The PURE certification scheme aims at providing assesment and certification services to solutions based on PURE specifications. The process presented below descibes all the steps leading to the certification of :
- IC Card Products compliant with PURE Dual-interface Cards Specifications,
- IC Card Products compliant with PURE Contact Cards Specifications,
- Contactless Kernels compliant with PURE Reader Application Specifications,
- Cloud-Based Mobile Payment Application compliant with PURE Cloud-Based Payment Solution Specifications.
Nominal process
Registration
The certification process is initiated upon reception of the following set of documents:
- a signed certification request,
- a completed Implementation Conformance Statement (ICS),
- the PURE licence information,
- an EMVco Level 1 proof of compliance,
- a Security Certificate delivered by the PURE Security certification scheme (for PURE IC Card Products),
- a Security Assessment Letter delivered by a PURE Security Evaluation Laboratory (for PURE Cloud-Based MPA Products).
After validation of the request by the Certification Body reviewer, a validated version of the ICS is sent to the Vendor and to the Test Laboratory to start the product evaluation.
Evaluation
Based on information present in the ICS, the Test Laboratory can start the test session on samples provided by the Vendor, and using a Qualified Test Suite.
After the evaluation, a test report is issued by the Test Laboratory to the Vendor, copy the Certification Body.
Note the Terminal configurations and Card profiles are provided by the Test Laboratory to the Vendor in the format corresponding to the lab’s evaluation process.
Evaluation Review
The evaluation report is then reviewed by the Certification Body in regards of definition of the product and the appropriate PURE specifications.
After analysis of the evaluation report, the certification body evaluator determines whether the product has shown critical discrepancies or not.
The review is formalized in a certification report then sent to the decision maker. At the end of the process, the certification report is sent to the vendor independently of the certification decision.
Certification Decision
The Decision maker receives the certification report in order to take the decision of certification. In case of positive assessment, a certification letter is issued to the vendor and the certified product is published on the PURE Certification Website in the Certified Product section.
Particular cases
Renewal (No product change)
In some situations vendors may need to provide a recent assessment for an already certified product. To manage these situations a particular process is defined to allow renewal of a certificate assuming that no changes have been made on the PURE product and that the elements provided for the initial certification are still valid or renewed (PURE licence, Level 1, Security certificate …).
Depending on the situation (e.g. impacting modification of the specifications or the test plan since initial submission), the Certification Body may require an additional evaluation on a reduced scope.
In most cases, if the certification request is valid and consistent with the elements of the certification for which the renewal is requested, a certification letter is issued to the vendor and the certified product is published on the PURE Certification Website in the Certified Product section.
Product Change (for Kernel)
To address the need of some vendors, a process is defined to obtain a proof of compliance for terminals using a previously certified kernel with different configurations (different device, OS, L1…).
Range Recognition:
A vendor has the possibility to declare a Range of terminals, that is to say a list of terminals with common characteristics. Terminals recognized as part of the same range of a previously tested terminal are eligible for an assessment without additional tests in a laboratory (decided by the Certification Body). All terminals of a range shall present a valid EMVCo Level 1 contactless approval and have the same:
- PURE Kernel;
- PURE Reader module or Entry Point module;
- Operating System;
- Physical architecture (Terminal Type as defined in EMV Book 4, Fully integrated Terminal, Intelligent Card Reader or Transparent Card Reader)
The Terminal Type depends on Environment (Attended /unattended), Communication (Online only / offline only / offline with online capability) and Operational control (Financial institution / merchant)
After decision of the certification body, the vendor receives a Range Recognition Letter.
Terminals not eligible for the range are evaluated on a reduced scope (cf. Incremental Certification).
Incremental Certification:
For a terminal implementing an already certified kernel, whether eligible or not to a Range, a vendor has the possibility to start a new certification process on a reduced scope. If the certification process is successful, this terminal obtains a Certification Letter.
Product Change (for IC Card product)
This particular process is defined for minor change certification on a card product such as antenna change or adding/removal of a non-pure EMV application on a previously certified product.
In this case, the process is the same as for a renewal.
Service Level Agreements
After reception of a complete registration and recption of a valid Evaluation Report, the vendor will receive the certification decision notification within 3 weeks.