EMV card payment scheme certification for transit
Here are some pointers if you are considering adding EMV contactless payments to your transit scheme.
The process to bring a new EMV card scheme / payment network on to your ecosystem can sometimes be a complicated and drawn-out process. Certification is required from the card schemes and card acquirer, so it is important to ensure that time for this is built into any delivery program.
At times, programs may struggle to determine which certifications are required, when they are required and which party to secure them from. To assist, we have set out the levels of testing required below:
- Level 1 testing and certification ensures the device meets the communication protocol requirements, card proximity tests, frequency band tests etc. It is the responsibility of the device hardware supplier to seek certification from EMVCo.
- Level 2 testing and certification concerns validation of the software that implements the payment functionality (the relevant software kernel) on the Level 1-certified device. It is the responsibility of the device software supplier to seek certification from EMVCo.
- Level 3 testing and certification ensures that the configuration of the software on that device meets the requirements of a particular brand / scheme. It is effectively end-to-end testing of the hardware, software and integration. It is dependent on Level 1 and Level 2 certification having been secured. It is typically sought by the agency or their integrator from the card acquirer.
For the purposes of this article, we will assume the chosen device has already achieved both Level 1 (hardware) and Level 2 (software kernel) EMV certifications from EMVCo.
The typical schemes to certify for Level 3 could include Mastercard, Visa, American Express, Discover, JCB and UnionPay. For transportation agencies, Level 3 testing will equate to between 20-30 tests that will need to be performed for each scheme. The number of tests may be lower because transit devices generally do not have a keypad / pin entry and the maximum charge is relatively low.
Running the required certification tests will require multiple test cards that can be used for different test scenarios and a connection to the scheme’s test systems. Each scheme will generally only supply a small set of standard test cards (if at all), making it difficult to achieve Level 3 certification without access to a specialist card emulation tool.
The two main options here are:
- To purchase the toolset required yourself (which can be expensive) and have your staff trained to operate;
- Engage a specialist organisation on a with the experience and tooling to undertake the testing on your behalf.
Once the test-set is agreed, it will generally take several test iterations to get all required configuration correct. You should assume this will be a 2-4 week process per scheme as you will need to wait for scheme feedback for each run. There may also be some dialogue required for clarification on issues raised.
Once the certification process is complete, the scheme will issue a Letter-of Approval (LoA). This can be several weeks after testing has completed. In some situations, waivers may need to be negotiated allowing you to proceed on condition that any remaining issues are resolved in an agreed timeframe. This LoA will then allow you to go live and connect to their production systems. It is worth noting that this LoA will have an expiry date which may be less than 12 months away. It is therefore imperative to keep on top of this to ensure you remain compliant after the project has completed.
From experience, we would advise allowing at least three months for Level 3 certification to ensure there is adequate time in your project schedule and that the process is commenced early enough to meet the planned go-live dates.
If you would like to know more, please reach out to Osmodal group.