Sie sind auf Seite 1von 47

EMV*

Contactless Mobile Payment

EMVCo White Paper on Contactless


Mobile Payment

Version 2.0
September 2011

EMV is a registered trademark in the U.S. and other countries and an unregistered
trademark elsewhere. The EMV trademark is owned by EMVCo.

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications
(Materials) shall be permitted only pursuant to the terms and conditions of the license agreement
between the user and EMVCo found at http://www.emvco.com/specifications.aspx.

EMV
Contactless Mobile Payment

EMVCo White Paper on Contactless


Mobile Payment

Version 2.0
September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications
(Materials) shall be permitted only pursuant to the terms and conditions of the license agreement
between the user and EMVCo found at http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Contents
1

Executive Summary............................................................................................. 1

References ........................................................................................................... 3

Contactless Mobile Payment Overview ............................................................. 5

3.1

History........................................................................................................... 5

3.2

Meeting These Goals.................................................................................... 6

3.3

Principles ...................................................................................................... 9

EMVCo Technical Work and Perspective ........................................................ 11


4.1

Contactless Mobile Payment Applications .................................................. 11

4.2

Application Choice and Activation .............................................................. 11

4.3

CMP Application Lifecycle .......................................................................... 12

4.4

Payment Terminals Supporting Contactless Mobile Payment .................... 12

4.5

Secure Elements ........................................................................................ 13

4.6

Personalisation and Provisioning of CMP Applications .............................. 14

4.7

Contactless Communication Modules ........................................................ 15

4.8

Mobile Device Requirements to Support CMP ........................................... 15

Type Approval .................................................................................................... 17


5.2

Mobile Handsets ......................................................................................... 17

5.3

Secure Elements ........................................................................................ 18


5.3.1
5.3.2

Security Evaluation ......................................................................... 18


Functional Evaluation ...................................................................... 18

5.4

CMP Applications ....................................................................................... 19

5.5

Contactless Mobile Payment Terminal Approval ........................................ 19

Looking Forward................................................................................................ 21

Annex A

Summary of Contactless Mobile Payment Areas .............................. 23

Annex B

Frequently Asked Questions ............................................................... 25

Annex C

Actions Taken in Response to Areas Defined in the


Technical Issues and Position Paper ................................................. 27

Annex D

Glossary ................................................................................................ 35

September 2011

v 2.0

Page iii

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Figures
Figure 1 Simplified Architecture and Areas of Interest ............................................. 8
Figure 2 Simplified Provisioning Architecture ......................................................... 14

Tables
Table 1 Areas Addressed by EMVCo and Other Specification Bodies................... 23
Table 2 Frequently Asked Questions .....................................................................25
Table 3 EMVCo Actions Based on Areas of Work Identified in
Technical Issues and Position Paper ......................................................... 27

Page iv

v 2.0

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Executive Summary

In 2007 EMVCo published two white papers. The first paper, The Role and Scope of
EMVCo in Standardising the Mobile Payments Infrastructure (1) identified the mobile
landscape at the time, and outlined the role and scope of EMVCos involvement in
the standardisation of Contactless Mobile Payment within this landscape. This
involvement was structured around two main areas: Technical Development and
Industry Co-ordination. The second paper, the Technical Issues and Position Paper
(2), highlighted a number of technical issues that EMVCo had identified as requiring
solutions in order to enable the wide scale deployment of Contactless Mobile
Payment, and EMVCos planned actions in addressing these issues.
In the four years since EMVCo set out this vision, there has been significant
movement in the industry. EMVCo has published a number of documents, and other
industry bodies have also been active in the standardisation of technologies and
services related to Contactless Mobile Payment.
Toward meeting the goals of providing technical development and industry
co-ordination, EMVCo has published the following technical documents:

Contactless Mobile Payment Architecture Overview (3) provides an architecture


and context for other EMVCo mobile documents

Handset Requirements for Contactless Mobile Payment (4) provides guidance to


the industry regarding features required for supporting Contactless Mobile
Payment capabilities.

Application Activation User Interface Overview, Usage Guidelines, and PPSE


Requirements (5) defines how to configure a mobile device supporting multiple
Contactless Mobile Payment applications to reflect the users choice and
preferences.

EMV Profiles of GlobalPlatform UICC Configuration (6) specifies a number of


profiles for GlobalPlatform based UICCs which have been agreed upon by
members of EMVCo.

This white paper provides an updated view of the Contactless Mobile Payment
landscape, setting out EMVCos current position and detailing how the issues
identified previously have been addressed. It also identifies where EMVCo has
on-going work in Contactless Mobile Payment, and highlights areas in which other
industry bodies are providing input.

September 2011

v 2.0

Page 1

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

1 Executive Summary

Page 2

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

v 2.0

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

References

The following documents are referenced in this white paper. All are available on
www.emvco.com.
1

EMV Mobile Contactless Payment: White Paper: The Role and Scope of
EMVCo in Standardising the Mobile Payments Infrastructure. Version 1.0,
2007.

EMV Mobile Contactless Payment: Technical Issues and Position Paper.


Version 1.0, 2007.

EMVCo Contactless Mobile Payment: Contactless Mobile Payment


Architecture Overview. Version 1.0, 2010.

EMV Contactless Mobile Payment: EMVCo Handset Requirements for


Contactless Mobile Payment. Version 1.0, 2010.

EMVCo Contactless Mobile Payment: Application Activation User Interface


Overview, Usage Guidelines, and PPSE Requirements. Version 1.0,
2010.

EMVCo Contactless Mobile Payment: EMV Profiles of GlobalPlatform


UICC Configuration. Version 1.0, 2010.

EMV Contactless Specifications for Payment Systems. Book C-1. Kernel 1


Specification. Version 2.1, 2011.

EMV Contactless Specifications for Payment Systems. Book C-2. Kernel 2


Specification. Version 2.1, 2011.

EMV Contactless Specifications for Payment Systems. Book C-3. Kernel 3


Specification. Version 2.1, 2011.

10

EMV Contactless Specifications for Payment Systems. Book C-4. Kernel 4


Specification. Version 2.1, 2011.

11

EMV Contactless Specifications for Payment Systems. Book D. EMV


Contactless Communication Protocol Specification. Version 2.1, 2011.

12

EMV Card Personalization Specification. Version 1.1, 2007.

13

EMVCo Card Testing Framework for Contactless. Version 1.0, 2010.

14

EMV Security Guidelines. EMVCo Security Evaluation Process.


Version 4.0, 2010.

September 2011

v 2.0

Page 3

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

2 References

Page 4

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

v 2.0

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Contactless Mobile Payment Overview

The increasing rate of convergence between the mobile telecommunications and


payments industries has led mobile payments to become a growing industry sector in
recent years.
All actors within the value chain are set to benefit from the wide-scale deployment of
mobile payments: the financial community, merchants, network operators, technology
providers, and consumers. These benefits are set to increase as mobile payment
programmes evolve beyond the medium term reality of mass market contactless
mobile payment.

3.1

History

In 2007, after analysis and vetting with its stakeholders, EMVCo decided that its role
in Contactless Mobile Payment standardisation is two-fold. Firstly, with the growth of
the contactless mobile payment sector, there was a need for EMVCo to address and
resolve a number of technical infrastructure issues associated with enabling
contactless payments via mobile phone handsets. This technical development
responsibility was in line with EMVCos traditional role within the payments industry
as a technology standards body. The mobile payment technical focus of EMVCo
would be an adjunct to the organisations work towards the development of
specifications related to contactless payment and the associated common Type
Approval process for cards and terminals.
Secondly, due to the nature and early lifecycle stage of the contactless mobile
payment market there was a need for the payments industry to adopt a collaborative
approach to standardisation. EMVCo would co-ordinate the payments industry
efforts, in standardisation work with other industry groups and market forces in order
that an interoperable contactless mobile payment model for EMV transactions could
be defined and created. EMVCo would provide the common voice of the payments
industry on contactless mobile proximity payment standardisation.
EMVCos role within the standardisation of contactless mobile payment could be
classified under two headings and broken down into a number of key deliverables:

September 2011

v 2.0

Page 5

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

3 Contactless Mobile Payment Overview


EMV Contactless Mobile Payment
EMVCo White Paper on Contactless Mobile Payment

Technical Development:

To define chip data security requirements

To define a framework for Type Approval process

To define global interoperability between Contactless Mobile Payment


devices and payment acceptance infrastructure from a technical perspective

To identify user interface issues

Industry Co-ordination

To standardise contactless mobile proximity payment infrastructure


requirements

To fill in gaps which exist in the standardisation of Over-the-Air (OTA) card


and application management (for both secure elements and user interface
applications)

To actively engage relevant standards organisations in order to ensure EMV


involvement in the standardisation for contactless mobile payment

To speak with a common voice to vendors, operators, banks, and merchants


about contactless mobile payment opportunities, challenges, and the need for
standardisation.

Throughout the process of working towards the creation of a global interoperable


contactless mobile payment infrastructure for EMV transactions, EMVCo has
solicited feedback on its role from the payments industry in order to remain relevant
to, and representative of, the sector.

3.2

Meeting These Goals

In this environment, EMVCo identified the need for common specifications and
common platforms in order to prevent fragmentation, which could in turn become a
barrier to the widespread deployment of Contactless Mobile Payment (CMP). It was
also recognised that mobile devices are not primarily financial instruments. Mobile
devices are primarily communication devices, but are increasingly becoming
multipurpose devices with the advent of location services and the myriad mobile
applications (apps) which are now available. The requirements for CMP are just
one set of requirements which must be balanced with the needs of other application
areas for mobile devices, and it is important for EMVCo to work with the wider mobile
industry in defining specifications and requirements.

Page 6

v 2.0

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


3 Contactless Mobile Payment Overview
EMVCo White Paper on Contactless Mobile Payment

It was also clear that the lifecycles of mobile devices are significantly different from
those of payment smart cards. This is the case both in the development timescales
and the time in market. In order for the financial industrys requirements for CMP to
be met by mobile devices it is important that the impact on the mobile device
development lifecycle is minimised. This involved developing pragmatic approaches
to type approval and testing which meet the needs of both the financial and mobile
industries.
In order to identify the areas in which further work was necessary, EMVCo developed
a reference framework for CMP, which has been published in the Contactless Mobile
Payment Architecture Overview (3). That document identified the following areas of
interest in specification work:

Contactless Mobile Payment applications

CMP application choice and activation

CMP application lifecycle maintenance

Secure Elements

Personalisation and provisioning of Contactless Mobile Payment

Contactless communication modules

Mobile device requirements to support CMP

Contactless payment terminals supporting Contactless Mobile Payment

These are illustrated in Figure 1 below.

September 2011

v 2.0

Page 7

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

3 Contactless Mobile Payment Overview


EMV Contactless Mobile Payment
EMVCo White Paper on Contactless Mobile Payment

Figure 1 Simplified Architecture and Areas of Interest

Mobile Device
Provisioning and
Personalisation
Wide Area
Modem

Application Environment
User Interface
Application

CMP Application
Lifecycle
Maintenance
Secure Element

CMP
Application

Contactless
Communication Module

Contactless Payment
Terminal

This white paper provides more detail regarding EMVCos position with respect to
each of these areas.

Page 8

v 2.0

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


3 Contactless Mobile Payment Overview
EMVCo White Paper on Contactless Mobile Payment

3.3

Principles

Before starting contactless mobile payment technical development and liaison


activities, EMVCo developed and vetted a set of principles to guide its efforts. These
principles include:

A mobile device may support multiple contactless mobile payment


applications from multiple financial issuers and carrying different brands.

The user determines which payment instrument is to be used for a


transaction.

EMVCo does not mandate a particular Secure Element architecture or policy,


but seeks to provide flexibility in order to allow the deployment the most
appropriate solution for a particular market.

Where possible EMVCo will make use of industry specifications rather than
defining new specifications.

EMVCo will seek to make use of industry type approval programmes for
qualification of mobile devices.

Contactless Mobile Payment must be compatible with existing EMVCo based


contactless payment infrastructure.

September 2011

v 2.0

Page 9

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

3 Contactless Mobile Payment Overview


EMV Contactless Mobile Payment
EMVCo White Paper on Contactless Mobile Payment

Page 10

v 2.0

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

EMVCo Technical Work and Perspective

Using EMVCos documented Contactless Mobile Payment architecture as a base,


the following sections provide a summary of EMVCos development activities. Where
EMVCo has not developed specific deliverables this section provides perspective on
the standardisation efforts of other organisations.
Further details of how EMVCo has addressed the areas identified in the Technical
Issues and Position Paper (2) are given in Annex C.

4.1

Contactless Mobile Payment Applications

The heart of a Contactless Mobile Payment transaction is the CMP application. The
definition of the CMP applications is the role of each of the payment systems.
Likewise CMP application approval, both functional and security, is the responsibility
of the payment systems.
Although EMVCo does not define the CMP application itself, the focus of the EMVCo
work is to define a common environment to enable the use of CMP applications. As
per the architecture in Figure 1 above, CMP applications must reside within a Secure
Element in the mobile device, and this Secure Element may be shared with other
applications both CMP and non-payment applications. The EMV specifications
enable the co-existence of this multiplicity of applications.

4.2

Application Choice and Activation

To enable the user to choose the desired application to be used for a CMP
transaction, EMVCo has developed the Application Activation User Interface
specification (5). That specification defines how a user interface may gather
information about the CMP applications present on a device in order to enable the
user to select the application that he or she wishes to use for a transaction.
The specification also covers the method by which the user interface application may
configure the mobile device in order that a contactless POS terminal will initiate a
payment transaction with the users chosen application. The primary means by which
this is done is through the Proximity Payment System Environment (PPSE). While
the location of the PPSE within the mobile device is implementation specific, the
Application Activation User Interface specification includes the specification of the
PPSE application when implemented on a Secure Element.

September 2011

v 2.0

Page 11

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

4 EMVCo Technical Work and Perspective


EMV Contactless Mobile Payment
EMVCo White Paper on Contactless Mobile Payment

4.3

CMP Application Lifecycle

Throughout the life of an EMVCo based CMP application there may be a need to
reset application counters and modify parameters within the application. EMVCo
regards this as a CMP application concern, and therefore the responsibility of the
individual payment systems.

4.4

Payment Terminals Supporting Contactless


Mobile Payment

The mobile phone offers a rich platform for interaction between a user and a CMP
application during and surrounding a CMP transaction. Examples of such interactions
include display of branding, transaction information, and entry of a confirmation code
on the mobile device. Use of these features may require additional functionality in
contactless payment terminals, beyond that which is required for acceptance of
contactless cards.
It is important that CMP applications are able to work (possibly with reduced
functionality) on deployed terminals; however, support of the advanced payment
capabilities of CMP requires existing terminals to be updated. From an EMVCo
perspective, the features being added to support CMP (such as application choice)
are backward compatible with deployed contactless payment terminal infrastructure.
In order to provide interoperability between Contactless Mobile Payment and existing
card payment, both contactless payment terminals and mobile devices supporting
CMP are required to implement the Contactless Communication Protocol
Specification (11) which is also applicable to contactless payment cards.
EMV Contactless Specifications for Payment Systems, Books C-n (7) (8) (9) (10)
define the latest terminal specifications which implement any CMP specific features
from each of the payment systems.
The result of this is that EMVCo will not define new type approval processes for
Contactless Payment Terminals supporting CMP but will follow the standard EMVCo
terminal approval procedures.

Page 12

v 2.0

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


4 EMVCo Technical Work and Perspective
EMVCo White Paper on Contactless Mobile Payment

4.5

Secure Elements

Security is important to Contactless Mobile Payment applications, just as it is to card


based payment applications. From an EMVCo perspective, security of CMP should
be at the same level as the security of card products. In order to support this security
requirement, a CMP application must reside in a Secure Element. A Secure Element
is a tamper resistant module capable of hosting applications in a secure manner.
There are a number of options for Secure Elements, including amongst others,
embedded Secure Elements, UICCs (SIMs), microSD, and accessories, each of
which may be based on differing hardware, firmware, operating systems, and
platforms.
EMVCo does not have a requirement or preference for any particular architectural
option or platform, nor does it set requirements around the number of Secure
Elements which are available in a mobile device. Where certain options are widely
deployed, EMVCo may develop work items around a particular platform in order to
facilitate interoperability and co-existence of CMP applications on deployments of
that platform. These work items do not imply an EMVCo requirement that such a
platform be used.
EMVCos specifications around CMP have been developed to be able to support
multiple, simultaneously enabled Secure Elements in a mobile device. Whilst EMVCo
encourages flexibility in the architecture, no particular policy for the number and
activation of Secure Elements is mandated. For example, deployments with a single
active Secure Element are covered by the EMVCo specifications.
Historically, payment cards have been owned by a single issuing bank, typically
carrying a single payment brand. There has been flexibility for payment systems and
issuers to define the requirements on the functionality, configuration, and security
requirements of the card. In the deployment of CMP, multiple CMP applications,
potentially from multiple issuing banks, and carrying multiple payment brands, may
co-exist on the same mobile device. As the number of Secure Elements available in
a mobile device is limited, a Secure Element may host multiple CMP applications. If
payment systems and issuers place incompatible requirements on the Secure
Element, this will fragment the market. In order to avoid this situation, EMVCo has
been addressing common requirements for Secure Elements.
EMVCo has published EMV Profiles of GlobalPlatform UICC Configuration (6), which
uses the GlobalPlatform UICC profile as a basis. EMVCo is preparing a similar profile
for non-UICC GlobalPlatform based Secure Elements, and may consider further
profiles for other widely deployed platforms.

September 2011

v 2.0

Page 13

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

4 EMVCo Technical Work and Perspective


EMV Contactless Mobile Payment
EMVCo White Paper on Contactless Mobile Payment

4.6

Personalisation and Provisioning of CMP


Applications

Installing a CMP application on a mobile device (provisioning) and personalising a


CMP application with data specific to the user is an essential step in the deployment
of Contactless Mobile Payment. There are a number of elements to provisioning and
personalisation. A simplified diagram of the actors is shown in Figure 2.
Figure 2 Simplified Provisioning Architecture

Issuer

Trusted
Service
Manager

Mobile Device

Secure
Element

Although EMVCo had identified this as a gap where work was needed, there has
been ongoing work within the industry to address this area. For example,
GlobalPlatform is defining a messaging specification for the management of MobileNFC Services, and the Association Franaise du Sans Contact Mobile (AFSCM) has
written an interface specification which has been contributed to GlobalPlatform. As
the industry has been addressing these issues, EMVCo will not define the interface
between an issuing bank and a Trusted Service Manager (TSM).
Likewise EMVCo will not define the interface between the TSM and the mobile
device or Secure Element for provisioning and personalisation. The EMV Card
Personalisation Specification (12) may be used as part of the personalisation
process, but is not required by EMVCo.
The GlobalPlatform specifications define mechanisms for personalisation which are
appropriate to GlobalPlatform based Secure Elements. As Secure Elements may be
shared by multiple CMP applications, the EMV Profiles of GlobalPlatform UICC
Configuration specification (6) defines a standard environment into which CMP
applications can be provisioned which is acceptable to the payment systems which
are EMVCo members. EMVCo does not mandate the use of these profiles, but
Secure Elements which make use of these profiles may be qualified through the
EMVCo Compliance programme.

Page 14

v 2.0

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


4 EMVCo Technical Work and Perspective
EMVCo White Paper on Contactless Mobile Payment

The Application Activation User Interface specification (5) defines how a Secure
Element Contactless Management system should be configured during
personalisation and provisioning in order to support the co-existence of multiple CMP
applications on one mobile device and in particular the use of the GlobalPlatform
Contactless Registry Service (CRS).

4.7

Contactless Communication Modules

The Contactless Communication Module is responsible for the implementation of the


digital and analogue contactless protocol for the mobile device implementing CMP.
For interoperability between CMP applications and the acceptance infrastructure to
support contactless cards, Contactless Communication Modules are required to
conform to the EMV Contactless Communication Protocol Specification (CCPS) (11)
defined by EMVCo.
EMVCo members have worked with the NFC Forum to ensure that the NFC Forum
specifications are compatible with the CCPS, and that devices implementing the NFC
Forum specifications may also meet the requirements of the CCPS.

4.8

Mobile Device Requirements to Support CMP

Mobile devices support a large number of features, and these vary between devices.
To support a wide scale deployment of CMP across multiple models of devices, it is
helpful if there is a minimum set of core features supported across the board.
In order to provide guidance to the mobile industry about what features are required
for CMP, and also areas in which development work would be helpful, EMVCo has
published Handset Requirements for Contactless Mobile Payment (4). The intent of
that document is to provide the industry with direction around CMP, and unless the
same requirements are identified elsewhere within EMVCo documentation, EMVCo
will not be testing the support of those requirements as part of an approvals
programme.

September 2011

v 2.0

Page 15

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

4 EMVCo Technical Work and Perspective


EMV Contactless Mobile Payment
EMVCo White Paper on Contactless Mobile Payment

Page 16

v 2.0

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Type Approval

EMVCo has for many years offered an extensive type approval programme for
terminals, and since 2007, for chips and CCD/Common Payment Application cards.
In evaluating the role EMVCo should play in type approval for mobile, two particular
areas have been taken into consideration.
1. Mobile industry development cycles: The mobile industry has rapid and time
constrained releases, and it is important that an EMVCo type approval
programme for Contactless Mobile Payment does not negatively impact the
industrys development cycles.
2. Sharing of platforms between issuers and brands: Whereas cards are
typically under the control of a single issuer supporting a single payment
system brand, mobile handsets and Secure Elements may be shared
between multiple issuers and payment brands.

5.2

Mobile Handsets

The mobile industry has a large number of new products being put on the market
each year, and has rapid and time constrained releases. In order to meet the
requirements of the mobile industry, EMVCo will work with other mobile compliance
bodies in order to establish compliance of the Contactless Communication Modules
of mobile devices with the CCPS. EMVCo has a liaison with the NFC Forum which
has recently launched a compliance programme, and is exploring other bodies which
may also be appropriate in this area. The requirements and processes for a form of
EMVCo accreditation in this area are being established.
In the interim a mobile handset may be submitted for Contactless Level 1 evaluation
under the EMVCo Card Testing Framework for Contactless (13).

September 2011

v 2.0

Page 17

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

5 Type Approval

5.3
5.3.1

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Secure Elements
Security Evaluation

The EMVCo security evaluation programme (described in EMV Security Guidelines


EMVCo Security Evaluation Process (14)) has recently been expanded from chips at
the silicon level and issuance of IC (security) Certificates, to also cover the multiapplication platforms at the operating system level and issuance of Platform
(security) Certificates.
The Secure Elements used for CMP will be shared with non-payment applications,
which may have differing security requirements. As applications may come from
different providers, and may be deployed across different Secure Elements, there is
an industry need for a security evaluation methodology which allows for evaluations
of components (e.g. silicon, operating system, applications) by different laboratories
to be combined into an evaluation of the overall product (i.e. silicon + operating
system + applications). EMVCo has worked through liaison relationships with
GlobalPlatform and the GSM Association to help develop the GlobalPlatform
Composition Model for Security Evaluation. EMVCo will incorporate the Composition
Model into the EMVCo security evaluation process in the future.

5.3.2

Functional Evaluation

EMVCo type approval covers functionality defined in the Application Activation User
Interface specification (5). Where a Secure Element implements the mobile PPSE
and/or Secure Element Contactless Management as defined in the Application
Activation User Interface specification, the PPSE and/or Secure Element Contactless
Management implementation may be submitted for EMVCo testing and type approval
In order to issue an EMVCo Letter of Compliance, EMVCo will require both a
successful functional evaluation of the PPSE and/or Secure Element Contactless
Management implementation and a successful security evaluation of the Platform.
EMVCo has a liaison with GlobalPlatform and has developed PPSE and Secure
Element Contactless Management implementation guidelines for GlobalPlatform
based Secure Elements.
EMVCo type approval recognizes the GlobalPlatform Compliance Program. In order
to be recognized by EMVCo as a GlobalPlatform compliant Secure Element, the
Secure Element provider must select a GlobalPlatform Qualified Laboratory that is
also an EMVCo Accredited Laboratory and pass GlobalPlatform testing
requirements. EMVCo will review the GlobalPlatform Letter of Qualification in
conjunction with the test results of the PPSE and/or Secure Element Contactless
Management (GlobalPlatform Contactless Registry Service) implementation and the
Platform security evaluation before issuing an EMVCo Letter of Compliance.

Page 18

v 2.0

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

5.4

5 Type Approval

CMP Applications

Functional and security evaluation of CMP applications is not covered by EMVCo


and remains the responsibility of individual payment systems.

5.5

Contactless Mobile Payment Terminal Approval

Support for Contactless Mobile Payment has been included in the EMVCo terminal
specifications, and will be type approved in the EMVCo Terminal Type Approval
Programme.

September 2011

v 2.0

Page 19

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

5 Type Approval

Page 20

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

v 2.0

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Looking Forward

There has been considerable progress in the area of Contactless Mobile Payment
since EMVCo first began to consider the area. The market has moved from regarding
CMP as a potentially interesting area to a position where CMP is ready for
commercial deployment. The specifications required to deploy interoperable CMP are
in place.
This does not mean that all issues around CMP deployment are fully defined. There
remain many deployment options which are available, and it is not yet clear which of
these options will be most appropriate in various regions around the world. As the
market further matures it is expected that new areas will be identified which need
specifications in order to support continued growth of CMP. EMVCo will continue to
monitor the market, to identify areas where specification work is required, and to
evaluate what role EMVCo should play in developing these specifications.

September 2011

v 2.0

Page 21

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Page 22

v 2.0

6 Looking Forward

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Annex A

Summary of Contactless Mobile Payment Areas

Table 1 provides a summary of the areas which EMVCo has addressed in its work, and a non-exhaustive list of other specification
bodies which are also contributing.
Table 1 Areas Addressed by EMVCo and Other Specification Bodies
Component

EMVCo Specifications

EMVCo Approval

CMP Application
CMP Application
Choice

Related
Specification
Bodies
Payment Systems

Application Activation User


Interface (5)

PPSE

Related Approval
Bodies and Processes
Payment Systems

GlobalPlatform
NFC Forum
ETSI SCP

CMP Application
Lifecycle
Contactless Payment
Terminals

September 2011

Payment Systems

EMVCo contactless terminal


specifications

Payment Systems

EMVCo contactless terminal


type approval programme

v 2.0

Page 23

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Component

Secure Element

EMVCo Specifications

EMV Profiles of
GlobalPlatform UICC
Configuration (6)

Provisioning and
Personalisation

EMVCo Card Personalisation


Specification (12)

Contactless
Communication
Modules

EMV Contactless
Communication Protocol
Specification (11)

Mobile Device
Requirements

Handset Requirements for


Contactless Mobile Payment
(4)

September 2011

Annex A

EMVCo Approval

EMVCo Security Evaluation

Summary of Contactless Mobile Payment Areas

Related
Specification
Bodies
GlobalPlatform

GlobalPlatform based
Secure Element functional
testing

Related Approval
Bodies and Processes
GlobalPlatform
Common Criteria

GlobalPlatform
AFSCM
CCPS

NFC Forum

NFC Forum

ETSI SCP
GSMA

v 2.0

Page 24

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Annex B

Frequently Asked Questions


Table 2 Frequently Asked Questions

Will EMVCo define a common Contactless


Mobile Payment Application?

The specification of Contactless Mobile Payment applications is the responsibility of the


individual Payment Systems, and EMVCo has no plans to define a common Contactless
Mobile Payment Application.

Does EMVCo require a particular type of


Secure Element?

EMVCo does not require a particular type of Secure Element. EMVCo allows for all
different architectural options, e.g. UICC, embedded SE, removable SE.

Does EMVCo have specifications for


terminals which accept Contactless Mobile
Payments?

Terminals which accept Contactless Mobile Payments are covered by the standard EMV
contactless terminal specifications. EMVCo has not defined specific requirements for
terminals supporting CMP.

Will EMVCo type approve mobile devices for


CMP?

EMVCo is exploring options for making use of mobile industry compliance programmes
to provide EMVCo accreditation in this area.

Will EMVCo type approve Secure


Elements?

EMVCo has a Security Evaluation programme for Secure Elements that covers the
silicon and the operating system.
EMVCo has a functional evaluation programme for implementations of the Application
Activation User Interface specification (5) requirements within Secure Elements.

September 2011

v 2.0

Page 25

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Annex B

Frequently Asked Questions

Does EMVCo require all available Secure


Elements to be active at one time?

EMVCo does not specify any policy regarding the number of Secure Elements or how
many should be active at any one time. EMVCos specifications in this area are designed
to have sufficient flexibility to cover all implementations.

Does EMVCo require the use of


GlobalPlatform based Secure Elements?

EMVCo does not require the use of GlobalPlatform Secure Elements; however, as
GlobalPlatform is a widely deployed standard for Secure Elements, EMVCo has defined
specifications for its use.
As part of the EMVCo type approval programme, EMVCo recognizes the GlobalPlatform
Compliance Program for GlobalPlatform based Secure Elements.

Does EMVCo require that a mobile device


be able to perform a Contactless Mobile
Payment transaction when the device is off
or the battery is low?

September 2011

EMVCo does not require that payment applications shall operate when the mobile device
is in battery off/battery low state. However, for devices that allow communication with the
Secure Element when the device is switched off, the Application Activation User
Interface specification (5) defines methods for intelligent selection of applications based
on the ability of the application to run without the user interface being available. This
issue is discussed further in the Handset Requirements for Contactless Mobile Payment
(4).

v 2.0

Page 26

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Annex C

Actions Taken in Response to Areas Defined in the Technical


Issues and Position Paper

The EMVCo Technical Issues and Position Paper (2), published in October 2007, identified a number of areas in which EMVCo planned
to undertake work. The actions EMVCo has taken in these areas since the publication of the paper are summarised in Table 3 below.
Table 3 EMVCo Actions Based on Areas of Work Identified in Technical Issues and Position Paper
Identified Area of Work

EMVCo Action

EMVCo to consider a functional requirement that provisioning and personalisation


of the contactless payment application can be in a single or separate sessions.
Additionally, EMVCo is to ensure there is a standard mechanism to personalise a
contactless payment application based on EMV CPS.

Industry standard provisioning methods (for


example, GlobalPlatform) allow for the separate
provisioning and personalisation of CMP
applications.
The details of personalising an application are a
CMP application issue, and therefore the
responsibility of the individual payment systems.
EMV Card Personalization Specification (12) may
be used but is not required.

September 2011

v 2.0

Page 27

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


Annex C
EMVCo White Paper on Contactless Mobile Payment

Actions Taken in Response to Areas Defined in the Technical Issues and Position Paper

Identified Area of Work

EMVCo Action

EMVCo will consider how EMV CPS may be used with secure messaging
protocols such as those of GlobalPlatform and GSM 03.48 in a mobile
environment. If necessary, EMVCo will consider enhancing CPS to provide the
necessary capabilities for the mobile environment, and providing best practice
guidelines as appropriate.

This is supported in the EMV Profiles of


GlobalPlatform UICC Configuration specification
(6).

EMVCo to consider developing requirements of standard methods for registering a


new application on a Secure Element, and collaborating with other bodies such as
GlobalPlatform to define the appropriate method and mechanism for registration.

The Application Activation User Interface


specification (5) defines a standard usage of a
Secure Element Card Management system (such
as GlobalPlatform Contactless Registry Service)
for registering new CMP applications on a Secure
Element.

EMVCo to consider developing User Interface requirements to assist the user in


securely managing and monitoring the processes for provisioning, personalisation,
and update of the payment application on a Secure Element in a mobile device.

The Application Activation User Interface


specification (5) provides User Interface best
practices in this area.

EMVCo to consider identifying the requirements of a standard configuration of


operating systems to support contactless payment applications, and to work with
other industries to develop a de facto standard.

EMVCo has published EMV Profiles of


GlobalPlatform UICC Configuration (6). It is
planned to publish an equivalent document for
non-UICC GlobalPlatform Secure Elements, and
further profiles may be considered.

September 2011

v 2.0

Page 28

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


Annex C
EMVCo White Paper on Contactless Mobile Payment

Actions Taken in Response to Areas Defined in the Technical Issues and Position Paper

Identified Area of Work

EMVCo Action

EMVCo to consider the use of EMV Scripts and EMV CPS in the mobile
environment, in particular for post issuance and post distribution updating of the
payment application and its counters and parameters; additionally, EMVCo to
develop best practice guidelines and User Interface requirements for the
management of post-distribution provisioning mechanisms, such as those offered
by GlobalPlatform. Enhancements to the PPSE will also be considered as
appropriate.

EMVCo considers the use of EMV Scripts to be a


CMP application specific issue, and as such to be
the responsibility of the Payment Systems.
Provisioning and Personalisation is out of scope of
EMVCos work although the EMV Card
Personalisation Specification (12) may be used for
this purpose.
The use of the PPSE for Contactless Mobile
Payment is defined in the Application Activation
User Interface specification (5).

EMVCo to consider best practices guidelines that the methods used to provision
the payment application in a Secure Element also be able to remove the payment
application. In the event that the Secure Element application environment does not
allow for the deletion of the payment application, EMVCo to consider User
Interface requirements and mechanisms to allow for the disablement of the
payment application and the deletion of the payment credentials.

September 2011

v 2.0

Deletion of applications is supported by many of


the Secure Element operating systems, including
GlobalPlatform, and it has not been necessary for
EMVCo to define specific requirements in this
area.
Disablement of a CMP application and deletion of
the payment credentials within an application is a
CMP application issue, and the responsibility of
the Payment Systems.

Page 29

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


Annex C
EMVCo White Paper on Contactless Mobile Payment

Actions Taken in Response to Areas Defined in the Technical Issues and Position Paper

Identified Area of Work

EMVCo Action

EMVCo to consider a best practices guideline that the standard processes for
deletion and provisioning and personalisation should be used to transfer the
credentials from one mobile device Secure Element to another mobile device
Secure Element.

Provisioning and personalisation is out of scope of


EMVCos work at this time.

In order to enable interoperability between removable Secure Elements, EMVCo to


consider the development of requirements for standardised commands from the
user interface application and the payment application along with standard
application labels which may be used to store customised information associated
with the payment application. These requirements will also consider the security
between the user interface application and payment application.

The Application Activation User Interface


specification (5) specifies how the Secure Element
Contactless Management system may be used to
provide information about the CMP application in
a standard manner. It also defines a command for
activating and deactivating a CMP application.

EMVCo to consider development of requirements for management of customised


elements on a mobile device and to collaborate with standards bodies such as the
Open Mobile Alliance to define appropriate device management mechanisms.

EMVCo has a liaison with the NFC Forum which is


defining the NFC Controller Interface.

EMVCo to consider defining the API between the user interface application and the
payment application.

The CMP application is the responsibility of


Payment Systems, and EMVCo has not defined
standardised commands between the user
interface application and the CMP application
except for an optional command for activating and
deactivating an application which is defined in the
Application Activation User Interface specification
(5).

September 2011

v 2.0

Page 30

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


Annex C
EMVCo White Paper on Contactless Mobile Payment

Actions Taken in Response to Areas Defined in the Technical Issues and Position Paper

Identified Area of Work

EMVCo Action

EMVCo to consider a best practices guideline that the standard methods of


provisioning applications on the mobile platform should be used and/or enhanced
for provisioning the user interface application.

Provisioning and personalisation is out of scope of


the work of EMVCo at this time. The use of the
Secure Element Contactless Management system
to provide information to a user interface
application in a standard manner is defined in the
Application Activation User Interface specification
(5).

To assist with customer care interactions, EMVCo to consider defining standard


application labels and/or application commands which may be used to assist in
customer care.

EMVCo has not defined any specific support in


this area.

EMVCo to consider user interface requirements and application commands that


enable the locking and unlocking of a proximity payment application. These
commands should provide for convenient and secure application usage
management of multiple accounts contained on Secure Elements, including
options for locking policies such as frequency of application locking and locking per
application or for all applications.

EMVCo has defined a command which may be


used to activate or deactivate a CMP application
in the Application Activation User Interface
specification (5).

September 2011

v 2.0

The use of Confirmation Codes for locking


applications is considered a CMP application
issue and the responsibility of the individual
Payment Systems.

Page 31

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


Annex C
EMVCo White Paper on Contactless Mobile Payment

Actions Taken in Response to Areas Defined in the Technical Issues and Position Paper

Identified Area of Work

EMVCo Action

The contactless payment application must have a mechanism to enable the POS
terminal to interact with the chosen payment application. It is expected that the
PPSE mechanism defined by EMVCo should provide this capability. This should
include considerations of enhancing the PPSE as appropriate to support the
mobile payment environment

The mechanisms to support a user choosing a


particular CMP application, and the mechanisms
for communicating the choices to the contactless
terminal (including the PPSE) are defined in the
Application Activation User Interface specification
(5).

EMVCo to consider defining commands for a user interface application to manage


the PPSE appropriately in order to reflect the user selection of the payment
instrument.

The use of the PPSE for Contactless Mobile


Payment is described in the Application Activation
User Interface specification (5) which includes the
specification of commands for managing the
PPSE when it is implemented on a Secure
Element.

September 2011

v 2.0

Page 32

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


Annex C
EMVCo White Paper on Contactless Mobile Payment

Actions Taken in Response to Areas Defined in the Technical Issues and Position Paper

Identified Area of Work

EMVCo Action

EMVCo to account for the following set of considerations in the development of


User Interface requirements and best practices guidelines:

Any payment application supporting multiple payment credentials should


provide the user with the ability to select the set of credentials to be used on a
transaction-by-transaction basis. It would also be desirable to allow the user to
select a default set of credentials to be used, unless an alternate set of
credentials is selected for a particular transaction.

The interaction between the mobile device and the POS terminal should not
allow the merchant to override the user preferences, and the behaviour of POS
terminals needs to be defined to respect the user preferences.

Malicious readers seeking to attack the payment application need not follow the
behaviour specified for a POS terminal, so mechanisms to prevent the
activation of non-selected applications should be explored.

The mechanism for selection of a particular account when multiple contactless


payment applications are available should be specified, but not the user
interface (beyond guidelines and recommendations from EMVCo).

The API which the mobile device must send to the contactless payment
application for account selection should be standardised for interoperability
between user interface applications and the payment application.

September 2011

v 2.0

These areas have been taken into consideration


in the development of the Application Activation
User Interface specification (5).

Page 33

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


Annex C
EMVCo White Paper on Contactless Mobile Payment

Actions Taken in Response to Areas Defined in the Technical Issues and Position Paper

Identified Area of Work

EMVCo Action

EMVCo to consider requirements for the mobile contactless payment application


operating when the device is powered down. Such considerations include:

Having a default application selection method, possibly based on the power


state of the mobile device;

Detection of power state and restricting functionality accordingly.

EMVCo to consider how the mobile contactless payment application should


provide a mechanism to the mobile device to indicate when branding should be
displayed, and what branding should be displayed.

September 2011

v 2.0

The Application Activation User Interface


specification (5) provides mechanisms for
identifying CMP applications that are capable of
operating when the User Interface is not available
(for example, when battery power is too low), and
a mechanism for selecting appropriate CMP
applications when the UI is not available.
This is addressed in the Handset Requirements
for Contactless Mobile Payment (4).

Page 34

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be permitted only pursuant to the terms and conditions of the license
agreement between the user and EMVCo found at http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Annex D

Glossary

AAUI

Application Activation User Interface

AFSCM

Association Franaise du Sans Contact Mobile

API

Application Programming Interface

Application Activation User


Interface (AAUI)

A user interface application on a mobile device


that enables the consumer to manage the use
of their contactless applications.

Association Franaise du
Sans Contact Mobile (AFSCM)

A non-profit organisation which aims to facilitate


the technical development and promotion of
mobile contactless services. The AFSCM was
founded by French mobile operators Bouygues
Telecom, Orange France, and SFR.

CCD

Common Core Definitions

CCPS

Contactless Communication Protocol


Specification

CMP

Contactless Mobile Payment

Common Core Definitions


(CCD)

A minimum common set of card application


implementation options, card application
behaviours, and data element definitions
sufficient to accomplish an EMV transaction, as
defined in EMV Integrated Circuit Card
Specifications for Payment Systems, Book 3:
Application Specification, available at
www.emvco.com.

Common Payment Application

An EMVCo specification that defines the data


elements and functionality for an application
that complies with the EMV Common Core
Definitions (CCD).

Composition Model

See GlobalPlatform Composition Model.

September 2011

v 2.0

Page 35

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

Annex D Glossary

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Contactless Communication
Module

A module within a mobile device providing a


contactless interface compatible with EMV
Contactless Communication Protocol
Specification (11).

Contactless Mobile Payment


(CMP)

Integration of EMV-based contactless payment


technology in mobile devices.

Contactless Mobile Payment


Application

An application that is hosted in a Secure


Element and that performs information
exchange and processing needed to perform a
Contactless Mobile Payment transaction.

Contactless Payment
Terminal

A contactless reader conforming to EMV


Contactless Communication Protocol
Specification (11) and compliant with EMV
specifications related to the use of the PPSE
that is capable of conducting a payment
transaction with a Contactless Mobile Payment
Application.

Contactless Registry Service


(CRS)

See GlobalPlatform Contactless Registry


Service.

CRS

Contactless Registry Service

EMV

A global standard for credit and debit payment


cards based on chip card technology. The EMV
Integrated Circuit Card Specifications for
Payment Systems are developed and
maintained by EMVCo.

EMV CPS

EMV Card Personalization Specification

Page 36

v 2.0

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Annex D Glossary

EMVCo

EMVCo LLC is the organization of payment


systems that manages, maintains, and
enhances the EMV Integrated Circuit Card
Specifications for chip-based payment cards
and acceptance devices, including point of sale
(POS) terminals and ATMs. EMVCo also
establishes and administers testing and
approval processes to evaluate compliance with
the EMV Specifications. EMVCo is currently
owned by American Express, JCB, MasterCard,
and Visa.

EMVCo Accredited Laboratory

An independent, impartial entity that has


received a Letter of Accreditation from EMVCo,
entitling it to perform testing for specified Type
Approval; in the context of this document, to
perform testing for CMP Type Approval.

EMVCo Compliance
Certificate

A certificate issued by EMVCo when sufficient


assurance has been demonstrated for an IC,
Platform, or Card Product.

EMVCo Letter of Compliance

Written statement that documents the decision


of EMVCo that a specified CMP Product has
demonstrated sufficient conformance to the
EMV Specifications as of its test date.

ETSI SCP

European Telecommunications Standards


Institute technical committee Smart Card
Platform

GlobalPlatform

A cross industry, not-for-profit association which


identifies, develops, and publishes
specifications to facilitate secure and
interoperable deployment and management of
multiple embedded applications on secure chip
technology.

GlobalPlatform Composition
Model

A methodology for the evaluation of composite


products; that is, Secure Elements that include
an open platform and one or more applications.

September 2011

v 2.0

Page 37

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

Annex D Glossary

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

GlobalPlatform Contactless
Registry Service (CRS)

A GlobalPlatform SECM service for managing


the contactless applications on a Secure
Element.

GlobalPlatform Letter of
Qualification

Written statement that documents the decision


of GlobalPlatform that a specified Secure
Element has demonstrated sufficient
conformance to the GlobalPlatform
specifications as of its test date.

GlobalPlatform Qualified
Laboratory

A laboratory facility that has received written


validation by GlobalPlatform that such facility
has satisfied all GlobalPlatform prerequisite
requirements and conditions for the purposes of
performing testing services on Card Products
according to GlobalPlatform Card Qualification
Process procedures.

GSM 03.48

A specification of the structure of Secured


Packets in a general format and in
implementations using Short Message Service
Point to Point and Short Message Service Cell
Broadcast.

GSM Association

An association of mobile operators and related


companies devoted to supporting the
standardizing, deployment, and promotion of
the GSM mobile telephone system.

GSMA

GSM Association

Handset

A type of mobile device, specifically a mobile


phone handset.

IC

Integrated Circuit

IC Certificate

The EMVCo Compliance Certificate of an IC.

Letter of Compliance

See EMVCo Letter of Compliance.

Letter of Qualification

See Global Platform Letter of Qualification.

Page 38

v 2.0

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Annex D Glossary

Mobile Device

A portable electronic device with contactless


and wide area communication capabilities.
Mobile devices include mobile phones and
other consumer electronic devices such as
suitably equipped PDA.

Near Field Communication


(NFC)

A short range contactless proximity technology


based on ISO/IEC 18092, which provides for
ISO/IEC 14443 compatible communications
and enables devices to communicate with each
other when brought into close range.

NFC

Near Field Communication

NFC Forum

A non-profit industry association that promotes


the use of NFC short-range wireless interaction
in consumer electronics, mobile devices, and
PCs.

Open Mobile Alliance

An industry forum for developing market driven,


interoperable mobile service enablers.

OTA

Over-the-Air

Over-the-Air (OTA)

A method of distributing software to mobile


phones and provisioning handsets with the
settings necessary to access messaging
services.

Personalising

Setting selected application data to enable the


use of a card by a particular cardholder.

Platform

The collective name for the integrated circuit


(IC) hardware with its dedicated software,
Operating System (OS), Run Time Environment
(RTE), and Platform environment on which one
or more applications (e.g., CPA) can be
executed.

Platform Certificate

The EMVCo Compliance Certificate of a


Platform.

POS

Point of Sale

September 2011

v 2.0

Page 39

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

Annex D Glossary

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

PPSE

Proximity Payment System Environment

Provisioning

The process of installing a payment application


on a secure element.

Proximity Payment System


Environment (PPSE)

A mechanism for presenting the contactless


applications available for conducting a
transaction to a Contactless Payment Terminal.
The PPSE is the first application selected by a
Contactless Payment Terminal, and based on
the information provided by the PPSE, the
terminal uses the highest priority application it
supports to process a contactless payment.

SE

Secure Element

SECM

Secure Element Contactless Management

Secure Element

A tamper resistant module in a mobile device


capable of hosting applications in a secure
manner. A Secure Element may be an integral
part of the mobile device, or may be a
removable element which is inserted into the
mobile device for use.

Secure Element Contactless


Management (SECM)

A scheme employed by a Secure Element to


manage the contactless applications thereon.
The scheme could vary depending on the
Secure Element implementation.

SIM

Subscriber Identification Module

Subscriber Identification
Module

A smart card that securely stores the key


identifying a mobile phone service subscriber,
as well as subscription information, phone
numbers, preferences, etc. It can also be used
to securely store a Contactless Mobile Payment
application.

Trusted Service Manager


(TSM)

An entity that securely manages contactless


mobile payment applications and other
applications on a Secure Element, for example
to support personalisation and provisioning.

Page 40

v 2.0

September 2011

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.

EMV Contactless Mobile Payment


EMVCo White Paper on Contactless Mobile Payment

Annex D Glossary

TSM

Trusted Service Manager

Type Approval

Acknowledgment by EMVCo that the specified


product has demonstrated sufficient
conformance to applicable EMV specifications
for its stated purpose.

UICC

Universal Integrated Circuit Card

September 2011

v 2.0

Page 41

2011 EMVCo, LLC (EMVCo). All rights reserved. Any and all uses of the EMV Specifications (Materials) shall be
permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at
http://www.emvco.com/specifications.aspx.