Sunday, April 21, 2024

Insight into the Chip-based Payment Card and Terminal Certification—an integral part of the journey to Secured EMV

  • By Abdullah Al-Shamim

The very first bank card in Bangladesh was issued more than two decades ago. It was a magnetic stripe card. Despite their comparatively lower security, magnetic stripe cards prevailed for a significant period. Then came chip cards along the path of evolution of bank cards. With a higher degree of security, achieved by incorporating cryptographic mechanisms and storing sensitive data inside the embedded integrated circuit (IC) module, chip cards are currently considered the safest medium of card payment in the industry for fighting and preventing card fraud, especially in the card-present environment.

At the heart of chip-based transactions lies EMV—a standard originally created by Europay, Mastercard and Visa, currently managed by EMVCo—for the stakeholders of the payment ecosystem to ensure security and global acceptance. The EMV standard encompasses not only chip-based cards but also payment acceptance devices such as point of sale (POS) terminals and automated teller machines (ATMs).

Over the past couple of years, Bangladesh has been adopting EMV technology to enhance the security of its growing card transactions, and almost 60% of the banks in Bangladesh are estimated to be EMV-ready now.

From a broad perspective, EMV migration involves the entire testing and certification of an EMV solution, which is to be conducted prior to deployment. This process consists of testing the payment card, the issuer and acquirer host systems, card personalization, the payment acceptance terminal, and most importantly the interface with the corresponding payment network, along with the required certifications at various stages.

Certification of EMV payment cards and terminals is covered by EMVCo certification and payment brand certification. For years EMVCo has been managing the Level-1 (L1) and Level-2 (L2) certificates, collectively known as Type Approval. The certification scope varies based on the card interface: contact or contactless. On top of EMVCo L1 and L2 certification, the payment brands have their own product certification process, known as Level-3 (L3), and they provide the final approval once their specific requirements are properly met.

Once the payment application for a card product is approved, it is personalized and tested according to the payment brand specification. Personalization verification can be performed either by the payment brand itself or through its accredited test laboratories. The issuer can also use test tools developed by the test laboratories during the product preparation phase to reduce the number of evaluation iterations with the payment brands, which will eventually reduce time as well as the certification cost.

Among the accredited test laboratories of the payment brands, Underwriters Laboratories (UL) is vastly experienced and well-reputed. Its test tools have passed the qualification processes and requirements for functional evaluations of major payment brands. For validation of chip card personalization, UL has offered the Personalization Validation Tool (PVT), and for terminal testing the Brand Test Tool (BTT), for years now.

Kona Software Lab Ltd. is the authorized regional reseller of UL test tools and services and is working closely with banks and financial institutions to accompany them in their EMV testing and certification. Kona has around 100-plus trained and experienced engineers to provide all sorts of required support to banks and financial institutions. Kona has already provided these services to more than 15 banks and financial institutions in Bangladesh.


The author is the Senior Manager, Research & Development at Kona Software Lab Limited. 
