Certification is the process of evaluating the payment product against the standards as defined by EMVCo, PCI, and the payment brands. These products encompass anything that can accept and process financial transactions in exchange for goods and services through an authorized acquirer.
EMV point of sale solutions generally undergo the following certifications:
EMV Level-1: Certification for the Terminal hardware.
EMV Level-2: Certification for the EMV kernel.
EMV Level-3: End-to-end certification for the merchant point of sale system.
PCI PTS: PCI PIN Transaction Security (PTS) is required for validating the physical and logical security of PIN capable point-of-sale devices or terminals, whether attended or unattended.
MasterCard TQM: Terminal Quality Management (TQM) is a MasterCard process that validates the overall security and performance of payment terminal hardware.
Re-certification (Level 3) is required if a change is made to the payment product that affects the handling of the EMV portion of the transaction. EMVCo Type Approval Bulletin #11 provides guidelines on what constitutes a major or minor change. Major changes require re-certification.
Examples of major changes that would require a re-certification include, but are not limited to:
Terminal hardware changes requiring a Level 1 re-certification with EMVCo
Software Kernel changes that require a Level 2 re-certification with EMVCo
Selecting a different kernel configuration from that which was originally certified
Payment Application Software changes that effect the handling of EMV data
Elavon Front-End modifications that require corresponding changes to the terminal
Support for additional brands or support for new card products
A change to country of Deployment
The system under test for a Level 3 certification includes the terminal and connectivity to Elavon's front-end.
Figure 5 System under test
The client must procure a UL Brand Test Tool (BTT) (Note: For merchants or third party processors using a different tool, please contact your Elavon certification representative). The tool uses a test plan, defined in discussion between the client and Elavon, to validate the implementation.
During the validation and formal certification phases, the test execution results are exported from the BTT and loaded into Elavon STP (Self-Test Platform). The logs from the host simulator – simulating the behavior of the brand's networks and issuers – will be loaded in STP as well and matched against the client logs.
The certification follows a 5-step process, described below:
Figure 6 Certification Process overview
Step 1 - Onboarding
Onboarding is the process of gathering information about the client configuration and defining the scope of the EMV certification. Significant information is required prior to initiating a project within STP and is obtained through various contact methods with the client.
This step is labeled Dashboard in STP and identifies the project, users, contacts, and assembling the pre-requisite documents.
Step 2 - Configuration
In Step 2, the Client sets up a certification project for each specific configuration of the system under test.
This step is labeled Settings in STP and includes identifying and verifying the connectivity settings (MID/TID) of the solution under test.
Step 3 – Test Plan settings
In Step 3, the intake form is uploaded into the STP by the Elavon Certification Analyst and the brand test plan is generated according to the POS configuration.
The client can export the test plan from STP and import it into their Brand Test Tool.
If the project scope changes once this step is completed, the client must re-submit the intake forms and provide them to the Elavon Certification analyst.
This step is labeled Scoping in STP.
Step 4 – Pre-certification
In Step 4, the client executes all the test cases defined by the brands and Elavon in order to validate its development.
The test execution results are exported from the Brand Test Tool and uploaded in the Self-Test Platform. STP automatically matches the host logs to the card-terminal logs and uploads the corresponding host log to STP. STP then performs validation checks on (a) the card-terminal logs, (b) host logs and (c) User validation results.
Any issues found during this phase should be resolved before moving on to the Certification phase. In case any of the issues cannot be resolved, a waiver must be obtained with Elavon.
If there is any code change once this step is completed, the Pre-Certification phase must be repeated.
Client should perform timeout, reversals, regressions and settlement testing as part of pre-certification phase
Step 5 - Certification
To complete Step 5, the client must be able to perform a clean execution of the entire test plan and upload the logs and receipts to the Self-Test Platform. Clearing and Settlement logs must be provided to Elavon as well.
Elavon performs a formal validation for each brand and issues a Letter of Approval (LoA).
At the end of this phase, the client solution is officially EMV certified and can prepare for a production roll-out with Elavon.
Specific certification scenarios
Contact without contactless
Elavon recommends that merchants complete contactless EMV certification along with contact EMV certification in order to avoid additional certification efforts and related costs.
This applies to terminals which have contact and contactless capabilities.
Having the terminals certified for both the interfaces enables merchants to provide customers with alternative forms of payment.
Contact with MSD contactless
Contactless MSD-only is discouraged.
Contactless MSD continues to be phased out around the world, with a planned retirement date of April 13, 2019 in the U.S.
Elavon recommends merchants to upgrade their current contactless MSD functionality. Contactless EMV provides additional security features over traditional MSD and ensures the functionality will be available to your clients.
Faster EMV solutions including Quick Chip and M/Chip Fast
Quick Chip and M/Chip Fast are supported by Elavon. Clients who have already certified for classic EMV need only perform regression testing with Elavon to enable the Quick Chip and/or M/Chip Fast functionality.
Clients who have not yet certified EMV can choose to certify Quick Chip / M/Chip Fast only.
Both classic EMV and Quick Chip / M/Chip Fast can certify at the same time, but requires two separate certifications.
Quick Chip and M/Chip Fast are supported by Elavon. In the scenario where no amount is specified by the brand, high-ticket value (high ticket value is the maximum transaction amount at a merchant during the day) should be used as the pre-dip amount.
Kernel Management (kernel expiration)
Merchants must ensure that before certifying payment terminals, they have at least 6 months before the Level-1 (hardware) and Level-2 (software) certifications expire. This provides sufficient time to complete the certification and move devices to production.
The kernel vendor is responsible for maintaining active Level-1 and Level-2 certifications. If the kernel expires, merchants must re-certify their terminals before deploying them in production.
In case merchants are in the process of certification and they receive a new EMV kernel, they will be required to re-execute the certification testing and submit the results to Elavon.
Merchants must contact Elavon’s representative for any questions on kernel management and certification.
During the certification process, clients may come across scenarios or transaction processing conditions that do not comply with either Elavon or brand-specific requirements. In such a case, the Certification Analyst will discuss the alternatives to allow compliance or the means by which a waiver may be granted. Merchants may be required to submit evidence along with their request for a waiver. Waivers shall be granted at the discretion of Elavon and in compliance with brand-specific payment regulations.