Professional Documents
Culture Documents
EMVCo White Paper On Contactless Mobile Payment 20110921111857912
EMVCo White Paper On Contactless Mobile Payment 20110921111857912
EMVCo White Paper On Contactless Mobile Payment 20110921111857912
Version 2.0
September 2011
EMV is a registered trademark in the U.S. and other countries and an unregistered
trademark elsewhere. The EMV trademark is owned by EMVCo.
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications
(Materials) shall be permitted only pursuant to the terms and conditions of the license agreement
between the user and EMVCo found at http://www.emvco.com/specifications.aspx.
EMV
Contactless Mobile Payment
Version 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications
(Materials) shall be permitted only pursuant to the terms and conditions of the license agreement
between the user and EMVCo found at http://www.emvco.com/specifications.aspx.
Contents
1
Executive Summary............................................................................................. 1
References ........................................................................................................... 3
3.1
History........................................................................................................... 5
3.2
3.3
Principles ...................................................................................................... 9
4.2
4.3
4.4
4.5
4.6
4.7
4.8
5.3
5.4
5.5
Looking Forward................................................................................................ 21
Annex A
Annex B
Annex C
Annex D
Glossary ................................................................................................ 35
September 2011
v 2.0
Page iii
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Figures
Figure 1 Simplified Architecture and Areas of Interest ............................................. 8
Figure 2 Simplified Provisioning Architecture ......................................................... 14
Tables
Table 1 Areas Addressed by EMVCo and Other Specification Bodies................... 23
Table 2 Frequently Asked Questions .....................................................................25
Table 3 EMVCo Actions Based on Areas of Work Identified in
Technical Issues and Position Paper ......................................................... 27
Page iv
v 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Executive Summary
In 2007 EMVCo published two white papers. The first paper, The Role and Scope of
EMVCo in Standardising the Mobile Payments Infrastructure (1) identified the mobile
landscape at the time, and outlined the role and scope of EMVCos involvement in
the standardisation of Contactless Mobile Payment within this landscape. This
involvement was structured around two main areas: Technical Development and
Industry Co-ordination. The second paper, the Technical Issues and Position Paper
(2), highlighted a number of technical issues that EMVCo had identified as requiring
solutions in order to enable the wide scale deployment of Contactless Mobile
Payment, and EMVCos planned actions in addressing these issues.
In the four years since EMVCo set out this vision, there has been significant
movement in the industry. EMVCo has published a number of documents, and other
industry bodies have also been active in the standardisation of technologies and
services related to Contactless Mobile Payment.
Toward meeting the goals of providing technical development and industry
co-ordination, EMVCo has published the following technical documents:
This white paper provides an updated view of the Contactless Mobile Payment
landscape, setting out EMVCos current position and detailing how the issues
identified previously have been addressed. It also identifies where EMVCo has
on-going work in Contactless Mobile Payment, and highlights areas in which other
industry bodies are providing input.
September 2011
v 2.0
Page 1
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
1 Executive Summary
Page 2
v 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
References
The following documents are referenced in this white paper. All are available on
www.emvco.com.
1
EMV Mobile Contactless Payment: White Paper: The Role and Scope of
EMVCo in Standardising the Mobile Payments Infrastructure. Version 1.0,
2007.
10
11
12
13
14
September 2011
v 2.0
Page 3
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
2 References
Page 4
v 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
3.1
History
In 2007, after analysis and vetting with its stakeholders, EMVCo decided that its role
in Contactless Mobile Payment standardisation is two-fold. Firstly, with the growth of
the contactless mobile payment sector, there was a need for EMVCo to address and
resolve a number of technical infrastructure issues associated with enabling
contactless payments via mobile phone handsets. This technical development
responsibility was in line with EMVCos traditional role within the payments industry
as a technology standards body. The mobile payment technical focus of EMVCo
would be an adjunct to the organisations work towards the development of
specifications related to contactless payment and the associated common Type
Approval process for cards and terminals.
Secondly, due to the nature and early lifecycle stage of the contactless mobile
payment market there was a need for the payments industry to adopt a collaborative
approach to standardisation. EMVCo would co-ordinate the payments industry
efforts, in standardisation work with other industry groups and market forces in order
that an interoperable contactless mobile payment model for EMV transactions could
be defined and created. EMVCo would provide the common voice of the payments
industry on contactless mobile proximity payment standardisation.
EMVCos role within the standardisation of contactless mobile payment could be
classified under two headings and broken down into a number of key deliverables:
September 2011
v 2.0
Page 5
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Technical Development:
Industry Co-ordination
3.2
In this environment, EMVCo identified the need for common specifications and
common platforms in order to prevent fragmentation, which could in turn become a
barrier to the widespread deployment of Contactless Mobile Payment (CMP). It was
also recognised that mobile devices are not primarily financial instruments. Mobile
devices are primarily communication devices, but are increasingly becoming
multipurpose devices with the advent of location services and the myriad mobile
applications (apps) which are now available. The requirements for CMP are just
one set of requirements which must be balanced with the needs of other application
areas for mobile devices, and it is important for EMVCo to work with the wider mobile
industry in defining specifications and requirements.
Page 6
v 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
It was also clear that the lifecycles of mobile devices are significantly different from
those of payment smart cards. This is the case both in the development timescales
and the time in market. In order for the financial industrys requirements for CMP to
be met by mobile devices it is important that the impact on the mobile device
development lifecycle is minimised. This involved developing pragmatic approaches
to type approval and testing which meet the needs of both the financial and mobile
industries.
In order to identify the areas in which further work was necessary, EMVCo developed
a reference framework for CMP, which has been published in the Contactless Mobile
Payment Architecture Overview (3). That document identified the following areas of
interest in specification work:
Secure Elements
September 2011
v 2.0
Page 7
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Mobile Device
Provisioning and
Personalisation
Wide Area
Modem
Application Environment
User Interface
Application
CMP Application
Lifecycle
Maintenance
Secure Element
CMP
Application
Contactless
Communication Module
Contactless Payment
Terminal
This white paper provides more detail regarding EMVCos position with respect to
each of these areas.
Page 8
v 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
3.3
Principles
Where possible EMVCo will make use of industry specifications rather than
defining new specifications.
EMVCo will seek to make use of industry type approval programmes for
qualification of mobile devices.
September 2011
v 2.0
Page 9
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Page 10
v 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
4.1
The heart of a Contactless Mobile Payment transaction is the CMP application. The
definition of the CMP applications is the role of each of the payment systems.
Likewise CMP application approval, both functional and security, is the responsibility
of the payment systems.
Although EMVCo does not define the CMP application itself, the focus of the EMVCo
work is to define a common environment to enable the use of CMP applications. As
per the architecture in Figure 1 above, CMP applications must reside within a Secure
Element in the mobile device, and this Secure Element may be shared with other
applications both CMP and non-payment applications. The EMV specifications
enable the co-existence of this multiplicity of applications.
4.2
To enable the user to choose the desired application to be used for a CMP
transaction, EMVCo has developed the Application Activation User Interface
specification (5). That specification defines how a user interface may gather
information about the CMP applications present on a device in order to enable the
user to select the application that he or she wishes to use for a transaction.
The specification also covers the method by which the user interface application may
configure the mobile device in order that a contactless POS terminal will initiate a
payment transaction with the users chosen application. The primary means by which
this is done is through the Proximity Payment System Environment (PPSE). While
the location of the PPSE within the mobile device is implementation specific, the
Application Activation User Interface specification includes the specification of the
PPSE application when implemented on a Secure Element.
September 2011
v 2.0
Page 11
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
4.3
Throughout the life of an EMVCo based CMP application there may be a need to
reset application counters and modify parameters within the application. EMVCo
regards this as a CMP application concern, and therefore the responsibility of the
individual payment systems.
4.4
The mobile phone offers a rich platform for interaction between a user and a CMP
application during and surrounding a CMP transaction. Examples of such interactions
include display of branding, transaction information, and entry of a confirmation code
on the mobile device. Use of these features may require additional functionality in
contactless payment terminals, beyond that which is required for acceptance of
contactless cards.
It is important that CMP applications are able to work (possibly with reduced
functionality) on deployed terminals; however, support of the advanced payment
capabilities of CMP requires existing terminals to be updated. From an EMVCo
perspective, the features being added to support CMP (such as application choice)
are backward compatible with deployed contactless payment terminal infrastructure.
In order to provide interoperability between Contactless Mobile Payment and existing
card payment, both contactless payment terminals and mobile devices supporting
CMP are required to implement the Contactless Communication Protocol
Specification (11) which is also applicable to contactless payment cards.
EMV Contactless Specifications for Payment Systems, Books C-n (7) (8) (9) (10)
define the latest terminal specifications which implement any CMP specific features
from each of the payment systems.
The result of this is that EMVCo will not define new type approval processes for
Contactless Payment Terminals supporting CMP but will follow the standard EMVCo
terminal approval procedures.
Page 12
v 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
4.5
Secure Elements
September 2011
v 2.0
Page 13
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
4.6
Issuer
Trusted
Service
Manager
Mobile Device
Secure
Element
Although EMVCo had identified this as a gap where work was needed, there has
been ongoing work within the industry to address this area. For example,
GlobalPlatform is defining a messaging specification for the management of MobileNFC Services, and the Association Franaise du Sans Contact Mobile (AFSCM) has
written an interface specification which has been contributed to GlobalPlatform. As
the industry has been addressing these issues, EMVCo will not define the interface
between an issuing bank and a Trusted Service Manager (TSM).
Likewise EMVCo will not define the interface between the TSM and the mobile
device or Secure Element for provisioning and personalisation. The EMV Card
Personalisation Specification (12) may be used as part of the personalisation
process, but is not required by EMVCo.
The GlobalPlatform specifications define mechanisms for personalisation which are
appropriate to GlobalPlatform based Secure Elements. As Secure Elements may be
shared by multiple CMP applications, the EMV Profiles of GlobalPlatform UICC
Configuration specification (6) defines a standard environment into which CMP
applications can be provisioned which is acceptable to the payment systems which
are EMVCo members. EMVCo does not mandate the use of these profiles, but
Secure Elements which make use of these profiles may be qualified through the
EMVCo Compliance programme.
Page 14
v 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
The Application Activation User Interface specification (5) defines how a Secure
Element Contactless Management system should be configured during
personalisation and provisioning in order to support the co-existence of multiple CMP
applications on one mobile device and in particular the use of the GlobalPlatform
Contactless Registry Service (CRS).
4.7
4.8
Mobile devices support a large number of features, and these vary between devices.
To support a wide scale deployment of CMP across multiple models of devices, it is
helpful if there is a minimum set of core features supported across the board.
In order to provide guidance to the mobile industry about what features are required
for CMP, and also areas in which development work would be helpful, EMVCo has
published Handset Requirements for Contactless Mobile Payment (4). The intent of
that document is to provide the industry with direction around CMP, and unless the
same requirements are identified elsewhere within EMVCo documentation, EMVCo
will not be testing the support of those requirements as part of an approvals
programme.
September 2011
v 2.0
Page 15
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Page 16
v 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Type Approval
EMVCo has for many years offered an extensive type approval programme for
terminals, and since 2007, for chips and CCD/Common Payment Application cards.
In evaluating the role EMVCo should play in type approval for mobile, two particular
areas have been taken into consideration.
1. Mobile industry development cycles: The mobile industry has rapid and time
constrained releases, and it is important that an EMVCo type approval
programme for Contactless Mobile Payment does not negatively impact the
industrys development cycles.
2. Sharing of platforms between issuers and brands: Whereas cards are
typically under the control of a single issuer supporting a single payment
system brand, mobile handsets and Secure Elements may be shared
between multiple issuers and payment brands.
5.2
Mobile Handsets
The mobile industry has a large number of new products being put on the market
each year, and has rapid and time constrained releases. In order to meet the
requirements of the mobile industry, EMVCo will work with other mobile compliance
bodies in order to establish compliance of the Contactless Communication Modules
of mobile devices with the CCPS. EMVCo has a liaison with the NFC Forum which
has recently launched a compliance programme, and is exploring other bodies which
may also be appropriate in this area. The requirements and processes for a form of
EMVCo accreditation in this area are being established.
In the interim a mobile handset may be submitted for Contactless Level 1 evaluation
under the EMVCo Card Testing Framework for Contactless (13).
September 2011
v 2.0
Page 17
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
5 Type Approval
5.3
5.3.1
Secure Elements
Security Evaluation
5.3.2
Functional Evaluation
EMVCo type approval covers functionality defined in the Application Activation User
Interface specification (5). Where a Secure Element implements the mobile PPSE
and/or Secure Element Contactless Management as defined in the Application
Activation User Interface specification, the PPSE and/or Secure Element Contactless
Management implementation may be submitted for EMVCo testing and type approval
In order to issue an EMVCo Letter of Compliance, EMVCo will require both a
successful functional evaluation of the PPSE and/or Secure Element Contactless
Management implementation and a successful security evaluation of the Platform.
EMVCo has a liaison with GlobalPlatform and has developed PPSE and Secure
Element Contactless Management implementation guidelines for GlobalPlatform
based Secure Elements.
EMVCo type approval recognizes the GlobalPlatform Compliance Program. In order
to be recognized by EMVCo as a GlobalPlatform compliant Secure Element, the
Secure Element provider must select a GlobalPlatform Qualified Laboratory that is
also an EMVCo Accredited Laboratory and pass GlobalPlatform testing
requirements. EMVCo will review the GlobalPlatform Letter of Qualification in
conjunction with the test results of the PPSE and/or Secure Element Contactless
Management (GlobalPlatform Contactless Registry Service) implementation and the
Platform security evaluation before issuing an EMVCo Letter of Compliance.
Page 18
v 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
5.4
5 Type Approval
CMP Applications
5.5
Support for Contactless Mobile Payment has been included in the EMVCo terminal
specifications, and will be type approved in the EMVCo Terminal Type Approval
Programme.
September 2011
v 2.0
Page 19
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
5 Type Approval
Page 20
v 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Looking Forward
There has been considerable progress in the area of Contactless Mobile Payment
since EMVCo first began to consider the area. The market has moved from regarding
CMP as a potentially interesting area to a position where CMP is ready for
commercial deployment. The specifications required to deploy interoperable CMP are
in place.
This does not mean that all issues around CMP deployment are fully defined. There
remain many deployment options which are available, and it is not yet clear which of
these options will be most appropriate in various regions around the world. As the
market further matures it is expected that new areas will be identified which need
specifications in order to support continued growth of CMP. EMVCo will continue to
monitor the market, to identify areas where specification work is required, and to
evaluate what role EMVCo should play in developing these specifications.
September 2011
v 2.0
Page 21
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Page 22
v 2.0
6 Looking Forward
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Annex A
Table 1 provides a summary of the areas which EMVCo has addressed in its work, and a non-exhaustive list of other specification
bodies which are also contributing.
Table 1 Areas Addressed by EMVCo and Other Specification Bodies
Component
EMVCo Specifications
EMVCo Approval
CMP Application
CMP Application
Choice
Related
Specification
Bodies
Payment Systems
PPSE
Related Approval
Bodies and Processes
Payment Systems
GlobalPlatform
NFC Forum
ETSI SCP
CMP Application
Lifecycle
Contactless Payment
Terminals
September 2011
Payment Systems
Payment Systems
v 2.0
Page 23
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.
Component
Secure Element
EMVCo Specifications
EMV Profiles of
GlobalPlatform UICC
Configuration (6)
Provisioning and
Personalisation
Contactless
Communication
Modules
EMV Contactless
Communication Protocol
Specification (11)
Mobile Device
Requirements
September 2011
Annex A
EMVCo Approval
Related
Specification
Bodies
GlobalPlatform
GlobalPlatform based
Secure Element functional
testing
Related Approval
Bodies and Processes
GlobalPlatform
Common Criteria
GlobalPlatform
AFSCM
CCPS
NFC Forum
NFC Forum
ETSI SCP
GSMA
v 2.0
Page 24
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.
Annex B
EMVCo does not require a particular type of Secure Element. EMVCo allows for all
different architectural options, e.g. UICC, embedded SE, removable SE.
Terminals which accept Contactless Mobile Payments are covered by the standard EMV
contactless terminal specifications. EMVCo has not defined specific requirements for
terminals supporting CMP.
EMVCo is exploring options for making use of mobile industry compliance programmes
to provide EMVCo accreditation in this area.
EMVCo has a Security Evaluation programme for Secure Elements that covers the
silicon and the operating system.
EMVCo has a functional evaluation programme for implementations of the Application
Activation User Interface specification (5) requirements within Secure Elements.
September 2011
v 2.0
Page 25
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.
Annex B
EMVCo does not specify any policy regarding the number of Secure Elements or how
many should be active at any one time. EMVCos specifications in this area are designed
to have sufficient flexibility to cover all implementations.
EMVCo does not require the use of GlobalPlatform Secure Elements; however, as
GlobalPlatform is a widely deployed standard for Secure Elements, EMVCo has defined
specifications for its use.
As part of the EMVCo type approval programme, EMVCo recognizes the GlobalPlatform
Compliance Program for GlobalPlatform based Secure Elements.
September 2011
EMVCo does not require that payment applications shall operate when the mobile device
is in battery off/battery low state. However, for devices that allow communication with the
Secure Element when the device is switched off, the Application Activation User
Interface specification (5) defines methods for intelligent selection of applications based
on the ability of the application to run without the user interface being available. This
issue is discussed further in the Handset Requirements for Contactless Mobile Payment
(4).
v 2.0
Page 26
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.
Annex C
The EMVCo Technical Issues and Position Paper (2), published in October 2007, identified a number of areas in which EMVCo planned
to undertake work. The actions EMVCo has taken in these areas since the publication of the paper are summarised in Table 3 below.
Table 3 EMVCo Actions Based on Areas of Work Identified in Technical Issues and Position Paper
Identified Area of Work
EMVCo Action
September 2011
v 2.0
Page 27
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.
Actions Taken in Response to Areas Defined in the Technical Issues and Position Paper
EMVCo Action
EMVCo will consider how EMV CPS may be used with secure messaging
protocols such as those of GlobalPlatform and GSM 03.48 in a mobile
environment. If necessary, EMVCo will consider enhancing CPS to provide the
necessary capabilities for the mobile environment, and providing best practice
guidelines as appropriate.
September 2011
v 2.0
Page 28
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.
Actions Taken in Response to Areas Defined in the Technical Issues and Position Paper
EMVCo Action
EMVCo to consider the use of EMV Scripts and EMV CPS in the mobile
environment, in particular for post issuance and post distribution updating of the
payment application and its counters and parameters; additionally, EMVCo to
develop best practice guidelines and User Interface requirements for the
management of post-distribution provisioning mechanisms, such as those offered
by GlobalPlatform. Enhancements to the PPSE will also be considered as
appropriate.
EMVCo to consider best practices guidelines that the methods used to provision
the payment application in a Secure Element also be able to remove the payment
application. In the event that the Secure Element application environment does not
allow for the deletion of the payment application, EMVCo to consider User
Interface requirements and mechanisms to allow for the disablement of the
payment application and the deletion of the payment credentials.
September 2011
v 2.0
Page 29
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.
Actions Taken in Response to Areas Defined in the Technical Issues and Position Paper
EMVCo Action
EMVCo to consider a best practices guideline that the standard processes for
deletion and provisioning and personalisation should be used to transfer the
credentials from one mobile device Secure Element to another mobile device
Secure Element.
EMVCo to consider defining the API between the user interface application and the
payment application.
September 2011
v 2.0
Page 30
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.
Actions Taken in Response to Areas Defined in the Technical Issues and Position Paper
EMVCo Action
September 2011
v 2.0
Page 31
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.
Actions Taken in Response to Areas Defined in the Technical Issues and Position Paper
EMVCo Action
The contactless payment application must have a mechanism to enable the POS
terminal to interact with the chosen payment application. It is expected that the
PPSE mechanism defined by EMVCo should provide this capability. This should
include considerations of enhancing the PPSE as appropriate to support the
mobile payment environment
September 2011
v 2.0
Page 32
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.
Actions Taken in Response to Areas Defined in the Technical Issues and Position Paper
EMVCo Action
The interaction between the mobile device and the POS terminal should not
allow the merchant to override the user preferences, and the behaviour of POS
terminals needs to be defined to respect the user preferences.
Malicious readers seeking to attack the payment application need not follow the
behaviour specified for a POS terminal, so mechanisms to prevent the
activation of non-selected applications should be explored.
The API which the mobile device must send to the contactless payment
application for account selection should be standardised for interoperability
between user interface applications and the payment application.
September 2011
v 2.0
Page 33
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.
Actions Taken in Response to Areas Defined in the Technical Issues and Position Paper
EMVCo Action
September 2011
v 2.0
Page 34
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.
Annex D
Glossary
AAUI
AFSCM
API
Association Franaise du
Sans Contact Mobile (AFSCM)
CCD
CCPS
CMP
Composition Model
September 2011
v 2.0
Page 35
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Annex D Glossary
Contactless Communication
Module
Contactless Payment
Terminal
CRS
EMV
EMV CPS
Page 36
v 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Annex D Glossary
EMVCo
EMVCo Compliance
Certificate
ETSI SCP
GlobalPlatform
GlobalPlatform Composition
Model
September 2011
v 2.0
Page 37
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Annex D Glossary
GlobalPlatform Contactless
Registry Service (CRS)
GlobalPlatform Letter of
Qualification
GlobalPlatform Qualified
Laboratory
GSM 03.48
GSM Association
GSMA
GSM Association
Handset
IC
Integrated Circuit
IC Certificate
Letter of Compliance
Letter of Qualification
Page 38
v 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Annex D Glossary
Mobile Device
NFC
NFC Forum
OTA
Over-the-Air
Over-the-Air (OTA)
Personalising
Platform
Platform Certificate
POS
Point of Sale
September 2011
v 2.0
Page 39
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Annex D Glossary
PPSE
Provisioning
SE
Secure Element
SECM
Secure Element
SIM
Subscriber Identification
Module
Page 40
v 2.0
September 2011
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.
Annex D Glossary
TSM
Type Approval
UICC
September 2011
v 2.0
Page 41
2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.