A Current Guide to EMV Testing and Certification
As EMVCo celebrates its 25th anniversary, it is important for the entire payment industry to acknowledge the organization’s success in reducing counterfeit and card-present fraud across the globe.
Visa statistics indicate that during the first three years of the EMV roll-out in the USA - from September 2015 to December 2018 - merchants who upgraded to support the chip cards saw their counterfeit fraud dollars reduced by 76%.
And EMV continues to move from success to success. Statistics on the EMVCo website reveal that by the end of 2023, there were nearly 14 billion EMV Chip cards in circulation, more than 70% of globally issued cards were EMV-enabled, and almost 95% of card-present transactions used their chip technology.
Now in our post-COVID world, EMV contactless payments are dominating the retail marketplace. Forbes Magazine reports that many global markets have hit a 90+% contactless adoption rate, with places like Singapore (97%), Australia (95%), and the UK (93.4%) leading the charge. The US is not far behind, with nearly 90% of consumers now using contactless payments.
So, What Actually is EMV?
Originally formed by EuroPay, Mastercard, and Visa back in 1999, EMVCo is now collectively owned by American Express, Discover, JCB, Mastercard, UnionPay, and Visa. EMVCo's mission is to “facilitate worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related testing processes”.
The EMVCo website describes the current role of the organization as follows:
“EMVCo manages and evolves EMV Specifications and supporting programs that enable card-based payment products to work together seamlessly and securely worldwide.
EMVCo seeks to facilitate a payments infrastructure that is standardized in terms of security and interoperability, EMVCo plays an important role in bringing together stakeholder interests among payments industry participants.
EMVCo, however, does not establish obligations, requirements, or recommendations for the implementation of its specifications. EMVCo does not mandate or enforce EMV compliance or the implementation policies for issuers, merchants, and acquirers, which are handled by payment networks independently outside of EMVCo.”
EMV Certification Required
Even though EMVCo “does not mandate or enforce EMV compliance”, it has established specific certification levels that are typically required or mandated by the card brands and payment networks.
The EMVCo Knowledge Hub defines the three Certification levels as follows:
EMV Level 1 testing evaluates the terminal chip reader for compliance with the mechanical and electrical protocols in the EMV Chip Specifications, which covers the transfer of data between the terminal and the card, smartphone, watch, or other device for making card-based payments.
EMV L2 testing evaluates the ‘EMV Level 2 kernel’, which is the software inside the terminal that performs EMV processing, for compliance with the EMV Chip Specifications.
EMV Level 3 testing ensures the conformity of merchant terminals to payment systems policies and procedures. The payment systems require that chip terminals that have been configured for deployment are Level 3 tested before being integrated into their payment acceptance environments.
What Testing is Required for EMV Certification?
As we have discussed previously in this blog, payment certification is critically important for card brands, networks, and processors. In order to maintain the safety and security of the overall payment system, these organizations are on the front lines to make sure that all payment messages are correctly formatted and processed.
In the case of EMV chip transactions, that means ensuring that all of the complex cryptography associated with EMV security is processed accurately.
Unfortunately, the EMV certification processes can be complicated, time-consuming, and resource-intensive. It is not unusual for organizations to spend many months and significant man-hours to achieve a single certification. For organizations working with many device types (including ATMs), brands, and networks, this constant cycle of analysis, testing, and certification has become increasingly burdensome and expensive.
Common EMV Certification Challenges
Check out this comprehensive list of challenges as highlighted by EMV consultancy company EazyPay Tech on their website:
- Complex Test Requirements: One of the primary challenges is the complexity of the test requirements. Each card scheme (Visa, MasterCard, American Express, etc.) has its own set of testing protocols that need to be validated. These test plans are comprehensive and differ depending on the acquirer’s specifications. Ensuring that all test scenarios are covered and validated can be a significant hurdle, especially when integrating multiple card schemes.
- Multiple Stakeholder Coordination: EMV L3 certification involves collaboration with numerous stakeholders, including payment networks, acquirers, testing laboratories, and terminal manufacturers. Each party has its own set of expectations and timelines, making it difficult to coordinate smoothly. Misalignment or delays in communication between stakeholders can slow down the entire process.
- Prolonged Testing Cycles: The L3 certification process involves multiple rounds of testing for different card schemes, with each one having specific protocols and transaction types to test. This results in long testing cycles, especially if failures are encountered and retesting is required. These prolonged cycles can push back the launch of a payment solution.
- Varied Acquirer Requirements: Every acquirer may have slightly different transaction processing rules, and these variations add complexity to the testing process. Terminal configurations that work for one acquirer may not work for another, requiring separate test cases and adjustments. This customization increases both the time and effort needed for certification.
- Device Compatibility: Ensuring that the payment terminal is compatible with different devices—whether hardware or software—can be tricky. Many payment solutions operate in multi-device environments, which means that L3 certification must ensure interoperability across all devices, adding another layer of complexity to the process.
- Transaction Flow Validation: EMV L3 certification requires a thorough validation of transaction flows between the terminal and the acquirer. Every transaction type (purchase, refund, void, etc.) must be tested and validated to ensure it adheres to the specific rules of the card schemes and the acquirer. Missing or incorrectly implemented transaction flows can cause certification delays.
- Error Handling: Error handling is a crucial part of the certification process. The terminal must be tested for its ability to handle errors, such as transaction declines, communication breakdowns, and network issues. Comprehensive testing is necessary to ensure that the terminal can gracefully handle errors without compromising the user experience or data security.
- Security Protocol Compliance: Data security is a top priority in payment systems, and L3 certification demands strict adherence to security protocols, such as data encryption and tokenization. These security protocols must be rigorously tested to ensure compliance with EMV standards and to prevent vulnerabilities, adding additional complexity to the process.
- Communication Protocol Testing: Payment terminals often use different communication protocols (such as NAC or TCP/IP) to interact with the acquirer’s host system. Each communication protocol needs to be tested to ensure it works reliably under all conditions. Testing multiple communication types can significantly complicate the certification process.
- Time-Consuming Documentation: The L3 certification process requires detailed documentation for each test case and the corresponding results. This documentation needs to meet the acquirer’s and payment network’s exacting standards. Preparing, maintaining, and submitting this documentation can be a time-consuming process that requires great attention to detail.
- Cost Implications: The costs involved in achieving L3 certification can be substantial. Failed tests can result in additional development time, retesting, and lab fees. As the certification process can take months, these delays and additional rounds of testing can accumulate significant costs.
- Acquirer-Specific Configurations: Each acquirer has specific configuration requirements, such as transaction types, settlement processes, and network protocols. Configuring the terminal to meet the specifications of each acquirer can be challenging, especially if multiple acquirers or regions are involved.
- Terminal Software Updates: Payment terminals often receive software or firmware updates, which may require portions of the L3 certification process to be repeated. Each update can potentially introduce new issues or incompatibilities, necessitating retesting and increasing the overall certification time.
- Interoperability Issues: Interoperability between different card schemes, payment terminals, and acquirers is critical for certification. Interoperability issues can emerge during testing, leading to certification delays, especially when different card schemes or terminal configurations conflict with each other.
- Test Lab Backlogs: Accredited test laboratories, which are essential for L3 certification, can often experience backlogs due to high demand. Scheduling delays at these labs can further prolong the certification timeline, making it difficult to meet project deadlines.
Modern Tools are Required for Successful and Efficient EMV Testing and Certification
There can be no doubt that the certification process plays a significant role in protecting the retail payment industry for all stakeholders, including the consumer. However, responding to and addressing the many challenges associated with the EMV certification processes requires focus commitment, modern testing tools, and the right partners.
Paragon Application Systems has been supporting and sometimes leading the payment industry for more than 30 years, with a team that has significant experience with EMV. Our Web FASTest and VirtualATM solutions include full EMV contact and contactless testing capabilities, including issuer scripting, as well as ARQC and ARPC processing.
EMV cards can be easily created, copied, modified, imported, and exported. Users get full access to EMV tag data and can calculate cryptograms with built-in encryption logic. Processing traces provide complete details of all the unique EMV processing that takes place on each message. Individual message fields can be edited down to the bit level, either setting specific values or assigning dynamic values using built-in processors.
Additionally, Web FASTest has the flexibility to support EMV processing for issuers, acquirers, payment networks, processors, and merchants. Specifically, the simulator can be used to initiate EMV messages as if it is an acquiring network or respond to chip card messages 24x7x365 by behaving like an issuer host.
Tools like Web FASTest and VirtualATM provide payment industry participants with the capabilities to simulate and test EMV transactions in exacting detail – while at the same time improving their overall payment testing capabilities by delivering a number of benefits, including:
- Improved quality and accuracy
- Increased staff collaboration and efficiency
- Reduced cost and complexity
- Shorter regression and release cycles
- Faster time to market for new products and services
Are you interested in finding out more about how Paragon Web FASTest can help support your EMV testing and certification efforts? To learn more, please reach out today and request a consultation with one of our payment industry specialists.
Stay in the Know!
Check out our newsletter and stay up to date about the latest trends.
Subscribe now!
Related posts
There are no related posts