EMVCo is truly a payment industry success story. Since its incorporation in 1999, the consortium of industry leaders has seen its technology adopted by card issuers, acquirers, and merchants across the globe to include more than 14 billion credit and debit cards and millions of point-of-sale (POS) acceptance locations.
The net effect has been a significant reduction in card-present fraud, up to 90% in some markets.
According to the EMVCo website, EMV transactions are more secure than traditional mag stripe processing because their “chip technology uses advanced cryptography to generate a one-time security code (cryptogram) for each transaction that allows the card issuer and merchant point-of-sale terminal to authenticate the card. The security code is unique to each transaction and cannot be reused, which helps prevent counterfeit, lost, and stolen fraud.”
While they don’t actually process any transactions directly, the EMVCo website further explains that the various specifications that they manage and maintain “provide a blueprint for chip technology (both contact and contactless) to work consistently anywhere in the world to deliver the same result – secure, seamless and reliable in-store payments.”
It Takes a Village
Even as we congratulate EMVCo on all they have accomplished over the past 25 years, we must also recognize that the journey has not always been easy and, even today, significant effort is required for any organization that wants or needs to support the EMV standards.
Supporting EMVCo’s advanced cryptography requires engagement and close cooperation from a broad range of industry participants, including card manufacturers, device vendors, and software providers, as well as all of the networks, processors, and merchant or bank systems that touch EMV messages in flight.
In order to ensure that consumer transactions are processed securely and consistently across the globe, EMVCo has published thousands of pages of specifications (i.e., Books) that detail how all of the various components of an EMV contact or contactless payment must behave and interact.
In addition to all of this documentation, EMVCo has also developed and oversees a rigorous testing and certification process that helps all industry participants stay current with the various specifications as they evolve, while also maintaining visibility on how other partners and peers are keeping pace.
EMV Testing Levels: Breaking Down Levels 1, 2 and 3
Here is how EMVCo defines the first two testing levels that apply primarily to device and terminal manufacturers:
- Level 1 testing evaluates the terminal chip reader for compliance with the mechanical and electrical protocols in the EMV Chip Specifications, which covers the transfer of data between the terminal and the card, smartphone, watch, or other device for making card-based payments.
- EMV L2 testing evaluates the ‘EMV Level 2 kernel’, which is the software inside the terminal (also known as firmware) that performs EMV processing, for compliance with the EMV Chip Specifications. This includes tests to confirm that the software supports the EMV payment application functions.
The final integration test, Level 3, is different and is defined as follows:
- Level 3 testing ensures the conformity of merchant terminals to payment systems policies and procedures. The payment systems require that chip terminals that have been configured for deployment are Level 3 tested before being integrated into their payment acceptance environments.
This means the chip terminal must be complete with its EMVCo-approved hardware (L1) and software kernel and payment application (L2) in place and must be configured with the right application before being connected to a test environment or host simulator, which mimics authorization responses from payment systems.
L3 testing evaluates and confirms that an EMV-compliant payment acceptance terminal will work with merchant or bank systems to enable end-to-end transaction acceptance. The testing helps ensure that a new or upgraded terminal (hardware and/or software) meets the specific requirements and recommendations of the individual payment systems before it is brought to market.
EMV Testing and Certification Challenges
Unfortunately, these processes are not as easy as 1, 2, 3. EMV testing, certification, and recertification can be expensive, time-consuming, and frustrating. Some of the challenges include:
- The core EMVCo specifications are voluminous and subject to change as market conditions, such as consumer behavior, technology, and security threats, continue to evolve.
- Regional variations in the EMV standards can further complicate testing and certification for organizations that operate across geographic boundaries.
- All of the participating card brands have their own unique set of testing policies and procedures.
- Many individual components, e.g., cards, terminals, applications, and authorization systems, must all work together correctly to satisfy EMV compliance requirements. Getting all these pieces to line up properly can be expensive and time-consuming.
- Normal changes in business requirements, such as product innovations or new security protocols may require recertification, setting up a continuous cycle of testing and retesting.
- There are limited resources available who have knowledge and experience working with the EMVCo standards and the complex processes related to testing and certification.
Simplify EMV Testing With Modern Tools
After 25 years, it has become increasingly clear that supporting the EMV standards can, and does, provide a number of benefits across the payment industry. The enhanced security provided by EMV cryptography has significantly reduced the incidence of card-present fraud across the globe.
However, adoption and continued support of the EMVCo standards does carry significant overhead that must be factored into the overall value proposition.
Payment industry participants should invest in modern tools and relationships that can help minimize the time, effort, and cost associated with EMV testing and certification.
In the next edition of this blog, we will dig deeper into the capabilities of our Web FASTest platform and look at how this innovative solution can help improve the speed, accuracy, and efficiency of your testing for both EMV contact and contactless processing.
Interested in learning more about improving your EMV testing and certification processes? Get in touch with our team today. We’d love to help.