Type Approval Bulletin No.

11
Sixth Edition February 2014

Major and Minor Change Definitions

Note: the 6th edition:

 Changes the wording Merchant Controlled by Attended
 Adds a section for additional change for Contactless Product

Changes to an approved IFM or Kernel will be considered major or minor in nature based upon
the impact to the approved component. When a change to an approved component is considered
major, the new component is no longer linked to the original approval and requires the vendor to
submit the new component for Type Approval testing to receive EMVCo approval. If a change to
an approved component is considered minor, there is no retesting required by EMVCo. However,
it should be noted that EMVCo does not issue approval letters to these derivative IFM’s or
Kernels. It is the vendor’s responsibility to manage all linkage, documentation or test results to the
new IFM or Kernel to show this is a derivative of the original approval.

As vendors are intimately familiar with their developed components (IFM or Kernel), it is ultimately
the vendor’s responsibility to make the determination whether a change to their approved IFM or
Kernel is major or minor. However, if the vendor is unsure of the severity of the change, they may
submit details of the change to EMVCo via email to request EMVCo's opinion. This request
should include a full description of the change being made by the vendor in order for EMVCo to
make a timely assessment.

Interface Modules (IFM)

Most changes to an IFM are classed as major changes. The list below provides some examples
of IFM changes; please note this list is not meant to be exhaustive. As stated above, it is the
vendor’s responsibility to determine if the change to the IFM is major or minor. However, anything
that significantly impacts or affects the functionality of the IFM must be considered a major
change.

Examples of major changes

Change of firmware
Change of contacts
Change of clock crystals
Change of PCB layout

Examples of minor changes

Change of connector
Change of transistor
Change of capacitor/resistor

This document contains proprietary and confidential information of EMVCo LLC.

Copyright © EMVCo LLC 2013

Page 1
Minor changes to the IFM
Please note that the above examples of minor changes may or may not qualify as a minor
change. This will depend on the nature of the change and the impact to the IFM.

Application Kernel
Since the application kernel is software related, changes can be made that directly involve the
interface with the application kernel. Such changes might include parameter settings of the
kernel, or to the operating system itself. These changes can rate major or minor depending on the
software architecture of the kernel. This list below provides some examples of application kernel
changes; please note this list is not meant to be exhaustive. As stated above, it is the vendor’s
responsibility to determine if the change to the application kernel is major or minor. However,
anything that significantly impacts or affects the functionality of the application kernel must be
considered a major change.

Examples of major changes

Change of operating system (see below)
Any change to the CVM Capability (Plaintext PIN for ICC Verification, Enciphered PIN for
online Verification, Signature {paper}, Enciphered PIN for offline Verification, No CVM
required)
Any modification to the Data Authentication capabilities (SDA, DDA, CDA)
Adding, removing, or changing the following Transaction Types: Cash, Goods, Services,
Cashback, Purchase, Refund, Purchase with Cashback, Cash Advance
Loading new, or removing all, Issuer Code Table Indexes
Adding or removing PSE, Cardholder Confirmation, or Preferred Order of Display
Any modification to the methods used Issuer Public Key revocation
Adding or removing default DDOL
Any change to the Cardholder Verification methods (Bypass PIN Entry, Get Data for PIN Try
Counter, Fail CVM, Amount known before CVM processing)
Adding or removing Terminal Risk Management functions (Floor Limit Checking, Random
Transaction Selection, Velocity Checking, Transaction Log, Exception File)
Adding or removing Terminal Action Code support
Modifying the timing (before or after first Generate AC) for Default Action Codes
Adding, removing, or changing Completion Processing (Forced Online, Forced Acceptance,
Support Advices, Referral Support, Batch Data Capture, Online Data Capture, Default TDOL)
Recompiling the application kernel

This document contains proprietary and confidential information of EMVCo LLC.

Copyright © EMVCo LLC 2013

Page 2
Examples of minor changes
Update to operating system (see below)
Modification of Terminal Country Code
Update to Application Version Number
Modification of Terminal Currency Code
Adding, removing, or changing Manual Key Entry functionality
Adding, removing, or changing Magnetic Stripe Reader (For Application Contact Kernel only)
Replacing the IFM with another approved module
Adding, removing, or changing Card Capture features
Adding, removing, or changing the following Transaction Types: Inquiry, Transfer, Payment,
Administrative
Any modification to the Terminal Data Input Capabilities (Numeric Keys, Alphabetic and
Special Character Keys, Command Keys, Function Keys)
Adding, removing, or changing Printer or Display hardware
Modification to previously loaded Issuer Code Table Indexes
Adding or changing terminal multi-language support
Modification to the POS Entry Mode

A sample level 2 implementation conformance statement is provided below, illustrating those

options that relate to major or minor changes.

Contactless Product
All major and minor changes described above in the present document are applicable for
Contactless Product. Additional changes related to Contactless Product specifically exist as per
the below examples :

Examples of additional major changes specfic for Contactless Product

Terminal Capabilities change
Addition or removal of functions (Pre processing , CVM, …)
For C-3 only:
Adding or removing Magnetic Stripe Reader

Terminal Type

Changes to terminal type may, or may not, qualify as major change. This depends on the nature
of the change:

1. Change of operational control (financial institution, merchant, or cardholder) with no other

changes may be considered minor, if the terminal type value is a parameter and falling within
one of these combinations:
Financial Institution controlled to attended, assuming the original Financial Institution
implementation prompted for amount entry when Amount, Authorized is not available
following a PDOL request.
Financial Institution controlled to Cardholder controlled, assuming Terminal Risk
Management remains supported and no change to the Magnetic Stripe Reader
interface.
Attended to Financial Institution controlled, assuming the original Merchant
implementation prompt for amount entry when Amount, Authorized is not available
following a PDOL request remains supported.
Attended to Cardholder controlled, assuming Terminal Risk Management remains
supported and no change to the Magnetic Stripe Reader interface.

This document contains proprietary and confidential information of EMVCo LLC.

Copyright © EMVCo LLC 2013

Page 3
 Cardholder controlled to Financial Institution controlled, assuming the original
Cardholder implementation supported Terminal Risk Management and a Magnetic
Stripe Reader interface.
Cardholder controlled to attended, assuming the original Cardholder implementation
prompted for amount entry when Amount, Authorized is not available following a
PDOL request, supported Terminal Risk Management and a Magnetic Stripe Reader
interface.

2. Change of environment (attended or unattended) is always considered as a major change.

3. Change of capabilities (offline or online) is always considered as a major change.

Note: That when supporting Terminal Type '12', '22', '15', or '25' (offline with online capability),
setting the Terminal Floor Limit to zero and the corresponding TAC-Online bit to 1 shall not
be considered identical to Terminal Type '11', 21, '14', or '24' (online only).

4. By default, all other terminal type changes shall be considered as major.

Operating Systems
Changes to an application kernel’s operating system may, or may not, qualify as a major change.
This depends on the nature of the change.

Application kernels may reside on commercially available operating systems, such as Windows
XP, NT, or Linux. In this type of environment there are two basic changes that can occur.

1. Updating an existing operating system. An example of this would be the NT operating system
updating from service pack 4 to service pack 5. A commercial operating system update is
generally considered a minor change. However, it is the vendor’s responsibility to ensure
such a change does not significantly impact the interface or functionality or the application
kernel. If the application kernel is significantly impacted this would be considered a major
change.

2. Porting from one commercially available operating system to another. For example, porting
an application kernel from Windows 98 to Windows XP, porting from Linux to Windows NT, or
from a proprietary operating system to a commercial operating system are all major changes,
and the application kernel would require new Type Approval to maintain EMVCo approval.

Finally, an application kernel may reside on a proprietary operating system. As EMVCo has no
familiarity with these proprietary operating systems it is the vendor’s responsibility to determine
whether changes are major or minor in nature. However, should any change to a proprietary
operating system significantly impact the interface or functionality of the kernel it is considered a
major change. In addition, porting from one proprietary operating system to another is also
considered a major change.

Combining of Approved IFMs and Application Kernels

IFMs and Application Kernels are approved as independent functional components, it may be
considered a minor change to combine previously approved components that may never have
been used in combination before -- including components that may have been developed
according to different versions of the EMV specification. For example, it is possible use an EMV
3.1.1-compliant IFM in conjunction with an EMV 4.0-compliant application kernel provided that the
combining of components did not require additional modifications that could negatively impact the
functionality of either component. If an IFM and application kernel can be combined without

This document contains proprietary and confidential information of EMVCo LLC.

Copyright © EMVCo LLC 2013

Page 4
requiring any of the modifications categorized as major for each component, then the process of
combining the components could be considered a minor change.

PIN Pads
Changes to an approved device may also impact the PIN Pad itself. These changes follow our
major and minor procedures as outlined above, if the change significantly impacts kernel or IFM
functionality the change would be classed as major. If the change does not significantly impact
the kernel or IFM the change would be classed as minor.

The EMV kernel typically falls into one of four basic categories, in regards to Terminals utilizing
PIN Pads. The following possibilities may exist:

The kernel exists entirely within the Terminal/POS device and the attached PIN Pad does
not contain the IFM but serves only for the purposes of PIN entry. In this scenario the PIN
Pad is terminal dependent, simply passing PIN related data but providing no kernel
functionality.

In this environment changes to the PIN Pad are considered minor as none of the EMV
kernel functionality exists in the PIN Pad. However, changes to the PIN Pad in this
environment may impact the IFM itself, as described above.

The kernel exists entirely within the Terminal/POS device and the attached PIN Pad only
contains the IFM. In this scenario the PIN Pad is terminal dependent, simply passing PIN
related data but providing no kernel functionality.

In this environment changes to the PIN Pad are considered minor as none of the EMV
kernel functionality exists in the PIN Pad. Changes to the PIN Pad in this environment
may impact the IFM itself, as described above.

The kernel is split between the Terminal/POS device and the PIN Pad. In this scenario,
core functions of the kernel, such as Data Authentication or CVM Processing, is
processed by the PIN Pad while all other kernel functionality is performed by the
Terminal/POS.

In this environment, it is important to note that both portions of the kernel within the
Terminal/POS and PIN Pad make up the entire kernel and are approved as a single
kernel. If the vendor makes changes to, or replaces either, it would be considered a
major change. Changes to the PIN Pad that effect the IFM fall under the rules outlined
above for major or minor consideration.

The kernel exists entirely within the PIN Pad and may be attached to a Terminal/POS
device. In this scenario, the Terminal/POS provides a point of input for the PIN Pad to
complete the transaction, such as the amount entry or IC contacts. Otherwise, the PIN
Pad performs all EMV kernel functionality.

In this environment, changes to the PIN Pad that effect the EMV Level 2 kernel may be
considered major based the rules outlined above. Changes to the Terminal/POS would
generally be considered minor, as none of the EMV Level 2 functionality exists within the
Terminal/POS. Changes to the PIN Pad that effect the IFM fall under the rules outlined
above for major or minor consideration.

This document contains proprietary and confidential information of EMVCo LLC.

Copyright © EMVCo LLC 2013

Page 5
 The following level 2 ICS outline provides an example of the level of impact when applying
changes to an approved kernel. However, these definitions are examples only. It is the
vendor's responsibility to determine the level of impact for any change. Some changes listed
below as minor may in fact be major changes, based on a specific implementation.

Part V - Terminal Details

Terminal Capabilities Minor/Major

change
Card Data Input Capability
O Manual Key Entry
minor
O Magnetic Stripe
M IC with Contacts

CVM Capability
O Plaintext PIN for ICC Verification
O Enciphered PIN for online Verification
O Signature (paper)
Major
O Enciphered PIN for offline Verification

O No CVM required

Security Capability
C Static Data Authentication
(Mandatory for offline capable terminals and
Major
terminals supporting DDA)
O Dynamic Data Authentication
O Card Capture minor
O Combined Dynamic Data Major
Authentication/Application Cryptogram
Generation

This document contains proprietary and confidential information of EMVCo LLC.

Copyright © EMVCo LLC 2013

Page 6
 Additional Terminal Capabilities Minor/Major
change
Transaction Type Capability
At least one of the following transaction types
must be supported:
O Cash
O Goods
Major
O Services
O Cash Back
O Inquiry
O Transfer
O Payment minor
O Administrative
O Cash Deposit

Terminal Data Input Capability

Does terminal have a keypad?
(If keypad is supported the terminal shall support
one or more of the following key types:)
C Numeric Keys
C Alphabetic and Special Character Keys
minor
C Command Keys
C Function Keys

Terminal Data Output Capability

C Print, Attendant
(Mandatory for terminals supporting signature)
O Print, Cardholder
minor
C Display, Attendant
(Mandatory for Attended terminals)
O Display, Cardholder
O Code Table 10
If value of
O Code Table 9 supported table
O Code Table 8 changed: minor
O Code Table 7
O Code Table 6 If removing all the
O Code Table 5 supported tables
O Code Table 4 or indicating one
O Code Table 3 as supported when
O previously none
Code Table 2

This document contains proprietary and confidential information of EMVCo LLC.

Copyright © EMVCo LLC 2013

Page 7
O Code Table 1 were: Major

Application Selection Minor/Major

change
O Support PSE selection Method
O Support Cardholder Confirmation
O Does Terminal have a preferred order of
displaying applications Major

List the correct order if applicable.

M Does terminal perform partial AID

O Does the terminal have multi language support
minor
And if so, what are the languages supported?

M Does the terminal support the Common Character

Set as defined in Annex B Table 20 Book 4

Data Authentication Minor/Major

change
C What is the maximum supported Certificate
Authority Public Key Size
(Mandatory for terminals supporting Data
Authentication with minimal expected support for
248 bytes)
C What exponents does the terminal support
(Mandatory for terminals supporting Data
Authentication ie. 3 and 2 16 + 1)
O During data authentication does the terminal
check validity for revocation of Issuer Public Key
Certificate
C Does the terminal contain a default DDOL
(Mandatory for terminals supporting DDA)
O Is operator action required when loading of CA
Major
Public Key fails?
O Is CA Public Key verified with CA Public Key
Check Sum? If no, provide a description of the
method used to validate the CA Public Key when
loaded in the Comments and Explanations
Section.

This document contains proprietary and confidential information of EMVCo LLC.

Copyright © EMVCo LLC 2013

Page 8
 Cardholder Verification Method Minor/Major
change
O Terminal support bypass PIN Entry
O Terminal Support Get Data for PIN Try Counter
Major
M Terminal Support Fail CVM
O Are amounts known before CVM processing?

This document contains proprietary and confidential information of EMVCo LLC.

Copyright © EMVCo LLC 2013

Page 9
 Terminal Risk Management Minor/Major
change
C Floor limit checking
(Mandatory for offline only terminals and
offline terminals with online capability)
C Random Transaction Selection
(Mandatory for terminals with offline/online
capabilities) Major
C Velocity Checking
(Mandatory for offline only terminals and offline
terminals with online capability)
O Transaction Log
O Exception File
O Performance of Terminal Risk Management
minor
based on AIP setting?

Terminal Action Analysis Minor/Major

change
O Does the terminal support the Terminal Action
Codes
Offline Only terminals shall support one of the
following:
Major
O Does Offline Only Terminal process Default
Action Codes prior to First Generate AC
O Does Offline Only Terminal process Default
Action Codes after First Generate AC

Completion Processing Minor/Major

change
O Transaction Forced Online Capability
O Transaction Forced Acceptance Capability
O Does terminal Support Advices
C Does the terminal support Issuer initiated Voice
Referrals? Major
C Does the terminal support Card initiated Voice
Referrals?
C Does the terminal support Batch Data Capture
(Mandatory for Offline Capable Terminals)

This document contains proprietary and confidential information of EMVCo LLC.

Copyright © EMVCo LLC 2013

Page 10
O Does the terminal supports Online Data Capture
O Does the terminal support a Default TDOL

Exception Handling Minor/Major

change
C What is the POS Entry Mode value when IC
cannot be read and the transaction falls back
minor
using magstripe
(Mandatory for attended terminals)

Miscellaneous Minor/Major
change
O Is the terminal equipped with a PIN Pad?
O Are the amount and PIN entered at the same
keypad?
O Is the ICC/Magstripe Reader combined?
minor
O If ICC/Magstripe Reader combined is
supported, is Magstripe read first?
O Does the terminal support account type
selection?

This document contains proprietary and confidential information of EMVCo LLC.

Copyright © EMVCo LLC 2013

Page 11