form
Full or EMVCo
LoA
Card emulation affected or major OS
version change. Impact to analogue and
digital functionality.
Transaction
Yes
This derivation is treated as a base
product.
Card emulation not affected or not a
major OS version change.
None
None
No
See also Tested Combinations.
Handset does not have an EMVCo LoA.
Card emulation affected.
4
NFC Controller
Firmware Change
EMVCo TAS
Full
None
Yes
Handset does not have an EMVCo LoA.
See also Tested Combinations.
5
NFC Controller
Firmware Change
EMVCo Minor
Change
Declaration
Form (first
presentment
only)
None
Card emulation not affected.
Same vendor, identical NFC controller.
None
No
Handset does not have an EMVCo LoA.
Additional presentments of #4.
6
NFC Controller
Hardware Change
EMVCo TAS or
LoA
Full or EMVCo
LoA
Transaction
Yes
See also Tested Combinations.
7
NFC Controller
Driver Updates
EMVCo TAS
Full
None
Yes
Handset does not have an EMVCo LoA.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 58 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
#
Derivation
EMVCo
Contactless
Level 1
8
Different Base
Bands Supported
(with hardware
changes)
EMVCo TAS
Regression
None
Yes
9
Different Base
Bands Supported
(without hardware
changes)
EMVCo Minor
Change
Declaration
Form
None
None
No
Different Proximity
Payment Antenna
Manufacturer or
Antenna
Manufacturing Site
EMVCo TAS
Full
10
Cross
Testing
VMPA
Compliance
Letter
Notes
Handset does not have an EMVCo LoA.
Handset does not have an EMVCo LoA.
Only software changes.
None
Yes
Antenna materials and design are
unchanged.
Handset does not have an EMVCo LoA.
Antenna materials and design are
unchanged.
11
Different Proximity
Payment Antenna
Manufacturer or
Antenna
Manufacturing Site
12
Proximity Payment
Antenna Changes
(materials or
design)
EMVCo TAS
13
Change of
Proximity Payment
Antenna Location
EMVCo TAS
Full
None
Yes
Handset does not have an EMVCo LoA.
14
Change to the
Proximity Payment
Antenna Optimal
Functional Position
EMVCo TAS
Regression
None
Yes
Handset does not have an EMVCo LoA.
EMVCo TAS
Regression
None
Yes
Proximity payment antenna not in
battery.
Handset does not have an EMVCo LoA.
None
None
Full
None
None
Yes
Yes
Driving electronics are identical to
original antenna and no change of
tuning.
Handset does not have an EMVCo LoA.
Change of Battery
15
Additional presentments of #10 for the
same handset model, with the
assumption that the first presentment
receives a letter of compliance.
(materials or size)
Handset does not have an EMVCo LoA.
Proximity payment antenna in battery.
Change of Battery
EMVCo TAS
16
Full
None
Yes
(materials or size)
June 2016
Handset does not have an EMVCo LoA.
This derivation is treated as a base
product.
© 2010 - 2016 Visa. All Rights Reserved.
Page 59 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
#
Derivation
Change of Battery
(adding charging
17 method capability wireless transfer
pack)
EMVCo
Contactless
Level 1
19
VMPA
Compliance
Letter
Notes
Only applicable to the first submission in
product family.
EMVCo TAS
Full
None
Yes
Handset does not have an EMVCo LoA.
This derivation is treated as a base
product.
Change of Battery EMVCo Minor
(different capacity
Change
18
with no impact to
Declaration
Form
battery dimensions)
Handset Casing
Changes
Cross
Testing
EMVCo TAS
None
Regression
None
None
No
Handset does not have an EMVCo LoA.
Yes
Casing materials, thickness, or paint (with
metallic composition) changed.
Handset does not have an EMVCo LoA.
Only shape of casing has changed.
20
Handset Casing
Changes
None
None
None
No
Casing materials, thickness, and paint
remain the same.
Handset does not have an EMVCo LoA.
Handset does not have an EMVCo LoA.
21
Contactless Level1
Specification
Version
22
Change of
Execution
EMVCo TAS or
Environment (UICC
LoA
to eSE)
23
24
Change of
Execution
Environment (eSE
to UICC)
Change of
Execution
Environment
(addition of HCE)
EMVCo TAS
EMVCo TAS
Full
None
Yes
This derivation is treated as a base
product.
Embedded secure element component
has received a compliance letter.
Regression or
EMVCo LoA
Transaction
Regression
None
Yes
VMPA applet is identical to eSE
component submission.
Yes
Handset is not submitted in combination
with UICC.
Handset does not have an EMVCo LoA.
Handset is already compliant for SE
transactions.
EMVCo TAS or
Full Digital
(HCE)
Handset does not have an EMVCo LoA.
Full
None
Yes
Requirements subject to change based
on OS version.
(Applies to removable or eSE’s.)
25
Change of
Execution
Environment
(addition of SE)
June 2016
Handset is already compliant for HCE.
EMVCo TAS
Full
None
Yes
Handset does not have an EMVCo LoA
This derivation is treated as a base
product.
© 2010 - 2016 Visa. All Rights Reserved.
Page 60 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
B.2.2
Secure Elements
This table is only a guideline and additional testing may be required depending on the test results.
Base Product Testing Requirements – Secure Elements
#
Base Product
Configuration
1
UICC
2
Embedded Secure
Element
Component
3
MicroSD (with
Internal Antenna)
EMVCo
Contactless
Level 1
None
None
Cross
Testing
Full
None
VMPA
Full
Full
GP
LOQ
Yes
Yes
EMVCo
PCN
Yes
Yes
Visa
Security
Testing
IAL
Full
Full
Yes
Yes
IAL
IAL
Security testing may be
required dependent on
the Impact Assessment
Letter (IAL).
IAL
Security testing may be
required dependent on
the Impact Assessment
Letter (IAL).
EMVCo TAS
Full digital
4
MicroSD (without
Internal Antenna)
OR
Full
Full
Yes
EMVCo TAS
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Yes
Security testing may be
required dependent on
the Impact Assessment
Letter (IAL).
Security testing may be
required dependent on
the Impact Assessment
Letter (IAL).
Full analogue
Full digital
OR
Notes
Page 61 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Derivative Testing Requirements – Secure Elements
EMV
Product
Cross
# Configuration Derivation Contactless Testing
VMPA
Visa
GP EMVCo
Security
LoQ PCN
Testing
None
No
Level 1
1
All
Replacing
VMPA
UICC14
Applet with
VMPA
UICC17
Applet
None
None
All
All
Addition of
new
applications
(OTA or
preissuance)
None
None
All
Change to
CDR/CREL/
PPSE
parameters
(e.g. change
Type A SAK
from 28 to
20)
None
Full
5
All
Different
EEPROM or
Flash
memory
size
None
None
None
6
microSD with
Internal
Proximity
Payment
Antenna
NFC
Controller
Firmware
Change
None
None
3
4
June 2016
None
Notes
Yes
Same applet version and
build date.
Same applet package,
e.g. VMPA 1.4.1 UICC14
to VMPA 1.4.3 UICC14.
Updating
VMPA
applet to a
higher
specificatio
n version
2
No
Compliance
Letter
None
None
Delta
No
No
IAL
Yes
Security testing may be
required in addition to
the Impact Assessment
Letter (IAL) from the
security testing
laboratory.
No
No
None
No
New application(s) must
comply with latest
Platform Security
Guidance Documents.
Transaction No
No
None
No
Same PCN and ROM
mask.
No
No
None
No
No
No
None
Yes
None
Full digital
OR
EMVCo TAS
© 2010 - 2016 Visa. All Rights Reserved.
Page 62 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
EMV
Product
Cross
# Configuration Derivation Contactless Testing
VMPA
Visa
GP EMVCo
Security
LoQ PCN
Testing
None
No
Level 1
7
Different
Full
Proximity
analogue,
microSD with
Payment
regression
Antenna
Internal
digital
Proximity
Manufactur
Payment
er or
OR
Antenna
Antenna
Manufacturi EMVCo TAS
ng Site
8
microSD with
Internal
Proximity
Payment
Antenna
9
All
June 2016
Proximity
Payment
Antenna
Changes
(materials
or design)
Security
patch
Full
analogue,
regression
digital
Full
Full
None
No
No
No
None
None
Compliance
Letter
Notes
Yes
Antenna materials and
design are unchanged.
Yes
Driving electronics are
identical to original
antenna and no change
of tuning.
Yes
Security testing may be
required dependent on
the Impact Assessment
Letter (IAL).
OR
EMVCo TAS
TBD
TBD
TBD
TBD
Yes
© 2010 - 2016 Visa. All Rights Reserved.
IAL
Page 63 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
B.2.3
Mobile Accessories
Visa recognizes EMVCo’s mobile product level 1 type approval process, specifically the issuance of a Test
Assessment Summary (TAS) for contactless level 1 testing. Visa requires that all supported execution
environments have a Test Assessment Summary if available from EMVCo.
This table is only a guideline and additional testing may be required depending on the test results.
Product submissions that are comprised of an accessory with another component, such as an embedded
secure element, are subject to the aggregated testing requirements for each component making up the
product being submitted. Therefore an accessory with an embedded secure element shall be subject to
the testing requirements for both the accessory and the embedded secure element component.
Base Product Testing Requirements – Mobile Accessories
#
1
2
Accessory
Configuration
Accessory with
internal antenna and
embedded Secure
Element
Accessory with
internal antenna and
removable Secure
Element
June 2016
EMVCo
Contactless
Level 1
Cross
Testing
EMVCo TAS or
Full Analogue
Full Digital
Full
and
Full Digital
(HCE)
EMVCo TAS or
Full Analogue
Full Digital
and
Full Digital
(HCE)
and
VMPA
HCE testing is only applicable if the product
supports it.
Transaction
See section B.2.2 for the requirements for eSE
component.
Selective
(HCE)
Full
and
Notes
HCE testing is only applicable if the product
supports it.
None
Selective
(HCE)
© 2010 - 2016 Visa. All Rights Reserved.
See section B.2.2 for the requirements for
removable secure element.
Page 64 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 65 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
Derivative Testing Requirements – Mobile Accessories
Multiple changes will result in the aggregation of each applicable test requirement for the changes.
Card emulation is defined as any level 1 PICC parameters defined in EMVCo Contactless Communication
Protocol Specification - Book D, or any settings that include, but not limited to, NFC controller clock
settings, or proximity payment antenna performance (NFC).
Product submissions comprising of an accessory and another component, such as an embedded secure
element, are subject to the aggregated testing requirements for each component making up the product
and all changes being made to those components.
#
1
Derivation
Accessory Software
Change
EMVCo
Contactless Cross Testing
Level 1
EMVCo TAS
Regression
VMPA
Transaction
Compliance
Letter
Notes
Yes
Card emulation affected or major
OS version change. Impact to
digital functionality only.
See also Tested Combinations.
2
Accessory Software
Change
EMVCo TAS
Full
Transaction
Yes
Card emulation affected or major
OS version change. Impact to
analogue and digital
functionality.
Treated as a base product.
See also Tested Combinations.
3
4
5
EMVCo Minor
Change
Declaration
Form
None
NFC Controller
Firmware Change
EMVCo TAS
Full
NFC Controller
Firmware Change
EMVCo Minor
Change
Declaration
Form (first
presentment
only)
None
Accessory Software
Change
None
No
See also Tested Combinations.
Card emulation affected.
None
Yes
See also Tested Combinations.
Card emulation not affected.
None
Yes
Same vendor, identical NFC
controller.
Additional presentments of #4.
6
NFC Controller
Hardware Change
EMVCo TAS
Full
Transaction
Yes
7
NFC Controller Driver
Updates
EMVCo TAS
Full
None
Yes
8
Different Proximity
Payment Antenna
Manufacturer or
Antenna
Manufacturing Site
EMVCo TAS
Full
None
Yes
June 2016
Card emulation not affected or
not a major OS version change.
© 2010 - 2016 Visa. All Rights Reserved.
See also Tested Combinations.
Antenna materials and design are
unchanged.
Page 66 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
EMVCo
Contactless Cross Testing
Level 1
VMPA
Compliance
Letter
Full
None
Yes
EMVCo TAS
Full
None
Yes
EMVCo TAS
Regression
None
Yes
EMVCo TAS
Regression
None
Yes
#
Derivation
9
Proximity Payment
Antenna Changes
(materials or design)
EMVCo TAS
10
Change of Proximity
Payment Antenna
Location
11
Change to the
Proximity Payment
Antenna Optimal
Functional Position
Change of Battery
12
(materials or size)
Change of Battery
13
EMVCo TAS
Full
None
Yes
(materials or size)
14
15
Change of Battery EMVCo Minor
(different capacity
Change
with no impact to
Declaration
Form
battery dimensions)
17
18
Accessory Casing
Changes
Accessory Casing
Changes
Contactless Level1
Specification
Version
June 2016
Driving electronics are identical
to original antenna and no
change of tuning.
Proximity payment antenna not
in battery.
Proximity payment antenna in
battery.
Treated as a base product.
Change of Battery
(adding charging
method capability wireless transfer
pack)
16
Notes
EMVCo TAS
EMVCo TAS
Full
None
Yes
None
None
No
Regression
None
Yes
Only applicable to the first
submission.
Casing materials, thickness, or
paint (with metallic composition)
changed.
Only shape of casing has
changed.
None
None
None
No
Casing materials, thickness, and
paint remain the same.
EMVCo TAS
Full
TBD
© 2010 - 2016 Visa. All Rights Reserved.
Yes
Treated as a base product.
Page 67 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
C
Appendix C
C.1
Submission Requirements
The vendor is required to provide the items listed below for Visa functional testing.
For GlobalPlatform testing submission requirements refer to the GlobalPlatform site.
For EMVCo testing submission requirements refer to the EMVCo site.
Note: Visa reserves the right to conduct additional testing on any products that have gone
through the testing and compliance process. The number of samples stated is the minimum
required. Additional samples may be required or provided upon request.
C.1.1
UICC
Test Description
Labs
Number of Samples
Required for Testing
Personalization Profile
GlobalPlatform Testing
External Lab
Refer to
GlobalPlatform
Refer to GlobalPlatform
VMPA Testing
External Lab
1 Handset
6 UICCs with Mobile00
12 UICCs
2 UICCs with Mobile30
VTKPM Testing
4 UICCs with Mobile35
The type (A, B and A&B) is not important for
this test, so is left to vendor discretion
Cross Testing
Visa Lab
2 Handsets
15 UICCs Type A&B with Mobile00
15 UICCs
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 68 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
C.1.2
Embedded Secure Element Component (Without a Handset)
Test Description
Labs
Number of Samples
Required for Testing
Personalization Profile
GlobalPlatform Testing
External Lab
Refer to
GlobalPlatform
Refer to GlobalPlatform
VMPA Testing
External Lab
10 Secure Elements (as
a Dual Interface ID1 or
UICC)
Not Applicable
To test the Embedded Secure Element in contactless mode, it will be necessary to supply a form factor
that permits Contactless Level 1 communication with the Secure Element and compatible with the test
tools through a Test Tool Interface Application.
Note: An Embedded Secure Element shall be submitted as either a dual interface ID1 card or as a UICC
form factor. See Section 2.
C.1.3
Handset-Only
Test Description
Labs
Contactless Level 1
Testing:
External Lab
Number of Samples
Required for Testing
Personalization Profile
1 SWP Handset
3 UICCs Type A with Mobile00
6 UICCs
AND
Analog
3 UICCs Type B with Mobile00
Digital
Cross Testing
Visa Lab
2 Handsets
6 UICCs Type A&B with Mobile00
6 UICCs
C.1.4
Handset (HCE Only)
Test Description
Labs
Number of Samples
Required for Testing
Personalization Profile
Contactless Level 1
Testing:
External Lab
2 Handset
See L1 Test Application Package
Visa Lab
2 Handsets
Ability to load test applet
Analog
Digital
Cross Testing
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 69 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
C.1.5
Path
Handset (Secure Element and HCE)
Test Description
Labs
Number of Samples
Required for Testing
Personalization Profile
Contactless Level 1 Testing:
External Lab
1 SWP Handset
3 UICCs Type A with
Mobile00
SE PATH
Analog
6 UICCs
AND
Digital
3 UICCs Type B with
Mobile00
Cross Testing
Contactless Level 1 Testing:
HCE PATH
6 UICCs
6 UICCs Type A&B with
Mobile00
External Lab
1 SWP Handset
(Configured for HCE)
See L1 Test Application
Package
Visa Lab
1 Handsets
Ability to load test applet
Visa Lab
Digital
Cross Testing
C.1.6
1 Handset
Handset with a Compliant Embedded Secure Element
Test Description
Labs
Number of Samples
Required for Testing
Personalization Profile
Contactless Level 1
Testing:
External Lab
1 Handset
Mobile00
VMPA Testing
External Lab
1 Handset with TTIA
Not Applicable
Cross Testing
Visa Lab
2 Handsets with TTIA
Mobile00
Analog
Digital
The embedded secure element must meet the test requirements for initialization for testing (e.g.
OP_Ready State/Secure State, test keys, ISD AID, etc.) as identified in the test preparation documentation
provided to vendors who have licensed the Visa specifications and software.
Handset vendors who have not licensed the Visa specifications and software would consult with the
embedded secure element provider on stalling VMPA and personalization and a completed VMPA ICS
form.
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 70 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
C.1.7
microSD with an Internal Antenna
Test Description
Labs
Number of Samples
Required for Testing
Personalization Profile
Contactless Level 1
Testing:
External Lab
1 Handset
3 microSDs Type A with Mobile00
6 microSDs
AND
Analog
3 microSDs Type B with Mobile00
Digital
GlobalPlatform Testing
External Lab
Refer to GlobalPlatform
Refer to GlobalPlatform
VMPA Testing
External Lab
1 Handset with TTIA
6 microSDs with Mobile00
8 microSDs
2 microSDs with Mobile30
The type (A, B and A&B) is not important
for this test, so is left to vendor discretion.
Cross Testing
Visa Lab
2 Handset
15 microSDs Type A&B with Mobile00.
15 microSDs
C.1.8
microSD (No Antenna)
Test Description
Labs
Number of Samples
Required for Testing
Personalization Profile
EMV Contactless Level 1
Testing:
External Lab
1 Handset
3 microSDs Type A with Mobile00
6 microSDs
AND
1 Handset sleeve with
microSD slot and built-in
antenna. (If applicable)
3 microSDs Type B with Mobile00.
Digital
GlobalPlatform Testing
External Lab
Refer to GlobalPlatform
Refer to GlobalPlatform
VMPA Testing
External Lab
1 Handset with TTIA
6 microSDs with Mobile00
8 microSDs
2 microSDs with Mobile30
1 Handset sleeve with
microSD slot and built-in
antenna. (If applicable)
The type (A, B and A&B) is not important
for this test, so is left to vendor discretion.
2 Handsets
15 microSDs Type A&B with Mobile00.
Cross Testing
Visa Lab
15 microSDs
2Handset sleeves with
microSD slot and built-in
antenna. (If applicable)
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 71 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
C.1.9
microSD with Handset (Antenna within the Handset)
Test Description
Labs
Number of Samples
Required for Testing
Personalization Profile
Contactless Level 1 Testing:
External Lab
1 Handset
6 microSDs
3 microSDs Type A with Mobile00
Analog
AND
3 microSDs Type B with Mobile00
Digital
GlobalPlatform Testing
External Lab
Refer to GlobalPlatform
Refer to GlobalPlatform
VMPA Testing
External Lab
1 Handset with TTIA
8 microSDs
6 microSDs with Mobile00
2 microSDs with Mobile30
The type (A, B and A&B) is not important
for this test, so is left to vendor discretion.
Cross Testing
Visa Lab
2 Handsets
15 microSDs
15 microSDs Type A&B with Mobile00.
C.1.10
Mobile Accessory with embedded Secure Element (Antenna within the
Mobile Accessory)
Test Description
Labs
Number of Samples
Required for Testing
Personalization Profile
Contactless Level 1 Testing:
External Lab
2 Handsets
2 Accessories
1 Accessory Type A with Mobile00
AND
1 Accessory Type B with Mobile00
GlobalPlatform Testing
External Lab
Refer to GlobalPlatform
Refer to GlobalPlatform
VMPA Testing
External Lab
1 Handset with TTIA
2 Accessories
VMPA is pre-installed and personalized
with Mobile00 on one accessory, and
Mobile30 on the other.
The type (A, B and A &B) is not important
for this test, so is left to vendor discretion.
Cross Testing
Visa Lab
2 Handsets
2 Accessories
2 Accessories Type A&B with Mobile00.
Analog
Digital
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 72 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
C.1.11
Mobile Accessory with Removable Secure Element (Antenna within the
Mobile Accessory)
Test Description
Labs
Number of Samples
Required for Testing
Personalization Profile
Contactless Level 1 Testing:
External Lab
1 Handset
1 Accessory
6 microSDs
3 microSDs Type A with Mobile00
AND
3 microSDs Type B with Mobile00
GlobalPlatform Testing
External Lab
Refer to GlobalPlatform
Refer to GlobalPlatform
VMPA Testing
External Lab
1 Handset with TTIA
1 Accessory
8 microSDs
6 microSDs with Mobile00
2 microSDs with Mobile30
The type (A, B and A&B) is not important
for this test, so is left to vendor discretion.
Cross Testing
Visa Lab
2 Handsets
2 Accessories
15 microSDs
15 microSDs Type A&B with Mobile00.
Analog
Digital
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 73 of 74Page
Visa Mobile Proximity Payment Testing & Compliance Requirements for Mobile Products
End of Document
June 2016
© 2010 - 2016 Visa. All Rights Reserved.
Page 74 of 74Page