Professional Documents
Culture Documents
Major and Minor Change Definitions: Type Approval Bulletin No. 11 Sixth Edition February 2014
Major and Minor Change Definitions: Type Approval Bulletin No. 11 Sixth Edition February 2014
11
Sixth Edition February 2014
Changes to an approved IFM or Kernel will be considered major or minor in nature based upon
the impact to the approved component. When a change to an approved component is considered
major, the new component is no longer linked to the original approval and requires the vendor to
submit the new component for Type Approval testing to receive EMVCo approval. If a change to
an approved component is considered minor, there is no retesting required by EMVCo. However,
it should be noted that EMVCo does not issue approval letters to these derivative IFM’s or
Kernels. It is the vendor’s responsibility to manage all linkage, documentation or test results to the
new IFM or Kernel to show this is a derivative of the original approval.
As vendors are intimately familiar with their developed components (IFM or Kernel), it is ultimately
the vendor’s responsibility to make the determination whether a change to their approved IFM or
Kernel is major or minor. However, if the vendor is unsure of the severity of the change, they may
submit details of the change to EMVCo via email to request EMVCo's opinion. This request
should include a full description of the change being made by the vendor in order for EMVCo to
make a timely assessment.
Page 1
Minor changes to the IFM
Please note that the above examples of minor changes may or may not qualify as a minor
change. This will depend on the nature of the change and the impact to the IFM.
Application Kernel
Since the application kernel is software related, changes can be made that directly involve the
interface with the application kernel. Such changes might include parameter settings of the
kernel, or to the operating system itself. These changes can rate major or minor depending on the
software architecture of the kernel. This list below provides some examples of application kernel
changes; please note this list is not meant to be exhaustive. As stated above, it is the vendor’s
responsibility to determine if the change to the application kernel is major or minor. However,
anything that significantly impacts or affects the functionality of the application kernel must be
considered a major change.
Page 2
Examples of minor changes
Update to operating system (see below)
Modification of Terminal Country Code
Update to Application Version Number
Modification of Terminal Currency Code
Adding, removing, or changing Manual Key Entry functionality
Adding, removing, or changing Magnetic Stripe Reader (For Application Contact Kernel only)
Replacing the IFM with another approved module
Adding, removing, or changing Card Capture features
Adding, removing, or changing the following Transaction Types: Inquiry, Transfer, Payment,
Administrative
Any modification to the Terminal Data Input Capabilities (Numeric Keys, Alphabetic and
Special Character Keys, Command Keys, Function Keys)
Adding, removing, or changing Printer or Display hardware
Modification to previously loaded Issuer Code Table Indexes
Adding or changing terminal multi-language support
Modification to the POS Entry Mode
Contactless Product
All major and minor changes described above in the present document are applicable for
Contactless Product. Additional changes related to Contactless Product specifically exist as per
the below examples :
Terminal Type
Changes to terminal type may, or may not, qualify as major change. This depends on the nature
of the change:
Page 3
Cardholder controlled to Financial Institution controlled, assuming the original
Cardholder implementation supported Terminal Risk Management and a Magnetic
Stripe Reader interface.
Cardholder controlled to attended, assuming the original Cardholder implementation
prompted for amount entry when Amount, Authorized is not available following a
PDOL request, supported Terminal Risk Management and a Magnetic Stripe Reader
interface.
Operating Systems
Changes to an application kernel’s operating system may, or may not, qualify as a major change.
This depends on the nature of the change.
Application kernels may reside on commercially available operating systems, such as Windows
XP, NT, or Linux. In this type of environment there are two basic changes that can occur.
1. Updating an existing operating system. An example of this would be the NT operating system
updating from service pack 4 to service pack 5. A commercial operating system update is
generally considered a minor change. However, it is the vendor’s responsibility to ensure
such a change does not significantly impact the interface or functionality or the application
kernel. If the application kernel is significantly impacted this would be considered a major
change.
2. Porting from one commercially available operating system to another. For example, porting
an application kernel from Windows 98 to Windows XP, porting from Linux to Windows NT, or
from a proprietary operating system to a commercial operating system are all major changes,
and the application kernel would require new Type Approval to maintain EMVCo approval.
Finally, an application kernel may reside on a proprietary operating system. As EMVCo has no
familiarity with these proprietary operating systems it is the vendor’s responsibility to determine
whether changes are major or minor in nature. However, should any change to a proprietary
operating system significantly impact the interface or functionality of the kernel it is considered a
major change. In addition, porting from one proprietary operating system to another is also
considered a major change.
Page 4
requiring any of the modifications categorized as major for each component, then the process of
combining the components could be considered a minor change.
PIN Pads
Changes to an approved device may also impact the PIN Pad itself. These changes follow our
major and minor procedures as outlined above, if the change significantly impacts kernel or IFM
functionality the change would be classed as major. If the change does not significantly impact
the kernel or IFM the change would be classed as minor.
The EMV kernel typically falls into one of four basic categories, in regards to Terminals utilizing
PIN Pads. The following possibilities may exist:
The kernel exists entirely within the Terminal/POS device and the attached PIN Pad does
not contain the IFM but serves only for the purposes of PIN entry. In this scenario the PIN
Pad is terminal dependent, simply passing PIN related data but providing no kernel
functionality.
In this environment changes to the PIN Pad are considered minor as none of the EMV
kernel functionality exists in the PIN Pad. However, changes to the PIN Pad in this
environment may impact the IFM itself, as described above.
The kernel exists entirely within the Terminal/POS device and the attached PIN Pad only
contains the IFM. In this scenario the PIN Pad is terminal dependent, simply passing PIN
related data but providing no kernel functionality.
In this environment changes to the PIN Pad are considered minor as none of the EMV
kernel functionality exists in the PIN Pad. Changes to the PIN Pad in this environment
may impact the IFM itself, as described above.
The kernel is split between the Terminal/POS device and the PIN Pad. In this scenario,
core functions of the kernel, such as Data Authentication or CVM Processing, is
processed by the PIN Pad while all other kernel functionality is performed by the
Terminal/POS.
In this environment, it is important to note that both portions of the kernel within the
Terminal/POS and PIN Pad make up the entire kernel and are approved as a single
kernel. If the vendor makes changes to, or replaces either, it would be considered a
major change. Changes to the PIN Pad that effect the IFM fall under the rules outlined
above for major or minor consideration.
The kernel exists entirely within the PIN Pad and may be attached to a Terminal/POS
device. In this scenario, the Terminal/POS provides a point of input for the PIN Pad to
complete the transaction, such as the amount entry or IC contacts. Otherwise, the PIN
Pad performs all EMV kernel functionality.
In this environment, changes to the PIN Pad that effect the EMV Level 2 kernel may be
considered major based the rules outlined above. Changes to the Terminal/POS would
generally be considered minor, as none of the EMV Level 2 functionality exists within the
Terminal/POS. Changes to the PIN Pad that effect the IFM fall under the rules outlined
above for major or minor consideration.
Page 5
The following level 2 ICS outline provides an example of the level of impact when applying
changes to an approved kernel. However, these definitions are examples only. It is the
vendor's responsibility to determine the level of impact for any change. Some changes listed
below as minor may in fact be major changes, based on a specific implementation.
CVM Capability
O Plaintext PIN for ICC Verification
O Enciphered PIN for online Verification
O Signature (paper)
Major
O Enciphered PIN for offline Verification
O No CVM required
Security Capability
C Static Data Authentication
(Mandatory for offline capable terminals and
Major
terminals supporting DDA)
O Dynamic Data Authentication
O Card Capture minor
O Combined Dynamic Data Major
Authentication/Application Cryptogram
Generation
Page 6
Additional Terminal Capabilities Minor/Major
change
Transaction Type Capability
At least one of the following transaction types
must be supported:
O Cash
O Goods
Major
O Services
O Cash Back
O Inquiry
O Transfer
O Payment minor
O Administrative
O Cash Deposit
Page 7
O Code Table 1 were: Major
Page 8
Cardholder Verification Method Minor/Major
change
O Terminal support bypass PIN Entry
O Terminal Support Get Data for PIN Try Counter
Major
M Terminal Support Fail CVM
O Are amounts known before CVM processing?
Page 9
Terminal Risk Management Minor/Major
change
C Floor limit checking
(Mandatory for offline only terminals and
offline terminals with online capability)
C Random Transaction Selection
(Mandatory for terminals with offline/online
capabilities) Major
C Velocity Checking
(Mandatory for offline only terminals and offline
terminals with online capability)
O Transaction Log
O Exception File
O Performance of Terminal Risk Management
minor
based on AIP setting?
Page 10
O Does the terminal supports Online Data Capture
O Does the terminal support a Default TDOL
Miscellaneous Minor/Major
change
O Is the terminal equipped with a PIN Pad?
O Are the amount and PIN entered at the same
keypad?
O Is the ICC/Magstripe Reader combined?
minor
O If ICC/Magstripe Reader combined is
supported, is Magstripe read first?
O Does the terminal support account type
selection?
Page 11