GlobalPlatform Defines New Certification Model for Mobile Secure Elements
23 May 2011 - GlobalPlatform has released a cross-industry certification model, which defines the security evaluation necessary for secure elements with post-issuance capabilities to achieve certification from EMVCo and Common Criteria. The model developed in association with EMVCo, the EMV® payments standards body, and the GSMA, which represents the interests of mobile operators worldwide, will speed up the certification process and simplify the deployment of mobile secure elements offering a faster product time to market.
GlobalPlatform, the international organization which standardizes the management of applications on secure chip technology, has developed its Composition Model v1.0 for the benefit of application and product issuers, such as mobile network operators (MNOs) and financial institutions. The model establishes – for the first time – a streamlined methodology for addressing security requirements from different markets and re-using certification results of applications and secure elements that have previously been achieved. The resulting methodology, therefore, enables the telecom and payment industries to more easily test and redeploy mobile platforms and secure applications once they have been certified.
This first version of the model identifies the common certification process applicable to both EMVCo security evaluation and Common Criteria – the international standard for evaluating the security of products and systems. The model defines how to manage the security certification of any certified secure application – such as payment - and any certified secure element platform – for example a UICC. This optimizes the testing requirements of these certification bodies when a new secure application or a new platform is combined with a previously certified platform or application. Additionally, a specific methodology is proposed for loading applications with less stringent security requirements onto certified platforms without impacting the platforms’ certification.
The GlobalPlatform Composition Model v1.0 has been supported by the Association of French Mobile Operators (AFOM), the European Payments Council, the European Telecommunications Standard Institute (ETSI) and SIMAlliance. The document has also received a contribution from the International Security Certification Initiative.
Gil Bernabeu, GlobalPlatform Technical Director and Technical Advisor for the Standardization and Technology Department at Gemalto, comments: “GlobalPlatform recognizes that as more markets converge and multiple applications are delivered via a single device, streamlining the certification process is key to facilitating a manageable and profitable development process. Although industry bodies such as MNOs and payment organizations will remain responsible for certifying technology compliance, GlobalPlatform believes that adherence to the model and relevant security configurations will become commonplace. The industry engagement demonstrates the importance of common-cross certification processes, and we aim to address this need by creating further relevant models in the future.”
Sean Conroy, Chair of the EMVCo Board of Managers, adds: “EMVCo recognises that this composition model which addresses EMVCo security evaluation is a significant step forward for the contactless payments landscape, and will enhance EMVCo’s process in streamlining evaluations supporting mobile payments across all platforms. Working with other industry associations to align technology advancements of this nature is important to avoid redundancy and deliver a truly interoperable and secure mobile payments environment.”
“Establishing a UICC certification model for NFC services is an important step that is required to support the increasing roll out of commercial NFC services,” said Dr. Nav Bains, Senior Director, Mobile Money for the GSMA.
The GlobalPlatform Composition Model v1.0 aligns with applications based on Java Card™ and deployed using the GlobalPlatform UICC Configuration – the implementation guide for GlobalPlatform Card Specification v2.2 within the mobile services sector. The GlobalPlatform Composition Model v1.0 does not replace other methods of certification; it is a model for performing certifications that can be adopted at the discretion of the issuer. To download the document without charge visit: www.globalplatform.org.
GlobalPlatform is a cross industry, not-for-profit association which identifies, develops and publishes specifications which facilitate the secure and interoperable deployment and management of multiple embedded applications on secure chip technology. Its proven technical specifications are regarded as the international industry standard for building a trusted end-to-end solution which serves multiple actors and supports several business models.
The freely available specifications provide the foundation for market convergence and innovative new cross-sector partnerships. The technology has been adopted globally across finance, mobile/telecom, government, healthcare, retail and transit sectors. GlobalPlatform also supports an open compliance program ecosystem to ensure the long-term interoperability of secure chip technology.
As a member-driven association with cross-market representation from all world continents, GlobalPlatform membership is open to any organization operating within this landscape. Its 60+ members contribute to technical committees and market-led task forces. www.globalplatform.org.