EMV Certifications - Context, Purpose and Responsibility
EMV (Europay, Mastercard and Visa) certification is a governing process that determines the security criteria for all payment acceptance systems. EMV Certification is a process that verifies the compliance of a payment terminal or device with EMV standards and ensures that the terminal is capable of securely processing EMV chip card transactions. This includes both physical payment terminals and SoftPOS technology. EMV certification is essential for businesses that accept card payments and want to provide their customers with a secure payment experience.
EMV certification is categorised into different levels – each representing a specific set of requirements and capabilities, focusing on different aspects of the payment terminal’s functionality and security.
During the certification process, the payment terminal is tested to ensure that it meets various requirements, such as supporting chip card reading, encryption and secure communication protocols. The certification involves rigorous testing by accredited laboratories or certification bodies to ensure the terminals compliance with EMV standards.
Types of Testing
The three different levels of testing required apply to different contexts and have different purposes. Because of this, different parties are responsible for ensuring that they are compliant against that test.
Level 1 (L1) – Hardware Testing Certification (Terminal Integration Process)
Context: Payment devices have a clear specification as to how they should process payments and read different methods of payment e.g. a magstripe to swipe your card, a chip to insert your card or a chip to perform a contactless payment.
Purpose: L1 tests to ensure that the hardware protects the keys adequately, that the card readers behave as expected and adhere to the hardware requirements set out by EMVCo.
Responsibility: This certification is the responsibility of the Hardware Device. The L1 certification is waived for SoftPOS vendors as most commercial devices that are used for SoftPOS would not achieve an aspect of the certification, specifically relating to proximity of a contactless payment. Other policies and procedures are required by SoftPOS vendors to deal with attestation, monitoring and device integrity.
Once the hardware passes the Level 1 certification, it is EMV-compliant at the hardware level and will proceed to Level 2 certification.
Level 2 (L2) – Functional Testing Certification (Kernel Integration Process)
Context: Each payment scheme as adapted the EMV specifications for how a payment kernel should perform. The payment kernel needs to perform the payment logic in the exact sequence that the card scheme has prescribed. Each card scheme has slightly different logic and rules for how they expect a card payment to be created, signed and verified. You can either develop your own kernel to process a scheme card, or you can make use of a scheme kernel and simply integrate it. But this does mean that you need to integrate a different payment kernel for each card scheme and certify each of them. When a new card scheme kernel is added to the device or software, an L2 certification needs to be completed to ensure that the EMV kernel functions correctly.
Purpose: The L2 Certification tests to ensure that each payment kernel within the payment application functions as required by its respective card scheme specifications.
Responsibility: The L2 certification is the responsibility of hardware vendors or software vendors to achieve. They develop and test the EMV kernel that runs on the device and ensure that it functions correctly.
By completing the L2 certification, it means the device’s EMV software meets the necessary standards and can handle and process EMV transactions.
Level 3 (L3) – End to End Testing
Context: The L3 certification focuses on end-to-end testing, focusing on the integration of the payment solution’s EMV software with specific payment applications and payment networks. This needs to be performed once the payment solution has been embedded in the final application used by merchants.
Purpose: The certification is done to ensure that the app is secure, that payment kernels work as expected and the end-to-end flow of payment data is validated.
Responsibility: The application owner is responsible for performing the L3 testing in conjunction with the acquirer. Successfully completing an L3 certification means that the device is ready for deployment and can confidently process EMV transactions.
The three levels of EMV Certifications ensure that the payment device and software adhere to the EMV standards – including the hardware (waived for SoftPOS providers), the software to process payments and the integration with payment applications and networks. For more information on our regulatory compliance at Halo Dot, contact us at sales@halodot.io.