Download American Express EMV Certification Guide...
AMERICAN EXPRESS EMV CERTIFICATION GUIDE V2.8
Revision History Version name Revision V2.3
Version date October 2003
Commentary/reason for revision a) EMV Certification Guide V2.3 replaces American Express EMV Acceptance Manual V2.2 b) The EMV Certification Request form, covering both device & E2E requirements, will be issued as a separate document & not included as an Appendix to this document c) Terminal Parameters Information Pack: V1.0 July 2003 included as an Appendix d) Other changes in line with current American Express EMV processes
Revision V2.4
February 2004
a) EMV Certification Guide V2.4 has been produced to reflect the streamlined certification process and replaces American Express EMV Acceptance Manual V2.3 b) The EMV Certification Request form, covering both device & E2E requirements, will be issued as a separate document & not included as an Appendix to this document c) Terminal Parameters Information Pack: V1.0 July 2003 included as an Appendix d) Other changes in line with current American Express EMV processes
Revision V2.5 Revision V2.6
May 2004 June 2004
Revision V2.7
July 2004
Revision V2.8
July 2004
a) Removal of ‘Terminal Parameter’ appendix a) Editorial clarifications b) Formatting changes a) Addition of header note explaining the need for testers to use identical kit in conditions that exactly replicate the live environment b) Removal of reference to Electronic Business Guide under Submissions Testing section a) Editorial clarifications
AmeX EMV Certification Guide V2.8.doc
CONTENTS 1 Introduction.................................................................................................................................. 3 1.1 Certification and why it is necessary 3 1.2 American Express Certification Process 4 2 Target Audience........................................................................................................................... 4 3 Glossary ....................................................................................................................................... 5 4 American Express EMV Acceptance .......................................................................................... 6 4.1 AEIPS (American Express ICC Payment Specification) 6 4.2 How do I obtain AEIPS? 6 4.3 EMEA EMV Authorisation 6 4.4 EMEA EMV Submission 6 4.5 Terminal parameters and CAPKs (Certification Authority Public Keys) 6 4.6 The Certification Process 6 4.7 When do I need to certify my EMV solution? 7 5 American Express EMV Authorisation Certification.................................................................. 8 5.1 Authorisation Certification Process / sample time frame 8 5.2 Pre-requisites 9 5.3 Requesting certification 9 5.4 Authorisation Certification 10 5.5 What Tests do I need to perform? 10 5.6 Authorisation testing 10 5.7 Test Fails 10 5.8 Test Passes 10 5.9 What do I do now? 10 6 American Express EMV Submissions Testing.......................................................................... 12 6.1 Testing Process 12 6.2 Pre-requisites 13 6.3 Requesting submissions testing 13 6.4 What Tests do I need to perform? 13 6.5 Submission certification Fails 13 6.6 Submission certification Passes 14 6.7 What do I do now? 14 6.8 What do I do when I achieve Approval status? 14
AmeX EMV Certification Guide V2.8.doc
Important Note: In describing the following EMV certification process American Express assumes that in all cases testers are not emulating part or all of the merchant's POS/IPOS system but are using the identical hardware/software that will be used in the merchant's live system and that the transaction is routed using identical connection methods and the same equipment where applicable, e.g. the merchant host. Unless informed otherwise American Express assumes that all testing will be carried out at the merchant’s site – if this is not the case please inform the EMV Certification Unit via
[email protected].
1 Introduction American Express understands the complexity of EMV acceptance, the EMV specifications, and the work required by companies to bring products to market or upgrade their Point of Sale (POS) environment. American Express is keen to make the development of EMV acceptance on the POS as straight forward as possible. To this end, American Express has a certification process and supporting documentation.
1.1 Certification and why it is necessary The purpose of American Express certification is to ensure interoperability between EMV cards, terminals and the authorising and switching host systems, not only within a given market but internationally. By having an American Express certified product in the marketplace, you are ensuring this interoperability to your customers. Certification is a process for testing conformance with a pre-defined specification or set of requirements. The card industry has a strong interest in certification to uphold the following tenants of the industry: 1. To support the card brand by delivering confidence to merchants and cardmembers that transactions by chip and pin (EMV) will work as expected. 2. To deliver interoperability so that cards issued in one part of the world successfully complete transactions in POS terminals or merchant POS systems in another part of the world, with no prior engagement between the card issuer and the developer/acquirer of these systems. 3. To provide future proofing for the card issuer. Successful EMV certification of the Point of Sale terminal gives the card issuer the confidence that changes made to EMV card applications, residing within the architecture of EMV, will successfully function at existing points of sale, without further testing. Without a strong EMV certification programme we would expect to find many processing issues at the point of sale, which would negatively impact both our cardmembers and merchant customers.
AmeX EMV Certification Guide V2.8.doc
EMV is highly complex and contains many different processing options from which the card issuer can select. The POS terminal supports these options and effectively makes EMV work. It interacts with the card at the application level (to select an application and process the transaction according to the needs of the application) and with both the cardmember and merchant via terminal and pin pad messages and receipts. It also handles the online interface to the acquirer/issuer. To implement EMV effectively, we need a rigorous approach to EMV certification. American Express requires EMVCo Level 1 and Level 2 approval as a pre-requisite for building American Express EMV functionality. This should reduce the likelihood of problems occurring during certification. This document describes the procedures and related information required to complete EMV certification approval for card accepting devices.
1.2 American Express Certification Process Certification for the acceptance of American Express EMV payment transactions is split into two distinct processes: 1) Authorisation certification 2) Submission testing Authorisation certification includes a number of off-line and online tests between a POS device and American Express test cards to test the terminal application and to ensure that the device handles and operates American Express cards correctly. In addition the process tests the end-to-end EMV transaction process and ensures that the correct messages are being passed to the cards through the acceptance and issuer systems. This is the American Express equivalent to the EMVCo Level 2 certification. Submission testing is to ensure EMV transactions can be sent to American Express in the correct message format, through the acceptance systems. This is required by any merchant or third party submitting transactions to American Express. These tests are to be executed by the vendor normally, but occasionally we may request a sample device to be provided to execute these tests ourselves. By adopting the procedures within this document, you will be able to have your new EMV device or acquiring software product certified by American Express.
2 Target Audience The target audience for this document are POS device vendors, host system developers, merchants and third parties who wish to obtain American Express EMV certification for their products. Additionally this document targets Acquiring banks and processors that process transactions on behalf of American Express.
AmeX EMV Certification Guide V2.8.doc
3 Glossary AAC AEIPS AC AFL AID AIP ARPC ARQC AUC CAPK DDA EMV EMVCo
End-to-end Certification IAC ICC IIN LCOL NDA PAN PIN POS PSE SDA Self test TC Tester
Application Authentication Cryptogram American Express ICC Payment Specification Application Cryptogram Application File Locator Application Identifier Application Interchange Profile Authorisation Response Cryptogram Authorisation Request Cryptogram Application Usage Control Certificate Authority Public Key Dynamic Data Authentication Europay Mastercard Visa EMVCo, LLC formed in February 1999 by Europay International, MasterCard International and Visa International to manage, maintain and enhance the EMV™ Integrated Circuit Card Specifications for Payment Systems. Also known as acquirer certification Issuer Action Codes Integrated Chip Card Issuer Identification Number Lower Consecutive Offline Limit Non-Disclosure Agreement Primary Application Number Personal Identification Number Point Of Sale Payment Systems Environment Static Data Authentication American Express provide the tools to allow the testing to be performed by the tester Transaction Certificate The person who participates with Amex to execute the certification process for Vendor/Merchant/nominated third party
AmeX EMV Certification Guide V2.8.doc
4 American Express EMV Acceptance 4.1 AEIPS (American Express ICC Payment Specification) American Express complies with the global EMV specifications for EMV payment transactions. AEIPS is American Express’s EMV payment specification. The purpose of AEIPS include detailing the American Express (and American Express entities) specific requirements where variations are allowed within EMV, when implementing EMV (ICC) technology. AEIPS is primarily a technical specification, but it also states the business requirements that the technical solutions address.
4.2 How do I obtain AEIPS? If you wish to obtain the AEIPS documentation please contact your American Express representative.
4.3 EMEA EMV Authorisation American Express supports national message standards for authorisation of transactions. For information on what authorisation standards are supported in a particular country, please contact your local American Express representative.
4.4 EMEA EMV Submission American Express supports national message standards for submission of charges and its own submission formats. For information on what submission standards are supported in a particular country, or situation, please contact your local American Express representative. Part of our certification process includes a submission test.
4.5 Terminal parameters and CAPKs (Certification Authority Public Keys) All terminal parameters, CAPKs and CAPKs related information are covered in the TERMINAL PARAMETERS document issued as part of the test pack components. If these settings are required prior to entering the formal approvals phase please contact
[email protected] who will provide the necessary information.
4.6 The Certification Process The certification process follows a number of distinct steps. All of these must be executed, in order, to complete a certification for American Express card acceptance. AmeX EMV Certification Guide V2.8.doc
1 2 3 4
Completion of EMVCo Level 1 and Level 2 certification American Express Authorisation Certification (offline & online EMV and magnetic stripe tests) Submissions testing American Express issues a certification letter when all of the above steps have been completed. This concludes the certification process Please note: American Express provide the tools to allow the Vendor/merchant/ nominated thirty party (from here on referred to as tester) to perform the testing.
4.7 When do I need to certify my EMV solution? The ‘EMV solution’ requires certifying prior to deployment and the acceptance of American Express branded cards. The software components within a POS terminal applicable to certification are the terminal application and the EMV kernel •
Terminal application. This provides the transaction processing software for handling the authorisation request, refund transaction etc, interfaces with the drivers for the peripherals (i.e. screen display, printer, pin pad etc) and handles the acquirer message interface.
•
The EMV kernel. This provides the EMV capability and may be developed by the vendor or bought in from another supplier.
Note: When we certify a terminal we are certifying one implementation of each of the above components, effectively as a black box. As we are not aware of where the boundary lies between the individual software components, we can only certify the complete software package. Therefore a change to the POS terminal application software and/or the EMV kernel would require re-certification.
AmeX EMV Certification Guide V2.8.doc
5 American Express EMV Authorisation Certification 5.1 Authorisation Certification Process / sample time frame Detailed below is the process flow for American Express EMV certification. This diagram is an overview of the testing process. The boxes indicate the steps taken for American Express EMV certification, who executes the step (Tester or American Express) & provides a sample time frame. Tester
1. Certification information is requested from the American Express representative.
Direction
American Express
Sample time frame
2. American Express representative sends certification procedures document and EMV Certification Request form.
3. Tester completes the EMV Certification request form and returns this to the American Express representative. 4. EMV Certification Unit reviews the Certification Request form and provisionally schedules testing slots for testing. EMV Certification Unit contacts the Tester and provides test plan, ICCSim test scripts (or ICCSim cards) and White Plastic cards needed to perform certification. Note: Test Cards will be issued shortly before the confirmed testing slot. 5. Tester reviews scripts and information to be submitted for certification and raises any questions on content or process. 6. Tester uses cards/scripts to prepare their device/systems for certification. Tester configures POS terminal with appropriate parameters. Tester performs a successful communication link test to Amex EMV test environment 7 Tester confirms the testing slot with EMV Certification Unit giving two weeks notice. 8. Tester executes test scripts as per agreed schedule. When all tests have passed, tester collates the information we require for certification and returns completed scripts (or cards), receipts, display messages etc. All test output for each section (offline, online chip & pin, magnetic stripe) must be returned in one batch.
Week 1
Week 2 EMV Certification Unit provides the tester with support as required Week 2 EMV Certification Unit provides the tester with support as required
EMV Certification Unit issues ICCSim cards and White Plastic cards for testing.
Week 2
EMV Certification Unit provides the tester with support as required
Week 3, 4
AmeX EMV Certification Guide V2.8.doc
10 Tester fixes faults and re-tests with American Express. 12. Vendor/Merchant receives certificate allowing them to accept American Express EMV transactions using their EMV components, and returns signed copy.
9. EMV Certification Unit validates test results, communicates outcomes; issuing certificate (action 12) if no faults or queries found & if submissions tests are not required (if they are please refer to Section 6 – Submissions Testing). If faults are found errors are returned to tester with list of issues 11. When no faults are found in transaction scripts or submission details, the device / EMV kernel is certified and a certificate is sent to the tester.
Week 5
Variable: Timescales dependant outcome of review between tester & Amex.
The time frame indicated in column 4 of this process flow is a sample only. Your American Express EMV certification representative will discuss time frames and schedules with you in more detail. The timings in this process flow are dependent upon the testing being completed according to agreed schedules, thereby allowing the results to be reviewed by American Express during the pre-arranged time slots. Please ensure that slots are booked as early as possible and that your American Express representative is informed of any changes to submission dates.
5.2 Pre-requisites Before the authorisation testing begins, the following must be in place: 1. The POS device or other EMV kernel has been upgraded to support EMV transaction data. 2. POS Device or EMV kernel processing has EMVCo Level 1 and level 2 certification. 3. The POS device is configured with American Express terminal parameters. 4. The American Express test host is available for EMV testing. 5. End-to-end certification test slots are agreed between the tester and American Express. 6. It is essential that a communications test to our test system has been completed. American Express will not normally issue a Certification approval letter (which allows the acceptance of American Express EMV transactions) until the submission route for the EMV transactions has been certified. (Reference Section 6 on EMV submission testing.)
5.3 Requesting certification Authorisation Certification is initiated by completing the EMV Certification Request form, which can be obtained from your American Express representative. Once you have sent this form to American Express, it will be reviewed for accurate completion.
AmeX EMV Certification Guide V2.8.doc
You will be forwarded the authorisation certification Pack. This will include the test plan and cards, as required, so that the Tester can prepare for the certification.
5.4 Authorisation Certification Authorisation certification involves testing the transaction between the POS device and American Express test authorisation host. Normally the tests can be executed at anytime, without prior notification, using our special test host facility. For authorisation certification on POS terminals the device is self-tested.
5.5 What Tests do I need to perform? The tests in the end-to-end Certification are split up into various sections: • • • •
Offline Tests - There are approx 30-40 test scripts but the exact number will vary from time to time, depending on industry requirements. Generic Online Tests – These Chip & Pin tests must be completed in all certifications. There are approx 20-30 test scripts, again the number will vary from time to time. Market specific Online Tests – Only the tests relative to the specific market of the systems / device being certified need to be performed, therefore, the number will vary. Mag Stripe regression tests – there are approximately 30 test scripts, depending on the specification of the device under test.
5.6 Authorisation testing During testing the tester will run through the test plan using the test scripts, the ICCSim test cards/or the ICCSim tool and the white plastic test cards. Once these are completed, the tester passes the ICCSim card result logs and the completed test plan (with device transaction display information and relevant EMV transaction logs provided and receipts attached) to American Express for review. If the ICCSim test cards are supplied by American Express, they must be returned as they form part of the results needed for review.
5.7 Test Fails If the testing fails for any reason all fault reports will be sent to you together with any logs and appropriate evidence. A re-testing slot will then be arranged.
5.8 Test Passes Upon successful completion of all internal test scripts and submissions testing an approval certificate will be issued to the Tester.
5.9 What do I do now? •
Contact your local American Express representative for all the supporting documentation. AmeX EMV Certification Guide V2.8.doc
• Read and complete the EMV Certification Request form • Submit the EMV Certification Request form to your local American Express representative. • Perform a communications test with our test system • Arrange a test slot with American Express • Follow the authorisation test plan and use the cards supplied Note: Following authorisation certification, submissions testing would normally be completed. After completion of these steps your EMV implementation would be certified for American Express EMV processing.
AmeX EMV Certification Guide V2.8.doc
6 American Express EMV Submissions Testing This is required of all submitters of American Express transactions The correct submission of EMV data is very important to the whole process of EMV acceptance and certification. American Express would not normally complete end-to-end authorisation certification until EMV submissions testing has been completed successfully.
6.1 Testing Process The testing process for EMV submission fil B* s detailed below: Tester
Direction
American Express
1. Tester contacts American Express representative to request Submissions testing. For the UK the submissions format specification is available in the Electronic Business Guide (EBG)
2. The American Express representative collects relevant submission information from the tester.
3 The tester develops their systems to handle the new submission format
4 American Express representative contacts the tester to
The tester performs a satisfactory submissions test via the submissions test link with American Express
a) set up the submission test link and
5. Tester sends submission test file to American Express at the confirmed time.
6.American Express receives test file in the test submission system
If required, Tester fixes faults and resubmits a submission test file at a confirmed time
8 Vendor/merchant receives certificate allowing them to accept American Express EMV transactions using their EMV components, and returns signed copy.
b) arrange for the submission of test file.
American Express reviews and validates the submission test file providing feedback to tester
7 Once the certification processes for device, end-to-end authorisation and submissions are completed satisfactorily by the tester, an American Express EMV certification approval letter is issued to the vendor/merchant
*1 For the UK there is more detail on certification testing in the ‘Electronic Business Guide’ AmeX EMV Certification Guide V2.8.doc
6.2 Pre-requisites There are several pre-requisites to the submission testing, one of the most significant being that the test transactions are generated using a POS device that has already received American Authorisation certification (EMV and mag stripe). Before the submissions testing can begin, the following must be in place: 1. The POS device or other EMV kernel has been upgraded to support EMV transaction data. 2. POS Device or EMV kernel processing has EMVCo Level 1 and level 2 certification. 3. Transactions are generated using a POS device or EMV kernel that has passed American Express EMV Authorisation certification. 4. The American Express test host is available for EMV testing. 5. Submissions certification test slots are agreed between tester and American Express. Note: It is essential that a communications test to our test system is completed before submission testing commences. American Express will not issue our Certification letter which allows the acceptance of American Express EMV transactions until the submission route for the EMV transactions has been tested satisfactorily.
6.3 Requesting submissions testing Submissions testing is initiated by your American Express representative who will contact you to collect relevant submission information. Your representative will later contact you to set up test links and arrange submission of test file.
6.4 What Tests do I need to perform? We would prefer the submission file to be created from the tests carried out during authorisations certification. If this is not possible please contact your American Express representative. Please notify your American Express representative before sending the submission file via your submission test link.
6.5 Submission certification Fails Your American Express representative will provide you with a fault report. For minor changes we require you to re-submit within 48 hours. If the changes are more complex an indication of the time frame required to fix and resubmit is requested.
AmeX EMV Certification Guide V2.8.doc
6.6 Submission certification Passes End-to-end certification approval will not be given to any tester until the submission route for the EMV transactions has been completed. Upon successful completion of all internal end-to-end test scripts and submissions testing an approval certificate will be issued to the Vendor/merchant.
6.7 What do I do now? •
Wait to be contacted by your American Express representative who will collect submissions information from you. • Complete any technical development required to handle the new submission format • As confirmed with American Express perform a submission link test • Send submissions test file in a timeframe agreed with the American Express representative. Note: once we have received a valid test submission file and all other test processes are completed an endto-end Certification Approval will be issued to the vendor/merchant
6.8 What do I do when I achieve Approval status? • •
Return a signed copy of your approval letter Remember to use your live authorisation NUA, live merchant number & live keys
AmeX EMV Certification Guide V2.8.doc