EMVCo - Experts & Thought Leaders

Latest EMVCo news & announcements

EMVCo publishes security requirements for MFA payment solutions

EMVCo has released security requirements to support the development of multi-factor authentication (MFA) solutions capable of preventing or detecting attacks that could compromise the security of payment authentication. The "multi-factor authentication solutions for payments security requirements" document is publicly available from the EMVCo website.

MFA is an authentication method that requires the payee to provide two or more factors to confirm their identity. There are three types of authentication factors: "knowledge" (things know), such as a PIN or password; "possession" (things have), such as a smartphone; and "inherence" (things are), such as biometrics.

MFA solutions

As the use of MFA solutions in payments increases, EMVCo has defined a set of security requirements for MFA solutions to address the security threats that could compromise the security of those solutions. The work leverages EMVCo’s existing Security Evaluation Infrastructure, enabling solution providers to test their products and demonstrate that they meet payment industry expectations.

“As remote payments continue to gain traction, such as e-commerce transactions, it is paramount for consumers to be able to securely prove their identity and authenticate their transactions,” explains Joy Huang, Chair of the EMVCo Executive Committee.

He adds, “EMVCo recognises that MFA plays a crucial role in not only achieving this, but also giving the industry flexibility in how it wants to authenticate consumers using different credential combinations in different payment scenarios.”

MFA security requirements

EMVCo MFA security requirements support:

- Developers of MFA solutions for payments, to enable them to gain security evaluation certificates for their product components and solutions.
- Testing laboratories, to offer a clear evaluation process.
- Merchants, acquirers, and payment service providers, to share valuable and practical information on security performance characteristics and the "suitability" of MFA products.

EMVCo’s laboratory network

Huang adds: “It is vital to recognise why this is important – the evaluation process essentially works to assist developers in preventing and protecting against attacks using their devices or infrastructure, which could adversely impact other payment participants.”

He adds, “Optimising EMVCo’s expertise and framework is an effective way to address this issue. EMVCo MFA Security Requirements builds on an established and proven infrastructure offering vendors access to EMVCo’s laboratory network to achieve the standards needed to protect consumers and the wider payments ecosystem.”

Security evaluation process

EMVCo MFA Security Requirements cover payment authenticators used in a variety of consumer devices, including smartphones, laptops, vehicles, and IoT devices. The supporting security evaluation processes test software and hardware components involved in the collection, processing, storage, transmission, and verification of data used for authentication during payment use cases.

EMVCo issues milestone 100th security evaluation certificate for software-based mobile payment solutions

Global technical body EMVCo has issued its 100th Security Evaluation Certificate for Software-Based Mobile Payments (SBMP) solutions. This milestone reflects significant industry uptake from device manufacturers and product vendors to demonstrate the security of their solutions through a globally recognised programme, promoting trust and confidence across the payments ecosystem and simplifying the deployment of safe and secure mobile wallet solutions.

Different security components

The continued growth of mobile payments has increased the number of solutions deployed that use software applications to enable consumers to pay in-store. As these software-based solutions operate in the more vulnerable consumer device environment, mobile wallet providers use a layered security approach comprising various software and device components to combat threats.

To support this layered security approach while ensuring flexibility and efficiencies, EMVCo introduced a dedicated Security Evaluation Process for SBMP in 2018 to assess the different security components that can be integrated into an SBMP solution. Specific components evaluated by EMVCo include software development kits (SDK), trusted execution environments (TEE), consumer device cardholder verification methods (CDCVM) such as biometrics/authenticators, attestation mechanisms, and software protection tools. Full mobile payment applications comprising various individual components can also be evaluated.

Realise significant efficiencies

“Advancing testing and evaluation processes is integral to enabling more consistent, convenient, and secure payment experiences,” comments Alisa Ellis, EMVCo Executive Committee Chair. “Issuing 100 Security Evaluation Certificates for SBMP Solutions is testament to increasing demand for secure mobile payments worldwide, and this is enabling mobile wallet providers to realise significant efficiencies and accelerate deployment by easily identifying the products that have been evaluated.”

EMVCo Security Evaluations ensure that a payment product or solution has been assessed against the common EMVCo evaluation methodology and includes mechanisms and protections to withstand known attacks. SBMP Security Evaluations are conducted by a global network of 9 accredited laboratories, with EMVCo acting as a trusted authority. Approved products are listed on the EMVCo website.

PACE Anti-Piracy, Inc. raises the bar in white-box encryption protection for banks, PSPs and payment scheme applications

Banks, payment service providers (PSPs), schemes, and other financial institutions can now benefit from a uniquely high level of sensitive data protection and application attack resistance, following the launch of White-Box Works, a next-generation EMVCo-evaluated White-Box code generator, from PACE Anti-Piracy, Inc. Unlike traditional solutions, White-Box Works gives the customer complete and independent control over their protected code, thereby ensuring their encryption keys and proprietary algorithms never leave the customer’s premises.

Enhanced flexibility, security, and efficiency

White-Box Works can transform any C-code into a protected white-box variant in a single step, offering unparalleled flexibility, security, and efficiency. This level of in-house control also promises to increase operational efficiency for the customer, since they are no longer beholden to a white-box library vendor’s build schedule and can develop their application in accordance with their internal schedules. White-Box Works also enables the customer to use, replace and update their deployed encryption keys and algorithms at will, with no need to re-engage PACE Anti-Piracy, or any other third-party vendor, to do so.

White-Box Works

White-Box Works has been designed to defeat a variety of sophisticated attacks, including those involving reverse engineering, fault injection, and advanced statistical analysis, such as Differential Computation Analysis. White-Box Works outputs code that has been designed to defeat a range of attacks to which many encryption-dependent financial apps remain vulnerable, including, for example, those supporting mobile payments, digital identity, self-service retail, and soft POS use-cases.

Achieved EMVCo SBMP security evaluation certificate

White-Box Works, developed by PACE Anti-Piracy, Inc., has also achieved the EMVCo Software-Based Mobile Payment (SBMP) security evaluation certificate, following a successful EMVCo SBMP evaluation, which was conducted by global security lab, Riscure.

Allen Cronce, the Chief Executive Officer (CEO) of PACE Anti-Piracy, Inc., said, “Statistical Analysis attacks are the bane of all white-box encryption protection solutions. We are very proud to be equipping the financial services industry with a solution that is capable of addressing these and other vulnerabilities.”

Major step forward in the encryption protection space

Allen Cronce adds, “White-Box Works represents a significant step forward in the encryption protection space and will give banks, PSPs, schemes, and other financial sector users greater confidence, in the security of their sensitive data. We’re also delighted to accompany the launch with news of White-Box Works’ EMVCo SBMP evaluation certificate and are grateful to Riscure’s talented penetration testers. The entire Riscure team has been a pleasure to work with, throughout the rigorous EMVCo evaluation process.”

Maarten Bron, the Managing Director of Riscure North America, said, “Riscure is proud to have assisted PACE Anti-Piracy in achieving an EMVCo SBMP evaluation certificate for White-Box Works.”

Unique security capability for solution developers

Maarten Bron adds, “This innovative technology provides a unique security capability for solution developers, as it supports the creation of white-box instances for any algorithm, allowing for optimal flexibility and developer freedom, when the protection of cryptographic keys is vital. This makes White-Box Works not only useful in payments, but also in other fields, such as digital rights management, eHealth, IoT (Internet of Things), automotive and more.”

PACE Anti-Piracy, Inc.’s Chief Executive Officer (CEO) Allen Cronce stated, “It’s also noteworthy that White-Box Works was evaluated as a stand-alone technology and did not require the additional protection of binary hardening, and tamper-proofing technology, to receive an EMVCo security evaluation certificate. I believe this is another industry first for White-Box Works. It’s an unmatched achievement that we are immensely proud to highlight.”
