Getting Common Criteria, EMVCo or payment-brand-specific certification for your product

I need a certification for my IC/Smart Card products

Brightsight has defined an evaluation approach that combines service packages to take our customers smoothly through the Common Criteria (CC), EMVCo, and payment-brand-specific certification processes while minimizing risks, overall costs, evaluation time and time to market.

Fields of expertise

  • Financial Industry
  • Identification
  • Transportation
  • Secure Element
  • USIM

Some of our customers

  • DMT
  • G&D
  • Feitian
  • NXP
  • SHHIC
  • SONY
  • TOSHIBA

The process of getting a certificate

Common Criteria Certification

Common Criteria (ISO/IEC 15408) is the most widely recognized and comprehensive IT security standard in the world, and can be used to certify any IT system or device providing security functions. More than 25 countries participate in the mutual recognition scheme known as the Common Criteria Recognition Arrangement. A Common Criteria certification for an IC / Smart Card product is usually required when the product is used in national identification documents (e-Passport, national ID card) and for other general-purpose usages. Typically, a security level of EAL4+ or higher is required for IC / Smart Card products.

Official website Common Criteria

EMVCo certification

If your product will be used only in the financial/payment industry, then it is probably sufficient to get an EMVCo certification. EMVCo is a joint venture of Visa, MasterCard, UnionPay, JCB, American Express, and Discover. Compared to a Common Criteria evaluation, an EMVCo evaluation concentrates on the security and the life cycle of the product and less on the formal documentation, which usually makes it shorter than a Common Criteria evaluation. EMVCo IC certification can be obtained for your IC product, and EMVCo platform certification for your smart card product.

EMVCo security evaluation website

Certification of specific payment brand

Each payment brand has its own application, which is built on top of a smart-card platform. These payment-brand-specific applications also require security evaluations/certifications to ensure the security of the assets of the individual users. A security certification from the specific payment brand is required if your product is going to be used in the network of that payment brand. Brightsight is accredited by Visa, MasterCard, JCB, American Express, and Discover to perform security evaluations of their applications.

Brightsight service scope

Brightsight is experienced in supporting developers in obtaining their (first) Common Criteria, EMVCo, and payment-brand-specific certification for their products. We have created an approach consisting of three main parts:

Customised training

  • Smart Card security training
  • CC training
  • CC evidence and documents training

Pre-evaluation

  • Design and / or code review
    The goal of the design review is to identify potential weaknesses in the security architecture of the IC / Smart Card at an early stage.
  • Document review
    The goal of the document review is to evaluate the completeness of content, the presentation and the readability of the CC evidence.
  • Pre-testing
    The goal of the pre-testing is to assess in depth the real-world strength of the security functionality and countermeasures, and to see how the product responds to real state-of-the-art attacks.
  • Site pre-audit
    The goal of the site pre-audit is to explore the gap between the current security level of the site and the JIL Minimum Site Security Requirements, and to draw up a concrete proposal of the steps needed to get the site ready for a formal site audit evaluation.

Formal evaluation

The formal evaluation constitutes the Common Criteria, EMVCo, or payment-brand-specific evaluation with the involvement of a Common Criteria, EMVCo or payment brand certification body.

The approach is shown in the figure on a time axis. The services that are only relevant to Common Criteria evaluation/certification are marked in orange. Brightsight is able to support you at any stage of development and has a proven concept and track record in helping you obtain the certifications while minimizing risks, overall costs, evaluation time and time to market.