Brightsight has defined an evaluation approach in which service packages are combined and presented to take our customers smoothly through the Common Criteria (CC), EMVCo, and payment-brand-specific certification processes while minimizing risks, overall costs, evaluation time and time to market.
Common Criteria (ISO/IEC 15408) is the most widely recognized and comprehensive IT security standard in the world, and can be used to certify any IT system or device providing security functions. More than 25 countries participate in the mutual recognition scheme known as the Common Criteria Recognition Arrangement. A Common Criteria certification for an IC / Smart Card product is usually required for use of the product in national identification documents (e-Passport, national ID card) and other general-purpose applications. Typically, a security level of EAL4+ or higher is required for IC / Smart Card products.
If the application of your product will only be in the financial/payment industry, then it is probably sufficient to get an EMVCo certification. EMVCo is a joint venture of Visa, MasterCard, UnionPay, JCB, American Express, and Discover. Compared to a Common Criteria evaluation, an EMVCo evaluation concentrates on the security and the life cycle of the product and less on the formal documentation, which makes the evaluation usually shorter than a Common Criteria evaluation. EMVCo IC certification can be obtained for your IC product, and EMVCo platform certification for your smart card product.
Each payment brand has its own application, which is built on top of a smart-card platform. These payment-brand-specific applications also require security evaluations/certifications to ensure the security of the assets of the individual users. A security certification of the specific payment brand is required if your product is going to be used in the network of that payment brand. Brightsight is accredited by Visa, MasterCard, JCB, American Express, and Discover to perform security evaluations of their applications.
Brightsight is experienced in supporting developers in obtaining (their first) Common Criteria, EMVCo, and payment-brand-specific certifications for their products. We have created an approach consisting of three main parts:
The formal evaluation constitutes the Common Criteria, EMVCo, or payment-brand-specific evaluation with the involvement of a Common Criteria, EMVCo or payment brand certification body.
The approach is shown in the figure on a time axis. The services that are only relevant to Common Criteria evaluation/certification are marked in orange. Brightsight is able to support you at any stage of development and has a proven concept and track record in supporting you in getting the certifications while minimizing risks, overall costs, evaluation time and time to market.