PayPass Mag Stripe Vendor Testing Process (Cards & Devices)


Copyright
The information contained in this manual is proprietary and confidential to MasterCard International Incorporated (MasterCard) and its members. This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of MasterCard.

Media
This document is available in both electronic and printed format.

Table of Contents

Using this Manual
  Scope
  Audience
  Related Information
  Abbreviations
  Terminology
  Revisions
  Revision history
1 Introduction
  1.1 Background
  1.2 Who needs to use this process?
  1.3 When is this process used?
  1.4 How this process is used?
2 Card Vendor Testing Process
  2.1 Vendor Registration
  2.2 Product Development Cycle
  2.3 Design Review
  2.4 Change Management
  2.5 Product or Renewal Registration
  2.6 Configuration Assessment
  2.7 Test Processes
    2.7.1 Analogue Interface Testing (AIT)
    2.7.2 Digital Interface Testing & Application Testing (DAT)
    2.7.3 Combination Testing
    2.7.4 Compatibility Testing
    2.7.5 User Evaluations
    2.7.6 Card Quality Management (CQM)
    2.7.7 Compliance Assessment and Security Testing (CAST)
  2.8 Waiver Review
  2.9 Approval Review
3 Vendor Registration
  3.1 Purpose
  3.2 Requirement Level
  3.3 Procedure
  3.4 Contacts
4 Product Development Cycle
  4.1 Purpose
  4.2 Procedure
  4.3 Contacts
5 Design Review
  5.1 Purpose
  5.2 Requirement Level
  5.3 Procedure
  5.4 Requirements
    5.4.1 Design Drawings
    5.4.2 Design Description
  5.5 Contacts
6 Product or Renewal Registration
  6.1 Purpose
  6.2 Requirement Level
  6.3 Procedure
  6.4 Contacts
7 Configuration Assessment
  7.1 Purpose
  7.2 Requirement Level
  7.3 Procedure
  7.4 Contacts
8 Test Processes
  8.1 Digital & Application Testing
    8.1.1 Purpose
    8.1.2 Requirement Level
    8.1.3 Procedure
    8.1.4 Sample Requirements
    8.1.5 Contacts
  8.2 Analogue Interface Testing
    8.2.1 Purpose
    8.2.2 Requirement Level
    8.2.3 Procedure
    8.2.4 Sample Requirements
    8.2.5 Contacts
  8.3 Combination Testing
    8.3.1 Purpose
    8.3.2 Requirement Level
    8.3.3 Procedure
    8.3.4 Contacts
  8.4 Compatibility Testing
    8.4.1 Purpose
    8.4.2 Requirement Level
    8.4.3 Procedure
    8.4.4 Contacts
  8.5 User Evaluations
    8.5.1 Purpose
    8.5.2 Requirement Level
    8.5.3 Procedure
    8.5.4 Contacts
  8.6 Card Quality Management
    8.6.1 Purpose
    8.6.2 Requirement Level
    8.6.3 Procedure
  8.7 Compliance Assessment and Security Testing
    8.7.1 Purpose
    8.7.2 Requirement Level
    8.7.3 Procedure
9 Waiver Review
  9.1 Purpose
  9.2 Requirement Level
  9.3 Procedure
  9.4 Contacts
10 Approval Review
  10.1 Purpose
  10.2 Requirement Level
  10.3 Pre-requisites
  10.4 Procedure
  10.5 Contacts
11 Change Management
  11.1 Changes introduced by MasterCard
  11.2 Changes introduced by Vendor
  11.3 Changes of Identification Details of the Vendor
Annex A Card/Device Design Review Form
Annex B Registration Request Form
Annex C Technology Identifier
Annex D AIT Personalization Profile
  D.1 Physical Personalization Profile
  D.2 Mag Stripe Personalization Profile
  D.3 Chip Personalization Profile
Annex E DAT Profile
Annex F Card Vendor Testing Process Summary
Annex G Global Vendor Certification Program

Using this Manual

Scope
This document describes the process which vendors wishing to supply PayPass Mag Stripe cardholder products (cards, fobs, mobile phones, etc.) must follow before the product can be approved and sold to MasterCard issuers and deployed in the field. It also defines the circumstances where an individual component of a PayPass product (chip, inlay, operating system, application, etc.) may gain compliance to specific areas of testing, therefore potentially reducing the overall cost of testing the final product.

Audience
This document is intended for use by:
- PayPass Mag Stripe card and device vendors wishing to supply PayPass approved products for MasterCard issuers
- Manufacturers wishing to supply components of PayPass Mag Stripe products that conform to PayPass Mag Stripe specifications for subsequent use in assembly of complete PayPass Mag Stripe products.

Related Information
The following reference materials may be of use to the reader of this manual or are referred to within the text of this manual.

[PAYPASS PRODUCT GUIDE]                      MasterCard PayPass Product Guide, August 2005.
[PAYPASS MAGSTRIPE]                          PayPass Mag Stripe Technical Specifications, November 2003.
[PAYPASS IMPLEMENTATION GUIDE]               MasterCard PayPass Mag Stripe, Issuer Implementation Guide
[PAYPASS ISO/IEC 14443]                      PayPass ISO/IEC 14443 Implementation Specification, June 2004.
[PAYPASS ISO/IEC 14443 COMBINATION TESTING]  PayPass ISO/IEC 14443 Combination Testing, September 2004.
[CQM-CERPR]                                  Card Quality Management - Certification Procedure, March 2003
[CQM-IQR]                                    Card Quality Management - Infrastructure Quality Requirements, February 2004
[CAST]                                       Compliance Assessment and Security Testing Program - Version 2.0
[MSSV]                                       MasterCard Security Standards for vendors - April 2000

Abbreviations
The following abbreviations are used in this manual:

Abbreviation  Description
AIT           Analogue Interface Testing
CAST          Compliance Assessment and Security Testing
CQM           Card Quality Management
DAT           Digital and Application Testing
IC            Integrated Circuit
MasterCard    MasterCard International
NDU           Non Disclosure Undertaking
PIC           PayPass Integrated Circuit
PICC          PayPass Integrated Circuit Card or Device
PICM          PayPass Integrated Card Module
PIL           PayPass Inlay

Terminology
This section explains a number of key terms and concepts used in this manual.

Card - a PayPass cardholder product in ID-1 format.

Card Vendor Testing Process - execution of a defined set of tests on submitted samples, claimed representative for a product, against requirements identified in [PAYPASS MAGSTRIPE] and [PAYPASS ISO/IEC 14443]. The process defined by this document.

CAST Process - the process that tests whether the chip, operating system and application(s) meet the security requirements as documented in [CAST].

Component - any part or combination of parts used in the construction of a PayPass product.

Conformity Statement(s) - generic term used to refer to the formal approval documentation issued by MasterCard to indicate conformity to specific sets of PayPass requirements.

Conformity to Analogue Interface Requirement - acknowledgement by MasterCard that specified components of the submitted samples were compliant with the analogue requirements of [PAYPASS MAGSTRIPE] and [PAYPASS ISO/IEC 14443] at the time of testing.

Conformity to Digital and Application Requirement - acknowledgement by MasterCard that specified components of the submitted samples were compliant with the digital and application requirements of [PAYPASS MAGSTRIPE] and [PAYPASS ISO/IEC 14443] at the time of testing.

CQM Label - acknowledgment by MasterCard that the identified vendor has demonstrated sufficient compliance with [CQM-IQR] for its stated purpose. The CQM Label is the result of a successful completion of the CQM Process.

CQM Process - the process that certifies a vendor as being compliant with [CQM-IQR]. The process itself is documented in [CQM-CERPR].

Design Review Process - visual check of a submitted PayPass product design.

Design Review Report - the results of the design review process.

Device - a PayPass cardholder product in any non ID-1 format.

PayPass Letter of Approval - acknowledgment by MasterCard International that the submitted samples of the specified product demonstrated sufficient compliance to requirement for its stated purpose at the time of testing.

PayPass Specification - MasterCard requirements of PayPass products as identified in [PAYPASS MAGSTRIPE], [PAYPASS ISO/IEC 14443], [PAYPASS ISO/IEC 14443 COMBINATION TESTING], [CQM-IQR] and [CAST].

Product - a complete PayPass cardholder card or device.

Test Report - summary of test results, issued by a Testing Laboratory as a result of testing a PayPass Mag Stripe product.

Testing Laboratory - a facility accredited by MasterCard International to perform tests on PayPass Mag Stripe products.

Revisions
The information in this manual supersedes and replaces all previous versions issued. Information in this book is subject to change. Any such changes will update the current version of the document.

Revision history

Version  History                                                                       Impact
1.1      Final draft
1.2      Change requirement for personalized cards for AIT to pre-personalized cards
2.0      Amended to reflect MasterCard PayPass Approval Policy                         0, D.3

1 Introduction

1.1 Background
MasterCard has developed a comprehensive test and validation process for PayPass Mag Stripe cards and devices in order to ensure world-wide interoperability and quality at an acceptable time and cost.

This document describes the MasterCard processes that support vendors wishing to produce PayPass Mag Stripe products or components. These processes are used during development, testing and approval and are known as the PayPass Mag Stripe Card Vendor Testing Process.

Completing this process will allow all parties involved in the manufacturing supply chain to demonstrate conformity to the published PayPass specifications and requirements. Individual PayPass product components will receive statements of conformity to the requirements. Only complete PayPass products will receive a formal MasterCard PayPass Vendor Product Letter of Approval.

1.2 Who needs to use this process?
- PayPass product vendors who wish to demonstrate MasterCard product approval to currently published specifications and requirements.
- PayPass component vendors who wish to demonstrate MasterCard component conformity to currently published specifications and requirements.

1.3 When is this process used?
Following vendor registration and any product/component development:
1. A complete PayPass product must be submitted to the Card Vendor Testing Process in the following circumstances:
   - Product is new or previously unapproved.
   - Any change to a currently approved product (as defined in Change Management, section 11 of this document).
   - A renewal, i.e. where a currently approved PayPass Mag Stripe product has a Letter of Approval which is due to expire.
2. A PayPass component may be submitted to the Card Vendor Testing Process in the following circumstances:
   - Component is new or untested against current requirements.
   - The component has changed since gaining conformity to requirements (as defined in Change Management, section 11 of this document).
   - A renewal, i.e. where a current PayPass Mag Stripe conformity statement is due to expire.

1.4 How this process is used?
The process outlined in this document is managed, controlled and driven by the vendor. It is the vendor's responsibility to carry out the actions required to achieve approval. This process is not managed by MasterCard staff but works on a basis of MasterCard reacting to the information received from the vendor via the email addresses or contact names provided.

It is recommended that the vendor appoints a project manager for the duration of the process who becomes the single point of contact with MasterCard or any associated testing service providers.

2 Card Vendor Testing Process

This chapter outlines the PayPass Mag Stripe Card Vendor Testing Process. Following chapters give detailed descriptions of each process. Figure 2.1 identifies the individual processes and their relationships.

[Figure 2.1 Card Vendor Testing Process. Processes shown: Vendor Registration (one time only); Design Review; Product Development Cycle (vendor process); Change Management; Product or Renewal Registration; Configuration Assessment; Test Processes (Digital and Application Testing, Analogue Interface Testing, Combination Testing, Compatibility Testing, Card Quality Management, Compliance Assessment & Security Test, User Evaluations); Waiver Review (if required); Approval Review.]

Annex F, Card Vendor Testing Process Summary, provides a more complete summary diagram of the processes, outputs and roles.

The process is modular, allowing flexibility for:
- Multiple component manufacturers within a single PayPass product.
- Manufacturers of different components seeking compliance for various combinations of components as well as full product approval.

The product registration and configuration assessment stage will determine the overall testing requirements for the submitted PayPass component or product:

2.1 Vendor Registration
This is a one-off process for each vendor wishing to develop PayPass products or components.

To use the PayPass brands and receive the relevant MasterCard specifications for PayPass Mag Stripe products, vendors must obtain a PayPass vendor license. This permits the licensee to supply PayPass products or components compliant with the specifications and brand standards to:
- Other licensed vendors
- MasterCard PayPass Mag Stripe issuers and acquirers
- End users, i.e. cardholders

Note: The Global Vendor Certification Program (GVCP) verifies physical and logical security of the vendor premises. This document assumes that GVCP has been completed. For more information, see Annex G.

2.2 Product Development Cycle
This process represents a vendor's internal development cycle. Facilities are available to allow a vendor to test PayPass Mag Stripe products during development in an ad-hoc manner against MasterCard supplied tools and simulators or using accredited Test Laboratories. There is no MasterCard involvement unless the vendor requires tools or support.

2.3 Design Review
This process reviews the design of PayPass Mag Stripe products.

Due to the flexibility allowed in PayPass Mag Stripe product design, it is important to ensure that the designs meet MasterCard requirements and that the form factor can be handled by MasterCard accredited testing services.

This process is mandatory for a vendor requiring a PayPass Letter of Approval for a product. It is not required for component manufacturers seeking conformity statements only.

The Design Review is not a review of the technical design of the product, but is a review of the:
- Product viability and ease of use
- PayPass implementation requirements
- Ability to complete the Card Vendor Testing Process

The main considerations for PayPass product design are based on recommendations or requirements outlined in the PayPass Implementation Guides [PAYPASS IMPLEMENTATION GUIDE].

As a result of this process MasterCard records some design features, e.g. antenna size/shape, which help in determining the expected operating characteristics of the card or device during testing and approval.

2.4 Change Management
During a PayPass product's or component's lifecycle there are likely to be various sources of change which must be handled. These are:
- Changes introduced by MasterCard, i.e. as a result of amended reference specifications or revised test cases etc.
- Change or development within an approved PayPass product or component
- Change of identification details

All changes to approved PayPass products or components must be notified to MasterCard. If the changes are considered minor then approval may be granted without any re-testing being required. Some changes, i.e. as a result of a change of component or significant product development, may result in a requirement to re-submit the product for testing and approval.

2.5 Product or Renewal Registration
On conclusion of any development, the vendor registers a product or component using the Registration Request and Technology Identifier forms. The process is mandatory for vendors seeking formal approval of products or components. The process is also used to apply for a renewal when a PayPass Letter of Approval or a conformity statement is due to expire.

2.6 Configuration Assessment
MasterCard will assess the components identified on the submitted forms to determine which test processes are required. This results in MasterCard issuing a PayPass Vendor Evaluation Plan detailing the action to be undertaken by the vendor during the test process. The plan will also detail:

- Recommended accredited test laboratories for formal evaluation
- Dates by which testing must be completed and approval requested.

The PayPass Vendor Evaluation Plan allows the vendor to agree the required test contracts/schedules with Test Laboratories.

2.7 Test Processes

2.7.1 Analogue Interface Testing (AIT)
Tests conformity to PayPass ISO 14443 specification [PAYPASS ISO/IEC 14443].

This testing is performed on representative samples of the product or component being submitted for formal evaluation. It is a test of the electro-magnetic behavior of the sample. Electro-magnetic behavior is dependent on assembly; therefore hardware modifications may alter this behavior.

If the product passes AIT, a Conformity to Analogue Interface Requirements is issued.

2.7.2 Digital Interface Testing & Application Testing (DAT)
Tests conformity to [PAYPASS ISO/IEC 14443 AND PAYPASS MAG STRIPE].

This testing is performed on representative samples of the product or component being submitted for formal evaluation. It is a test of the electronic and PayPass Mag Stripe application behavior of the sample.

If the product passes DAT, a Conformity to Digital and Application Testing Requirements will be issued.

2.7.3 Combination Testing
Tests conformity to [COMBINATION TESTING].

This testing is used to assist in the evaluation of the interoperability of a PayPass product when used against real PayPass terminals.

2.7.4 Compatibility Testing
With the flexibility offered in PayPass Mag Stripe product design it is essential to gain a level of understanding on how products will be used in real life. Additionally, the introduction of contactless payment requires a change in cardholder behavior as the main focus of this type of product is in a cardholder activated environment. Compatibility testing indicates how products will be received and identifies problems that may exist in using these new products in a live environment before large scale implementation takes place.

A requirement for Compatibility Testing will be determined during the design review and configuration assessment stages or may be requested during the evaluation of a waiver request to determine the impact of any non-conformity found during formal evaluation.

This testing is designed to assist in the decision process of approving PayPass products by providing a straightforward assessment of a new PayPass product's compatibility with existing approved and deployed PayPass terminals and readers.

2.7.5 User Evaluations
The purpose of a user evaluation is for MasterCard to gain a clear understanding of consumer reactions to PayPass products, identifying any common points of concern with the products to allow a plan of corrective action to be introduced to address any high risk issues raised.

The tests will determine if PayPass products developed to the existing PayPass specifications and implementation guidelines meet the intended aims when measured from a user's (cardholder's) perspective.

A requirement for User Evaluations will be determined during the design review and configuration assessment stages or may be requested during the evaluation of a waiver request to determine the impact of any non-conformity found during formal evaluation.

2.7.6 Card Quality Management (CQM)
Tests conformity to [CQM-IQR].

The CQM process is an audit of the manufacturing site to ensure that samples received by the Testing Laboratory are representative of the final product or component. The process also carries out a review of the vendor's existing change management procedures. The process results in the unique identification of key components and subsequent sets of components that form a PayPass product.

2.7.7 Compliance Assessment and Security Testing (CAST)
Tests conformity to [CAST].

CAST is an evaluation of security aspects of the hardware (chip), operating systems and all applications on MasterCard branded devices.

2.8 Waiver Review
If a product fails one or more of the required testing processes, it may still be submitted for a PayPass approval. In these circumstances, the vendor may raise a Waiver Request which is submitted with required supporting documentation to MasterCard for technical assessment.

Technical waiver assessment reviews the evidence and assesses the impact of the waiver request and will result in a recommendation to the approval review process. It may also result in a request for additional testing to be performed in support of the approval review.

2.9 Approval Review
When all required test processes have been completed for the product, the vendor can apply for a MasterCard PayPass Vendor Product - Letter of Approval.

If the Approval Review is positive, a letter of approval is issued and the product is listed on the PayPass approved products website.

The Approval Review may result in an approval with specified conditions. The vendor must agree to adhere to these conditions for the approval to be valid.

A negative evaluation will result in no PayPass Letter of Approval and no entry on the PayPass approved products website.

The approval is valid for 12 months. Renewal of a PayPass Approval may be requested for products which are still in production and meet the approval requirements in place at the time of the renewal. Renewal will start with the Product or Renewal Registration process and the forms submitted will be subject to Configuration Assessment to determine if all the components of the product are still conformant and to determine the testing, if any, that is required for the approval to be renewed.

3 Vendor Registration

3.1 Purpose
To register interest with MasterCard for the development of PayPass products or components.

A MasterCard license must be signed in order to receive the relevant MasterCard specifications and support for the development of PayPass Mag Stripe cardholder products. The license issue date is included on any MasterCard PayPass Vendor Product - Letter of Approval. A vendor is only required to sign a PayPass license once.

3.2 Requirement Level
The process is mandatory.

3.3 Procedure
The procedure is:
1. The vendor makes a license request to MasterCard by sending an email to the contact below.
2. MasterCard and the vendor agree and sign a license agreement.
3. PayPass specifications and support documentation are released to the vendor.

3.4 Contacts
The MasterCard contact during Vendor Registration is: PayPass@mastercard.com

4 Product Development Cycle

4.1 Purpose
The Product Development Cycle represents a vendor's internal development procedures for a PayPass Mag Stripe product or component.

MasterCard has made accredited Test Laboratories and MasterCard services and simulators available to assist with vendor development of PayPass. MasterCard recommends that the vendors use these services to ensure that subsequent formal testing is as efficient as possible. However, the use of these services is at the discretion of the vendor.

Any ad-hoc testing performed during the Product Development Cycle is known as prevalidation. It should be considered a de-bugging exercise and does not form any part of the formal testing process.

4.2 Procedure
Information about support services and ad-hoc testing can be obtained by sending an email to the relevant contact below.

4.3 Contacts
MasterCard contacts during the Product Development Cycle are:
- For queries regarding PayPass Specifications, application notes, etc.: specifications@paypass.com
- For information on available testing and support services: testing@paypass.com

5 Design Review

5.1 Purpose
Design Review checks that a proposed PayPass product meets the requirements of the PayPass implementation guides. Design Review is a review of the proposed product design; this includes a review of the layout of antenna, inlay and module, proposed areas of branding and any other product features.

5.2 Requirement Level
The process is mandatory for vendors producing complete PayPass cards or devices.

5.3 Procedure
The procedure is:
1. Vendor submits Card/Device Design Review form (Annex A), design drawings and design descriptions (see requirements below).
2. MasterCard generates a Design Review Report for the vendor.
3. The Design Review Report indicates areas of design that may not satisfy PayPass Implementation Guidelines requirements and highlights any potential issues with regard to formal testing.

5.4 Requirements

5.4.1 Design Drawings
The submitted documents will include drawings of the product showing:
- External design including dimensions
- Layout of branding (does not need to show final branding as this may be customer specific)
- Internal component layout including the position of the PayPass chip
- Antenna layout and dimensions

5.4.2 Design Description
The submitted documents will include written descriptions of the product defining:
- Method of PayPass chip personalization required for the card/device
- How the product meets the requirements of the PayPass Implementation Guidelines. These requirements are outlined in the card/device design review form
- Any special usage instructions required by the user

5.5 Contacts
The completed Card/Device Design Review form and supporting documentation shall be sent electronically to:
testing@paypass.com

6 Product or Renewal Registration

6.1 Purpose
Product Registration is designed to:
- Request registration of a component or product for testing.
- Request registration of a product or component for the renewal of product approval or a component conformity.
- Record details of the product or component to be tested.

As far as possible, full details of the product components (Chip, Module, Inlay, Operating System, Application software) that have been submitted for testing purposes are recorded. This information is held for reference to indicate the full tested set of components.

In the case of a renewal, it is the vendor's responsibility to ensure that all supporting prerequisite statements are valid and remain applicable. The subsequent Configuration Assessment process will determine if any testing needs to be completed to support the renewal request.

6.2 Requirement Level
The process is mandatory.

6.3 Procedure
The procedure is:
1. The vendor completes:
   - Registration Request Form, Annex B.
   - Technology Identifier, Annex C.
2. Any existing conformity statements for the components of the product should be submitted as detailed on the registration request form.
3. The documentation is emailed to MasterCard as detailed below.

6.4 Contacts
The MasterCard contact during product or renewal registration is:
testing@paypass.com

7 Configuration Assessment

7.1 Purpose
Configuration Assessment has the following objectives:
- To identify the specific tests that the product or component must be subject to.
- To identify Test Laboratories to execute the tests.
- To identify the formal outputs from the tests.
- To allow the vendor to initiate the ordering process for third party testing services, e.g. Test Laboratories.
- To indicate to the Test Laboratories that MasterCard has given the green light to the vendor to begin formal testing.
- To document a date by which testing must be completed and approval requested.
- For a product, to confirm the set of formal documents to be submitted to support a request for a Letter of Approval.
- To allow MasterCard to allocate a Product Registration Number.

The process output is a Product Vendor Evaluation Plan which documents the result of the Configuration Assessment against the objectives above.

In the event of a product PayPass Letter of Approval renewal request with a full set of valid supporting pre-requisite documentation, where no further testing is identified on the PayPass Vendor Evaluation Plan, the process will trigger the Approval Review process.

7.2 Requirement Level
The process is mandatory.

7.3 Procedure
The procedure is:
1. MasterCard will analyze the following:
   - Registration Request Form
   - Technology Identifier
   - Supporting conformity statements (if available)
2. The content of the forms is evaluated to determine which test processes are applicable. This will depend upon:
   - Formal statements required
   - Specific component or product submitted for testing
   - New product
   - New version of component
   - New combination of previously tested components
   - Letter of Approval expiry
   - Conformity Statement expiry
   - New manufacturing process/premises
3. A PayPass Vendor Evaluation Plan is generated indicating the list of test processes that the product must be submitted to and the list of formal documents that must be obtained in order to achieve a PayPass Letter of Approval for the submitted product. Where MasterCard indicates that it is allowable, this list may include conformity statements, CQM labels or CAST certificates from previous product/component tests.
4. MasterCard will allocate the item under test a Product Reference Number which should be recorded by the vendor on the relevant Technology Identifier form prior to future communications and reference.
5. Using the PayPass Vendor Evaluation Plan a vendor can agree test contracts with Test Laboratories.

Note: The PayPass Vendor Evaluation Plan contains a date by which testing should be completed and a Letter of Approval or conformity statement applied for. Failure to meet this date may require the product to be re-submitted for testing.

7.4 Contacts
The MasterCard contact during Configuration Assessment is:
testing@paypass.com

8 Test Processes

8.1 Digital & Application Testing

8.1.1 Purpose
The purpose of Digital and Application Testing (DAT) is to verify whether the application held on the PayPass Integrated Circuit (PIC) is compliant with the digital interface specifications [PAYPASS ISO/IEC 14443] and the application specifications [PAYPASS MAGSTRIPE].

DAT is performed in an accredited Test Laboratory or by MasterCard. In this section, therefore, Test Laboratory may also refer to MasterCard.

Note: The DAT Report and any associated Conformity to Digital and Application requirements statement is not valid if any field in the Technology Identifier form changes.

8.1.2 Requirement Level
The process is mandatory.

8.1.3 Procedure
The procedure is:
1. The vendor provides samples and a Technology Identifier form to the Test Laboratory.
2. The Test Laboratory performs the tests and issues a Digital and Application Test Report to the vendor.
3. If the result is positive, the vendor submits a copy of the Digital and Application Test Report to MasterCard for assessment.
4. If the assessment is positive, a statement of Conformity to Digital and Application Requirements is issued.
5. The items detailed on the Conformity to Digital and Application Requirements are:
   - Chip (PIC)
   - Software operating system
   - Software - application
6. If the Digital and Application Test Report is negative, the vendor may choose to stop formal testing while the product re-enters the vendor's Product Development Cycle.

Note: If the Digital and Application Test Report is negative the vendor may submit the report to the Waiver Request Process for technical waiver assessment. In this case a Conformity to Digital and Application Requirements will not be issued.

8.1.4 Sample Requirements
Samples presented for DAT shall be:
- 18 samples of "pre-personalized" Profile A
- 5 samples of "pre-personalized" Profile B.

For more information on Profile A and Profile B, see Annex E.

Note: A vendor submitting samples supporting Type A and Type B communication protocols must send two times (18+5) samples.

8.1.5 Contacts
DAT samples will be sent directly to the contracted Testing Laboratory. Submissions for Conformity to Digital and Application Requirements statements shall be sent to:
testing@paypass.com

8.2 Analogue Interface Testing

8.2.1 Purpose
The purpose of Analogue Interface Testing (AIT) is to check whether the analogue behavior of a sample conforms to the document [PAYPASS ISO/IEC 14443]. AIT is performed in an accredited Testing Laboratory and is based on sample testing.

AIT ensures that the sample:
- Works correctly with a terminal that delivers energy to the product.
- Can interpret the digital bit-strings sent by the terminal.
- Sends correct bit-strings to the terminal.

Note: The AIT Test Report and any associated Conformity to Analogue Interface requirements statement is not valid if any field in the Technology Identifier form changes.

Note: CQM Label 1 for the configuration indicated in the Technology Identifier is a pre-requisite for the issue of a Conformity to Analogue Interface requirements.

8.2.2 Requirement Level
The process is mandatory.

8.2.3 Procedure
The procedure is:
1. The vendor provides samples and Technology Identifier form to the Test Laboratory.
2. The Test Laboratory performs the tests and issues an Analogue Interface Test Report to the vendor.
3. If the result is positive, the vendor submits two originals of the Analogue Interface Test Report and the CQM label 1 to MasterCard for assessment.
4. If the assessment is positive, a statement of Conformity to Analogue Interface Requirements is issued.
5. The items detailed on the Conformity to Analogue Interface Requirements are:
   - PayPass card or device (PICC)
   - Chip (PIC)
   - Software operating system
   - Software application
   - Module (PICM)
   - Inlay (PIL)
6. If the Analogue Interface Test Report is negative, the vendor may choose to stop formal testing while the product re-enters the vendor's Product Development Cycle.

Note: If the Analogue Interface Test Report is negative the vendor may submit the report to the Waiver Request Process for technical waiver assessment. In this case a Conformity to Analogue Interface Requirements will not be issued.

8.2.4 Sample Requirements
Samples presented for AIT shall be:
- Personalized as documented in Annex D.

Additionally:
- 10 samples will be provided to the Testing Laboratory.
- After testing, the samples will be held by MasterCard for reference purposes and will not be returned to the vendor.

8.2.5 Contacts
AIT samples will be sent directly to the contracted Testing Laboratory. Submissions for Conformity to Analogue Interface statements shall be sent to:
testing@paypass.com

8.3 Combination Testing

8.3.1 Purpose
Combination Testing shows whether a transaction takes place when a PayPass cardholder device is presented in a full range of normal ways within the Operating Volume of a range of specified terminals.

For the purpose of this testing, the full range of normal ways is limited to a finite number of specific, repeatable ways a device is presented on a terminal. For the purposes of standardization and repeatability, these are defined by parameters.

A PayPass Mag Stripe product must be able to conduct PayPass Mag Stripe initiated transactions within the timing and consistency limits set by the testing specifications [COMBINATION TESTING].

8.3.2 Requirement Level
The requirement for this testing is determined during the Configuration Assessment or as a result of a waiver request.

8.3.3 Procedure
The procedure is:
1. The vendor provides the product and a Technology Identifier form to the Test Laboratory. The number of product samples required for testing may vary depending upon the product form factor and will be confirmed by the Testing Laboratory.
2. The Test Laboratory performs the tests and issues a Combination Test Report to the vendor.
3. The vendor submits the Combination Test Report to MasterCard for assessment.

8.3.4 Contacts
Combination testing samples will be sent directly to the contracted Testing Laboratory. For further general information relating to Combination Testing, please contact:
testing@paypass.com

8.4 Compatibility Testing

8.4.1 Purpose
Compatibility Testing determines if a PayPass cardholder product can be used in a consistent and effective manner across a range of terminals/readers. Cardholders must be able to conduct PayPass Mag Stripe initiated transactions at least as quickly as, and with equal or better consistency than, magnetic stripe initiated transactions.

Compatibility Testing is not required for every product but may be requested:
- If a product has a form which makes it advisable to test its compatibility with a variety of PayPass terminal types.
- As a result of potential issues identified in the Design Review, e.g. antennae size/location.
- Where formal sample testing highlights difficulties in conducting PayPass transactions effectively.
- If a product has a form which makes it impractical to perform one or more of the prerequisite formal tests. In this situation the components of the product must have the pre-requisite formal statements from previous submissions.

The specific test requirements will be advised as a result of Design Review and Configuration Assessment. Where a Compatibility Test requirement is identified, a sample of the PayPass product will be requested from the vendor and submitted to the MasterCard PayPass Compatibility Testing process.

The Approval Review will make use of results from this process during product assessment.

8.4.2 Requirement Level
When required by MasterCard.

8.4.3 Procedure
The procedure is:
1. MasterCard will determine where product samples should be sent for Compatibility Testing. The number of samples required for testing may vary depending upon the product form factor and will be confirmed by MasterCard prior to submission.
2. MasterCard performs the tests and generates a Compatibility Test Report.
3. The result captured on the Compatibility Test Report may be used by MasterCard as input to the product Approval Review.
8.4.4 Contacts
testing@paypass.com

8.5 User Evaluations

8.5.1 Purpose
User Evaluations allow feedback on the acceptability of the product in a customer environment. They record:
- The reactions of users of PayPass cards and devices where the users are representative of consumers that would use the product.
- The PayPass product's reaction to different usage: male, female, left-handed, right-handed, etc.

Evaluations capture:
- The first user reaction to using a PayPass card or device, i.e. is it obvious what PayPass is and how to use it, was a successful transaction achieved at the first attempt, if not why not, etc.
- The initial approach to attempting a payment transaction, i.e. how did they interpret what to do?
- How many attempts did it take before the user understood how to use the card/device successfully, i.e. how quickly did they learn what to do from any instructions provided?
- Could the user consistently achieve a successful transaction across a range of terminals having gained confidence in using the product?
- Was the card/device suitable for all users or more suitable to a particular user group?
- What was the reaction to the cards/devices not working, i.e. is the experience of using PayPass user friendly?

If required, results from this process will be used during the product Approval Review.

8.5.2 Requirement Level
User Evaluations are not required for all PayPass products. The requirements for a User Evaluation will be determined by MasterCard either during a Design Review or as additional information to support an approval request.

8.5.3 Procedure
The procedure is:
1. MasterCard will determine where product samples should be sent for User Evaluations. The number of product samples required for testing may vary depending upon the product form factor and will be confirmed prior to submission.
2. MasterCard performs the tests and issues a User Evaluation Test Report to the vendor.
3. The result captured on the User Evaluation Test Report may be used by MasterCard as input to the product Approval Review.

8.5.4 Contacts
User Evaluations - PayPass Product Development
Mobile Wireless Centre of Excellence
MasterCard UK Inc
47-53 Cannon Street
London EC4M 5SH
England
testing@paypass.com

8.6 Card Quality Management

8.6.1 Purpose
CQM ensures quality and reliability levels for PayPass products via an audit process. Card vendor compliance with CQM ensures that all products have sufficient overall quality to guarantee future reliability and repeatability during the production process.

Individual components of PayPass products receive a quality label when they comply with CQM requirements. All MasterCard PayPass products must have the CQM labels.

CQM requirements cover all stages of the production and preparation of a PayPass product. Table 12.1 provides a summary of the CQM label requirements.

Table 8.1 CQM Labels and Components

Component(s)          Abbreviation   Activity                                                         Label
Chip                  PIC            Production of the PIC                                            CQM label 1
Module (incl. chip)   PICM           Assembly of the PIC into a micro-module                          CQM label 2
Inlay                 PIL            Assembly of micro-module and antenna, production of the inlay    CQM label 3
Body or Casing        PICC           Lamination of the card body or completion of the device          CQM label 4

Note: Specific CQM requirements related to PayPass products are detailed in Sections 13, 14, 15 and 16 of [CQM-IQR].

8.6.2 Requirement Level
The process is mandatory.

8.6.3 Procedure
The CQM process requires a separate registration, NDU and contract with MasterCard. For further information about the CQM process or to request CQM application forms, please contact:
CQM@mastercard.com

8.7 Compliance Assessment and Security Testing

8.7.1 Purpose
CAST reflects the latest developments in security evaluation methodology and unites independent evaluations with internal security testing. The process allows MasterCard to maintain high levels of security assurance while minimizing vendor costs.

An application is built on an operating system, which is built on an integrated circuit (IC). The process reflects this by awarding certificates at product and IC levels:
- IC Certificates - The process considers the IC, providing assurance in the security functions designed to deal with known attack methods. Account is taken of the security in the design, development, and delivery processes.
- PayPass Product Certificates - The process considers vendors that develop operating systems/applications. This testing will include checks on secondary defenses against potential physical vulnerabilities and correctness of implementation.

MasterCard will remove products from the CAST Approved Products list after three years. In order for a vendor to extend a certificate, the product must undergo a delta evaluation against any new threats identified since the original evaluation.

8.7.2 Requirement Level
The process is mandatory.

8.7.3 Procedure
CAST requires a separate registration and a completed CAST agreement between MasterCard and the vendor. For more information about the CAST process or to request a CAST application form, please contact:
Gary_hemmings@mastercard.com
MasterCard UK Inc
St Andrew House, The Links, Kelvin House, Birchwood
Warrington
Cheshire
UK WA1 1TPB

9 Waiver Review

9.1 Purpose
Waiver Review is the assessment of a vendor's request for a waiver from one or more of the test processes, i.e. one or more of the pre-requisites for the Approval Review process are not available.

The full set of Approval Review pre-requisites is:
- Conformity to Digital and Application Requirements.
- Conformity to Analogue Interface Requirements.
- Certification Number (CAST).
- CQM label 4 assessment for the product.

When one or more of these items is not available the vendor must apply for a waiver.

9.2 Requirement Level
The process is mandatory where one of the Approval Review pre-requisites is not available.

9.3 Procedure
The procedure is:
1. Vendor submits a waiver request supported by a Technology Identifier form and with any of the supporting documents that are available (as listed in section 9.1 above).
2. The waiver request is subject to a technical waiver review.
3. The impact of the specific issues that have caused the waiver request to be made is assessed.
4. The technical waiver review results in one of the following recommendations:
   - Request for additional testing, such as compatibility testing, before making a decision on the waiver request
   - Approve the product
   - Do not approve the product.
5. The Approval Review process will be initiated on the vendor's behalf.

9.4 Contacts
The waiver request shall be submitted to:
testing@paypass.com

10 Approval Review

10.1 Purpose
Approval Review is an assessment of an application for a MasterCard PayPass Vendor - Letter of Approval for a PayPass cardholder product.

Note: A MasterCard PayPass Vendor - Letter of Approval is only granted to the final assembled product when it has completed all the necessary testing.

10.2 Requirement Level
The process is mandatory.

10.3 Pre-requisites
A MasterCard PayPass Vendor - Letter of Approval requires a Technology Identifier form supported by:
- Completion of a Design Review
- Conformity to Analogue Interface Requirements.
- Conformity to Digital and Application Requirements
- CAST Certification Number.
- CQM Label 4.

Where a vendor has used the Waiver Review process, there will in addition be:
- A waiver request
- The recommendation of the technical waiver review.

10.4 Procedure
The procedure is:
1. Vendor submits a file with the pre-requisite documents
   Or
2. MasterCard via the Waiver Review process submits a file with the pre-requisite documents plus the waiver request and the recommendation of the technical waiver review.
3. MasterCard assesses the request and will either:
   - Issue a MasterCard PayPass Vendor - Product Letter of Approval to the vendor and list the device on the approved PayPass products website.
   - Not approve the product.

10.5 Contacts
The approval documentation must be submitted to:
approvals@paypass.com
PayPass Product Approval
Mobile Wireless Centre of Excellence
MasterCard UK Inc
47-53 Cannon Street
London EC4M 5SH
England

11 Change Management
PayPass products will be subject to change during their lifecycle, including software changes or revisions. Change needs to be managed in the case of:
- MasterCard changes to:
  - Test cases with/without a new reference specification
- Vendor changes to:
  - Components
  - Production process
  - Product specification/components
  - PayPass Application
- Vendor identification details

11.1 Changes introduced by MasterCard
To reflect changes to PayPass Specifications or improve the integrity of tests, MasterCard reserves the right to change the PayPass Vendor Testing Process and test cases at any time. When change occurs, MasterCard will:
- Inform all participants of the new tests
- Fix the date(s) for activation of the new tests
- Fix the date for deactivation of the old test cases.

There may be a time period during which either the old or new test version may be used in the PayPass Vendor Testing Process. However, MasterCard shall not be under any obligation to permit a phase-out of old tests.

11.2 Changes introduced by Vendor
The vendor is responsible for declaring changes in design, application, manufacturing process or personalization to approved products or their components.

The principle is that any change to design, production or personalization process requires the PayPass component to be re-submitted for approval. However, if the vendor can provide proof and documentation that the changes are minor and do not result in a different behavior with respect to specifications and the Technology Identifier, MasterCard may decide that no additional testing is required, or that only a subset of the tests need to be performed.

MasterCard reserves the right to require a full resubmission to the PayPass Vendor Testing Process following any changes. If MasterCard determines that the change is major, then the product will be considered a new product. In this case MasterCard will require the product to complete the MasterCard PayPass Card Vendor Testing Process.