Frequently Asked Questions (FAQs) Visa Chip Security Program Security Evaluation Testing and Process. Version 1.0


Frequently Asked Questions (FAQs)
Visa Chip Security Program Security Evaluation Testing and Process
Version 1.0
Visa Approval Services
Visa Public, June 2018

DISCLAIMER

Visa's testing services and policies are subject to change at any time in Visa's sole discretion, with or without notice. This document does not create any binding obligations on Visa regarding Visa testing services or product approval. Any such obligations, to the extent they exist at all, are pursuant to separate written agreements between Visa and the party submitting products for testing and approval. In the absence of a fully-executed written agreement under which Visa has agreed to perform testing services for you or your company, you should not rely on this document, nor shall Visa be liable for any such reliance (detrimental or otherwise). This document is provided on an "as is, where is" basis, with all faults known and unknown. To the maximum extent permitted by applicable law, Visa explicitly disclaims all warranties, express or implied, regarding this document, including any implied warranty of merchantability, fitness for a particular purpose and non-infringement. In no event shall Visa, its principals, members, officers, employees, affiliates, contractors, subsidiaries, or parent organization, be liable to you for any special, consequential, incidental, or punitive damages, including, without limitation, any damages for loss of business profits, business interruption, loss of business information, or other monetary loss, whether or not Visa has been advised of the possibility of such damages.

Note: This document is not part of the Visa Rules. In the event of any conflict between any content in this document, any document referenced herein, any exhibit to this document, or any communications concerning this document, and any content in the Visa Rules, the Visa Rules shall govern and control.

Table of Contents

1 General Questions
1.1 Where can I find the Visa Approved Products Lists?
1.2 Where can I find a list of Visa's approved security laboratories?
1.3 Where can I find the most recent Security Testing Process document?
1.4 I have a product submission. Where can I find the Chip Card and Mobile questionnaires?
1.5 I have a new product for submission. Does the product require security testing?
1.6 I have a product that is a derivative of a previously approved product. Does the product require security testing?
1.7 How long does Visa Approval Services take to review an IAL?
1.8 How long does Visa Approval Services take to review a security report?
1.9 My product has gone through security testing. Due to functional issues, some minor changes are made to the product before getting the approval. Does the product require additional security testing?
1.10 I have a product that has one or more security issue(s). What are the required next steps?
1.11 I have a product that requires security testing. None of the EMVCo accredited security laboratories have available time slots. Can I submit the product to a security laboratory that is not EMVCo accredited?
2 PCN and ICCN
2.1 Is a valid ICCN required before submitting a product to Approval Services?
2.2 Is a valid PCN required before submitting a product to Approval Services?
2.3 I have a product with a pending PCN number. Can I submit the product for security testing while waiting for the PCN to be approved?
3 Visa Chip Card and SE Lifecycle Management
3.1 Where can I find the most recent version of the complete Visa Chip Card and SE Lifecycle Management Policy?
3.2 When was the last update to the Visa Chip Card and SE Lifecycle Management Policy?
3.3 How does the current policy differ from the old one?
3.4 What is the impact on the approved chip card and mobile products based on the old policy?
3.5 Will my LOA be valid if the GlobalPlatform certification is not renewed?
3.6 Are there any changes to the testing requirements?
3.7 What is the policy for chip card and mobile products issued with an LOA after 1 January 2016, but using a chip with an ICCN issued before 1 January 2016?
3.8 Will an approval be invalid if an ICCN is not renewed?
3.9 How are derivative products impacted by the Visa Card Lifecycle Management policy?
3.10 What happens if a bug or security flaw is identified after approval?
3.11 I have a new card (mobile) product that uses a chip with an expired ICCN. Can I submit the product for testing?
3.12 What happens if the EMVCo ICCN validity period changes?
3.13 What are the card vendor's responsibilities to ensure Issuers comply with the current policy? What are the Issuers' responsibilities?
3.14 How does the new policy affect Chip Bulletin 16, i.e. how are specification and applet sunset dates impacted?
3.15 Does the Lifecycle policy have a grace period (comparable to Chip Bulletin 17's grace period) for products that are no longer allowed on the approved products list?
3.16 Can card vendors continue to sell products after the ICCN has expired?
3.17 Are issuers required to support decreasing card-in-field or expiry timelines as their card products get older?
3.18 Are Common Payment Application (CPA) based products covered by the current policy?
4 DCVV2 Security Test Requirements
4.1 What are the security requirements for DCVV2 based products?
5 Flash Memory
5.1 Can we use flash memory instead of ROM in a Chip Card product?
6 Biometric Sensor on Chip Card
6.1 Where can I find the security testing requirements for Biometric Sensor on Chip products?

Tables
Table 1 Abbreviations and Notations
Table 2 Support and Contact Information

Abbreviations and Notations

Table 1 shows the abbreviations and notations used in this FAQ.

Table 1 Abbreviations and Notations
DCVV2: Dynamic Card Verification Value
IAL: Initial Assessment Letter
ICCN: Integrated Circuit Certification Number (EMVCo)
LOA: Letter of Approval
LOQ: Letter of Qualification (GlobalPlatform)
PCN: Platform Certification Number (EMVCo)
SE: Secure Element
VCSP: Visa Chip Security Program
VSDC: Visa Smart Debit/Credit
VMPA: Visa Mobile Payment Application

References

The following are the references used in this FAQ.
1. Visa Chip Security Program, Security Testing Process Version 2.1, January
2. Visa Chip Security Program VSDC Applet Security Guidelines, February
3. Visa Chip Security Program VMPA Applet Security Guidelines, December 2016

Support and Contact Information

Table 2 shows Approval Services support and contact information.

Table 2 Support and Contact Information
Visa Technology Partner Website
Approval Services Website
E-mail: ApprovalServices@visa.com

1 General Questions

1.1 Where can I find the Visa Approved Products Lists?

The Visa Approved Products list is located on the Visa Technology Partners website.

1.2 Where can I find a list of Visa's approved security laboratories?

The Visa Recognized Testing Laboratories list is located on the Visa Technology Partners website.

1.3 Where can I find the most recent Security Testing Process document?

The most recent Security Testing Process document is located on the Visa Technology Partners website.

1.4 I have a product submission. Where can I find the Chip Card and Mobile questionnaires?

The most recent Chip Card Questionnaire and Mobile Questionnaire are located on the Visa Technology Partners website.

1.5 I have a new product for submission. Does the product require security testing?

All new chip card and mobile products require full security testing. Wearables and handsets using a previously approved chip or SE may not require security testing.

1.6 I have a product that is a derivative of a previously approved product. Does the product require security testing?

Testing depends on the type of changes made to the base approved product. Visa Approval Services and the Visa Security team review the questionnaire and make a determination based on the type of change being made.

1. Minor changes: If the changes are minor and do not impact product security, per VCSP policy no security testing is required, and an LOA (paper approval) is issued. Examples of minor changes: changes that do not impact product security, e.g. changing the module, antenna, etc.

2. Changes requiring additional review: If the changes are not minor and require additional information or analysis, Visa Approval Services requests an Initial Assessment Letter (IAL) from the security laboratory to determine the scope of security testing. The Visa Security team reviews the IAL and either approves the security testing scope or suggests appropriate modifications. Examples of changes requiring additional review: changes to the OS, changes to the payment application, etc.

1.7 How long does Visa Approval Services take to review an IAL?

Up to five (5) business days. Review time increases if additional clarification is needed from the security laboratory, for example on:
- the security evaluation scope
- important dates (e.g. ICCN and PCN expiration, site audit date)
- reuse of security test results, etc.

1.8 How long does Visa Approval Services take to review a security report?

Up to ten (10) business days. Review time increases if, for example:
- the laboratory found one or more security issue(s)
- additional clarification is required regarding security test results, reuse of evidence, JIL scores, etc.

1.9 My product has gone through security testing. Due to functional issues, some minor changes are made to the product before getting the approval. Does the product require additional security testing?

Any change made to the product before approval must be officially specified and declared by the vendor. Depending on the changes, which Visa Approval Services and the security laboratory will review, delta security testing may be required.

1.10 I have a product that has one or more security issue(s). What are the required next steps?

All Visa primary and secondary assets must be protected against attacks of high attack potential (JIL rating over 31). If the security evaluation report shows several security issues affecting primary or secondary assets, the product cannot be approved; the vendor must fix the issues and resubmit for the next cycle of security evaluation. If there are at most two issues, and all of them concern secondary assets, the Visa chip security team analyzes the risk of the attack path, and the product may be approved with technical comments on the LOA. Note that for a product approved with technical comments on the LOA:
- The product cannot have derivatives.
- If a security issue involves Visa's primary assets, the product cannot be approved.

For the definition of primary and secondary assets, refer to the VMPA and VSDC Applet Security Guidelines (see References).

1.11 I have a product that requires security testing. None of the EMVCo accredited security laboratories have available time slots. Can I submit the product to a security laboratory that is not EMVCo accredited?

No. The security evaluation must be completed by one of the EMVCo accredited security laboratories. Vendors are responsible for scheduling a time slot for security testing; Approval Services cannot facilitate this process or provide any guidance regarding scheduling. Refer to the VCSP requirements in Visa Chip Security Program, Security Testing Process Version 2.1 (see References).

2 PCN and ICCN

2.1 Is a valid ICCN required before submitting a product to Approval Services?

Chip card, mobile and wearable form factors require a valid ICCN at the time of product submission. Derivatives may be submitted with an expired ICCN. All other form factors require a valid ICCN. Products pending EMVCo approval are not accepted.

2.2 Is a valid PCN required before submitting a product to Approval Services?

A valid PCN is required for mobile (SE) and wearable form factors:
- Mobile and wearable products are based on a composite security evaluation, so a valid EMVCo PCN is required. Mobile or wearable products with a pending or expired PCN are not accepted.

A valid PCN is not required for chip card products. For chip card products that do not have a valid PCN, the security laboratory conducts a comprehensive security evaluation that includes code review and an audit of the entire OS, etc. A valid PCN for a chip card product facilitates the security testing and reduces the security evaluation time.

2.3 I have a product with a pending PCN number. Can I submit the product for security testing while waiting for the PCN to be approved?

Conducting the security evaluation while the PCN is pending is risky. If the PCN is not subsequently approved, the product may require additional security evaluation, and a mobile product cannot be approved at all (see 2.2). Approval Services is not responsible for any risks, costs or delays associated with a pending PCN.

3 Visa Chip Card and SE Lifecycle Management

3.1 Where can I find the most recent version of the complete Visa Chip Card and SE Lifecycle Management Policy?

The following documents address the Visa Chip Card and SE Lifecycle Management policy:
- For chip card products: Visa Chip Card Life Cycle Management
- For mobile and wearable products: Visa Secure Element Renewal and Lifecycle Management

3.2 When was the last update to the Visa Chip Card and SE Lifecycle Management Policy?

January.

3.3 How does the current policy differ from the old one?

Pre-2016 policy:
- A card product is approved for three (3) years. During this period vendors can sell, and issuers can issue, the product. There is no restriction on how long a card may stay in the field. After 3 years the vendor may choose to submit the product for renewal; if successful, the product remains approved for an additional three (3) years.

Visa Chip Card Lifecycle Management policy (post-2016):
- Accounts for a product's entire life cycle, from approval of the chip until expiry of the final card using the product in the field.
- This total usage period is twelve (12) years long and begins on the date the EMVCo ICCN for the card's chip was issued. There is no renewal process, so once a card product is approved, issuers have far greater certainty as to how long they will be able to use it.
- Vendors may sell, and issuers may issue, cards based on approved products at any point during the usage period; however, all cards must expire, and surplus stock must be destroyed, at or before the end of the usage period.
- Issuers need to be mindful of the date their card product is scheduled to be removed from the approved list, and ensure all cards are replaced or cancelled before that date during the standard re-issuance cycle, to avoid the expense of forced reissuance and wasted stock.

Visa SE Lifecycle Management policy (post-2016):
- The expiry date of the Visa mobile payment account must be set by the issuer to at most 10 years from the EMVCo ICCN issue date.
- Renewal testing is no longer required. The maximum compliance period, defined as the time during which a vendor can sell its secure element product, is 7 years from the EMVCo ICCN issue date.
- The Visa mobile payment application can be provisioned on the SE and instantiated at any time between the ICCN issue date and the ICCN issue date + 10 years.
- As before, a Visa mobile payment application on a new SE requires a valid EMVCo PCN to be compliant.

3.4 What is the impact on the approved chip card and mobile products based on the old policy?

There is no impact on products issued with an LOA prior to 1 January 2016. However, no more LOAs will be issued under the old policy for new products after this date.

3.5 Will my LOA be valid if the GlobalPlatform certification is not renewed?

Yes. The LOA remains valid if the GlobalPlatform Letter of Qualification (LOQ) is not renewed. NOTE: A product must have a valid LOQ to submit a derivative.

3.6 Are there any changes to the testing requirements?

No. The testing requirements remain the same.

3.7 What is the policy for chip card and mobile products issued with an LOA after 1 January 2016, but using a chip with an ICCN issued before 1 January 2016?

Card products issued with an LOA after 1 January 2016 are approved under the new policy, regardless of when the ICCN was issued for the chip used in the product.

EXAMPLE: A card product with an LOA issued on 1 February 2016, using a chip with an ICCN issued on 10 June 2014, has a usage period ending 9 June 2026, which is 12 years from the date the ICCN was issued. All cards using this product must expire and be cancelled and replaced by this date.

NOTE: A derivative submission falls under the same policy as its parent/base product regardless of when it is approved. If the base product is under the renewal policy, the derivative is approved under the renewal policy too.

3.8 Will an approval be invalid if an ICCN is not renewed?

No. A current ICCN is required only on the date the product is submitted to Visa for testing.

3.9 How are derivative products impacted by the Visa Card Lifecycle Management policy?

Derivative product approval timelines continue to be based on the parent product. If the parent product is under the pre-2016 policy, derivative products are also under that policy, even if the derivative is approved after 1 January 2016.

EXAMPLES:
- A derivative product with an LOA issued on 17 March 2016, based on a parent product approved on 14 August 2015, has a renewal date of 13 August 2018 (3 years from approval of the parent product). There is no restriction on the expiry term an issuer may use for these products.
- A derivative product with an LOA issued on 14 April 2017, based on a parent product with a usage period ending 10 January 2028, has a usage period ending 10 January 2028. All cards issued on this product must expire or be cancelled and replaced by 10 January 2028.

3.10 What happens if a bug or security flaw is identified after approval?

If the issue is significant, Visa continues to reserve the right to remove products from the approved list ahead of the scheduled removal date. Under the pre-2016 policy, removal of a card product from the approved list meant that no further issuance could take place, but existing cards were allowed to remain in the field until their natural expiry unless Visa communicated that accelerated replacement/cancellation was required. For card products approved under the current policy, removal from the approved list triggers the requirement for immediate replacement/cancellation of cards in the field based on the product concerned, as well as destruction of stock of the product. In this extremely rare situation, Visa would work closely with impacted issuers and vendors.

3.11 I have a new card (mobile) product that uses a chip with an expired ICCN. Can I submit the product for testing?

No. A valid ICCN is required for a new card (mobile) product to be accepted for testing.

3.12 What happens if the EMVCo ICCN validity period changes?

Under both the pre-2016 policy and the new policy, Visa only accepts products for testing/approval if they use a chip with a current/valid ICCN. Currently, EMVCo issues ICCNs for one year, renewable annually a maximum of five (5) times. If EMVCo shortens or extends the validity period of ICCNs, Visa will continue to require a valid ICCN at the time a product is submitted for testing.

3.13 What are the card vendor's responsibilities to ensure Issuers comply with the current policy? What are the Issuers' responsibilities?

Card vendors:
- are required to be completely transparent about the approval timeline and usage period of their products, and must avoid inadvertently misleading issuers about their product lifecycle under Visa rules;
- must comply with the terms of their Visa specification and applet licenses;
- may not sell and/or ship products that are not on the Visa approved list.

Issuers:
- must comply with the new policy and ensure that cards expire and are replaced before the product is removed from the Visa approved products list.

3.14 How does the new policy affect Chip Bulletin 16, i.e. how are specification and applet sunset dates impacted?

Visa chip specifications and applets continue to be introduced and sunset independently of the card product approval process. Visa only accepts card products for testing/approval if they are based on a specification and/or applet version for which testing is still supported on the date of submission.

3.15 Does the Lifecycle policy have a grace period (comparable to Chip Bulletin 17's grace period) for products that are no longer allowed on the approved products list?

No. When a product is removed from the Visa approved products list it may no longer be sold, shipped or issued. Existing products in the field must be cancelled or replaced.

3.16 Can card vendors continue to sell products after the ICCN has expired?

Yes, if the product is on the Visa Approved Products list.

3.17 Are issuers required to support decreasing card-in-field or expiry timelines as their card products get older?

Not necessarily. Issuers have this option; however, Visa recommends using a consistent card-in-field duration of three (3) to five (5) years and planning to issue a new product by the time the current one reaches its end of life. For example, an issuer that uses a 3-year card-in-field duration must stop issuing the product 3 years before it is scheduled to be removed from the approved list.

3.18 Are Common Payment Application (CPA) based products covered by the current policy?

No. For all questions regarding Common Payment Application (CPA) based products, contact VECPATypeApproval@visa.com.
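The lifecycle arithmetic in 3.3, 3.7, 3.9, 3.12 and 3.17 above, as an added worked example in Python (this is not Visa code and is not part of the original FAQ). The day boundaries are taken from the FAQ's own worked examples (a period that begins on a date ends the day before its anniversary); the month-granular expiry handling in latest_issuance_date is an assumption that cards carry an MM/YY expiry and remain valid through the last day of that month; the SE boundary convention and all product names and dates are constructed.

```python
"""Usage-period and issuance-cutoff calculator for the Visa Chip Card and SE
Lifecycle Management policy as described in this FAQ. Added example, not Visa
code; date conventions are inferred from the FAQ's worked examples."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

POLICY_CUTOVER = date(2016, 1, 1)  # LOAs from this date fall under the lifecycle policy (3.4, 3.7)
CARD_USAGE_YEARS = 12              # chip card usage period, from ICCN issue (3.3)
RENEWAL_YEARS = 3                  # pre-2016 approval term (3.3)
SE_SELL_YEARS = 7                  # SE compliance (sales) period, from ICCN issue (3.3)
SE_ACCOUNT_EXPIRY_YEARS = 10       # maximum mobile account expiry, from ICCN issue (3.3)
ICCN_MAX_RENEWALS = 5              # EMVCo ICCN: 1 year, renewable at most 5 times (3.12)


def add_years(d: date, years: int) -> date:
    """Anniversary of d; 29 February rolls back to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def end_of_month(year: int, month: int) -> date:
    return date(year, month, calendar.monthrange(year, month)[1])


@dataclass
class Product:
    name: str
    loa_date: date                       # date Visa issued the Letter of Approval
    iccn_issue_date: date                # EMVCo ICCN issue date of the chip
    parent: Optional["Product"] = None   # base product, for derivatives (1.6, 3.9)

    def base(self) -> "Product":
        p = self
        while p.parent is not None:
            p = p.parent
        return p


def governing_policy(p: Product) -> str:
    """Derivatives inherit the base product's policy whatever their own LOA date (3.7 note, 3.9)."""
    return "lifecycle" if p.base().loa_date >= POLICY_CUTOVER else "renewal"


def usage_period_end(p: Product) -> date:
    """Last day the product is scheduled to stay on the approved list.
    Lifecycle policy: 12 years from the ICCN issue date, ending the day before
    the anniversary (10 June 2014 -> 9 June 2026, as in 3.7). Renewal policy:
    3 years from the base product's approval unless renewed (3.9)."""
    base = p.base()
    if governing_policy(p) == "lifecycle":
        return add_years(base.iccn_issue_date, CARD_USAGE_YEARS) - timedelta(days=1)
    return add_years(base.loa_date, RENEWAL_YEARS) - timedelta(days=1)


def latest_issuance_date(p: Product, card_in_field_years: int) -> date:
    """Last day an issuer can issue a card with the given card-in-field term so that
    it expires by the end of the usage period (3.17). Under the renewal policy there
    is no field-expiry restriction, so issuance may continue to the renewal date."""
    if card_in_field_years < 1:
        raise ValueError("card-in-field term must be at least one year")
    end = usage_period_end(p)
    if governing_policy(p) == "renewal":
        return end
    # Assumption: card expiry is MM/YY and the card is valid through the last day of
    # that month, so the last permissible expiry month is the last whole month that
    # fits inside the usage period.
    y, m = end.year, end.month
    if end != end_of_month(y, m):
        y, m = (y, m - 1) if m > 1 else (y - 1, 12)
    # A card issued in month X with an N-year term carries expiry month X + 12N.
    months = y * 12 + (m - 1) - 12 * card_in_field_years
    iy, im = divmod(months, 12)
    return end_of_month(iy, im + 1)


def se_lifecycle(iccn_issue_date: date) -> dict:
    """SE (mobile/wearable) policy dates (3.3). Assumed convention: anniversary date inclusive."""
    return {
        "sell_until": add_years(iccn_issue_date, SE_SELL_YEARS),
        "max_account_expiry": add_years(iccn_issue_date, SE_ACCOUNT_EXPIRY_YEARS),
    }


def iccn_valid_on(iccn_issue_date: date, renewals: int, day: date) -> bool:
    """An ICCN is issued for one year and renewable annually at most five times (3.12).
    A valid ICCN is required only on the submission date (2.1, 3.8, 3.11)."""
    if not 0 <= renewals <= ICCN_MAX_RENEWALS:
        raise ValueError("renewals must be between 0 and 5")
    return iccn_issue_date <= day < add_years(iccn_issue_date, 1 + renewals)


if __name__ == "__main__":
    # Constructed products mirroring the FAQ's worked examples.
    card = Product("card", date(2016, 2, 1), date(2014, 6, 10))
    print(governing_policy(card), usage_period_end(card), latest_issuance_date(card, 3))
    old_parent = Product("old", date(2015, 8, 14), date(2014, 1, 1))
    old_deriv = Product("old-d", date(2016, 3, 17), date(2014, 1, 1), parent=old_parent)
    print(governing_policy(old_deriv), usage_period_end(old_deriv))
```

Running it reproduces the FAQ's figures: the 3.7 product's usage period ends 9 June 2026, and the pre-2016 derivative in 3.9 keeps its parent's 13 August 2018 renewal date. The month-granular cutoff is stricter than simply subtracting three years from the end date, because a card issued on 9 June 2023 with expiry 06/26 would still be valid on 30 June 2026.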

4 DCVV2 Security Test Requirements

4.1 What are the security requirements for DCVV2 based products?

If DCVV2 generation is performed on a separate chip that is not connected to the Visa payment application, the DCVV2 key must be protected against side-channel and non-invasive perturbation attacks. Any key recovery attack must require at least the level of effort that still classifies the protection as Basic (JIL rating 16-20) resistant. The DCVV2 key within the chip product must be tested by a Visa recognized security laboratory for basic resistance against recovery via side-channel and non-invasive perturbation attacks. The security laboratory provides Visa with a security evaluation report; the product passes if the JIL rating is 16 or higher. The security evaluation report cannot be older than one (1) year, and it must be declared with the Visa product submission (VTF#).

5 Flash Memory

5.1 Can we use flash memory instead of ROM in a Chip Card product?

Yes. Flash memory can be used as an alternative to mask-programmed ROM. Visa allows flash memory to be used as ROM as long as sensitive data and code can be locked down securely and are loaded in a secure and controlled environment. The following VCSP requirements must be satisfied when using flash memory:
- The lock-down mechanism must be evaluated during Visa chip security testing.
- When the chip card product is submitted for testing, it must be in its final configuration and securely locked down.
- Loading sensitive data and code into flash memory, and the lock-down procedure, must take place in a secure and controlled environment at a Visa approved facility.

6 Biometric Sensor on Chip Card

6.1 Where can I find the security testing requirements for Biometric Sensor on Chip products?

The security requirements for this type of product are defined and handled by Visa Ready. Contact the Visa Ready Program at visaready@visa.com to access the related document.