Organizations Join Forces to Launch a Cross-Industry Certification Model for Smart Cards with Post-Issuance Functionality
17 November 2009 – EMVCo, GlobalPlatform and the GSM Association (GSMA) have announced plans to develop a common, cross-industry certification model for secure elements with post-issuance capabilities. The aim is to simplify and speed up testing processes for pre-certified applications and certified UICC platforms, when they are redeployed.
The EMV standards body EMVCo, the international smart card infrastructure body GlobalPlatform, and global telecoms association the GSMA, have agreed to work together to define functional and security requirements for a common certification process. The resulting document will enable Mobile Network Operators (MNOs) and the payments industry to develop cross-industry certification schemes, for mobile platforms and payments applications respectively.
When fully developed and operational, these schemes will work together to ensure that any certified payment application will work with any certified UICC platform, reducing the incidence of certification failures when new application / platform combinations are subsequently added for testing.
The result will be significantly reduced testing and development costs and a faster time to market. Additionally, no further certifications will be necessary when loading applications with less stringent security requirements onto new UICC platforms.
The activity has been welcomed by the Association of French Mobile Operators (AFOM), the European Payments Council, the European Telecommunications Standards Institute (ETSI) and SIMalliance.
GlobalPlatform has been chosen to lead the initiative due to its cross-industry technical expertise. Gil Bernabeu, GlobalPlatform’s Technical Director, explains: “With an increasing number of parties delivering smart card solutions combining multiple applications from different sectors, the certification model will streamline testing requirements across the advancing smart card ecosystem. We believe that the creation of the model will increase overall market confidence. Although industry bodies such as MNOs and payment organizations will remain responsible for certifying technology compliance, GlobalPlatform hopes that adherence to the model and relevant security configurations will become commonplace.”
Brian Byrne, Chair of the EMVCo Board of Managers, comments: “A common type approval approach for contactless mobile payment UICCs will avoid redundancy and conflicting efforts between different parties with approval authorities and interests. We see this as a natural extension of EMVCo’s commitment to provide a globally interoperable acceptance environment for secure payments. Our participation is aimed at ensuring the resulting type approval process is not only cost-effective and efficient, but that it is secure and flexible enough to meet the requirements of the payment and telecommunications industries.”
“Developing a UICC certification model for NFC services, that is cost effective and results in a short time to market will be critical for the commercial rollout of mobile NFC services worldwide”, adds Alex Sinclair, Chief Technology Officer, GSMA.
AFOM has indicated its intent to incorporate in the existing UICC Protection Profile the necessary items from the common industry certification model once it has been developed.
** Enquiries will be re-directed to the appropriate association**
NOTES TO EDITORS:
Quotes from the supporting associations:
Association of French Mobile Operators (AFOM):
Mr Danjou, Managing Director of AFOM, comments: “All three French MNOs deal with the security of their SIM cards according to a common security model elaborated inside AFOM. They directly address the different risks related to the future opening up of SIM cards to multiple stakeholders and joined their efforts to produce AFOM Protection Profile for (U)SIM. Its CC certification is currently on-going by an independent lab. AFOM will monitor the evolution of the document in 2010, in order to deliver a new version that will be interoperable with private security schemes.”
European Payments Council (EPC)
Dag-Inge Flatraaker, Chair of the EPC M-Channel Group, comments: “This initiative fully supports the objectives of the EPC as regards the creation of a standardized and interoperable environment for mobile payments. The composite certification will improve the timeliness of the approval process and ease related procedures for banks and payments service suppliers. This initiative allows the banks to manage and control the security of their applications when operating in the mobile payments environment.
European Telecommunications Standards Institute
Dr Klaus Vedder, Giesecke & Devrient GmbH, Chairman of the ETSI Smart Card Platform, comments: “ETSI is very happy to support this activity as the UICC, the smart card platform specified by its Technical Committee SCP, has been developed all along with the aim to support cross sector usage. Of the billions of SIMs distributed to the mobile communications market quite a number support payment and other applications using certified solutions.”
“SIMalliance welcomes this step forward for the industry. Dissociating the certification of the platform from the application is a great initiative to not only accelerate the development and deployment of applications especially in multi-issuer environments but also avoid technology fragmentation,” says Michel Canitrot, Chairman of the Board – SIMalliance. “It is a guarantee for the issuer that whatever the platform the application will be deployed seamlessly and securely. NFC is typically a use case where this guarantee is essential for mass market deployment!” he adds.
About the Association of French Mobile Operators (AFOM):
AFOM was created in 2002 by the French MNOs, then joined by nine new members (MVNOs). AFOM deals with societal and non commercial issues concerning mobile telephony and calling for collective response on the part of mobile phone operators. It defines with them responsible practices on these issues and keeps the public informed about them. It liaises with the competent institutions and represents the industry’s point of view on subjects concerning mobile phone regulation.
AFOM Protection Profile has been developed inside the Security Group, gathering all French MNOs, whose dedicated mission is mainly two-fold:
- Specifying recommendations ensuring a minimum security level common to all French MNOs;
- Defining security specifications enabling the opening up of the SIM to various stakeholders, with a view to a secure and coordinated roll-out of contactless services on mobiles phones and mobile transactions.
EMVCo LLC was formed in February 1999 by Europay, MasterCard and Visa to manage, maintain and enhance the EMV™ Integrated Circuit Card Specifications for Payment Systems. With the acquisition of Europay by MasterCard in 2002, JCB joining the organisation in 2004 and American Express becoming its fourth member in 2009, EMVCo is currently operated by American Express, JCB, MasterCard and Visa. EMVCo’s primary role is to manage, maintain and enhance the EMV Integrated Circuit Card Specifications to ensure interoperability and acceptance of payment system integrated circuit cards on a worldwide basis.
EMVCo also maintains type approval processes for terminal compliance testing and Common Core Definitions (CCD) and Common Payment Application (CPA) card compliance testing. These testing processes ensure that a single terminal and card approval process is developed at a level that will allow cross payment system interoperability through compliance with the EMV specifications. Additional information can be found at www.emvco.com.
About the European Payments Council
The European Payments Council (EPC) is the decision-making and coordination body of the European banking industry in relation to payments. The EPC defines common positions for core payments services, provides strategic guidance for standardisation, formulates best practices and supports and monitors implementation of decisions taken. The EPC consists of 74 members comprising banks and banking communities. More than 300 professionals from 32 countries are directly engaged in the work programme of the EPC, representing all sizes and sectors of the banking industry within Europe.
The EPC develops the payment schemes and frameworks necessary to realise the Single Euro Payments Area (SEPA). SEPA is an EU integration initiative in the area of payments designed to achieve the completion of the EU internal market and monetary union. SEPA is the area where citizens, companies and other economic participants can make and receive payments in euro, within Europe, whether within or across national boundaries under the same basic conditions, rights and obligations, regardless of their location. SEPA is currently defined as consisting of the EU 27 member states plus Iceland, Norway, Liechtenstein, Switzerland and Monaco.
For further media information, please contact Meral Ruesing at the EPC Secretariat:
firstname.lastname@example.org or on +32 2 733 35 33.
About European Telecommunications Standards Institute (ETSI)
ETSI produces globally-applicable standards for Information and Communications Technologies (ICT), including fixed, mobile, radio, converged, aeronautical, broadcast and internet technologies and is officially recognized by the European Union as a European Standards Organization. ETSI is an independent, not-for-profit association whose 766 member companies and organizations, drawn from 63 countries across 5 continents worldwide, determine its work programme and participate directly in its work.
For more information please visit: www.etsi.org.
GlobalPlatform is the global leader in smart card infrastructure development and its proven, technical specifications for cards, devices and systems are known as the standard for smart card infrastructure.
GlobalPlatform is a member driven association with cross-industry representation from all world continents. For further information visit: www.globalplatform.org.
About GSM Association
The GSMA represents the interests of the worldwide mobile communications industry. Spanning 219 countries, the GSMA unites nearly 800 of the world’s mobile operators, as well as more than 200 companies in the broader mobile ecosystem, including handset makers, software companies, equipment providers, Internet companies, and media and entertainment organisations. The GSMA is focused on innovating, incubating and creating new opportunities for its membership, all with the end goal of driving the growth of the mobile communications industry.
About SIMalliance: Putting the SIM at the heart of the new mobile eco-system
Over the past five years SIMalliance has become one of the world’s foremost commentators in the mobile business. By operating outside the singular commercial interests of any individual SIM card player, the association has been able to pinpoint the mission critical services on the horizon and help steer their development to meet the practical needs of the mobile market.
With SIMalliance members* now responsible for nine in every ten SIM cards sold worldwide, the collective vision of the association is uniquely placed to shape SIM developments and the impact they will have on the new generation of mobile services. From their standpoint, the challenge couldn’t be clearer for the protagonists in the mobile eco-system. For further information visit: www.simalliance.org.
*SIMalliance members are: Datang, Eastcompeace, Gemalto, Giesecke & Devrient, Incard, Oberthur Technologies, Prism, Sagem Orga, SanDisk, Watchdata and Wuhan Tianyu
*SIMalliance strategic partners are FCI & Movenda
For further media information, please contact Stephanie de Labriolle, Marketing Consultant email@example.com or on +33 6 85