EMV in transit: What are these 'EMV Level 1, 2, 3' certifications?

Written by: Ivo van Vessem

August 21, 2017 - When it comes to EMV in transit certifications, it is often unclear what certifications apply, which parties have which role to obtain the certifications, what the certification requirements are, how long the process takes, when a re-certification is required, and which are the typical certification pitfalls.

Across the globe many transit schemes are upgrading their acceptance infrastructure to allow travelers to pay with a contactless EMV payment card, rather than the traditional transit-specific card. London is often cited as the example of a successful large scale roll-out of EMV in transit. Among the benefits of EMV in transit are removing the transit enrollment process for the occasional and foreign traveler, lowering card issuance costs, reliance on financial-grade security, and reducing the need for a dedicated top-up infrastructure for transit stored value.

 

Acceptance of EMV payment cards implies an integration of the transit infrastructure with the payment networks. Therefore, transit schemes, public transport operators, and device manufacturers are faced with the need to comply with the payment certification requirements. These certifications are known as EMV Level 1 and Level 2. The term “Level 3 certification” is also often used, although this is more aptly named “brand certification”. Besides these functional certification requirements, there is another notable certification challenge in the form of the Payment Card Industry (PCI) requirements that aim to protect cardholder data against unauthorized disclosure. The PCI certification implications for a transit environment are explored in a separate UL blog post.

 

When it comes to EMV in transit certifications, it is often unclear what certifications apply, which parties have which role to obtain the certifications, what the certification requirements are, how long the process takes, when a re-certification is required, and which are the typical certification pitfalls.

 

EMV certification levels

EMV contactless Level 1 certification ensures that the device (also: terminal) meets the lower level electromagnetic and communication protocol requirements. It includes operating distance tests where reference cards are placed at a set of predefined positions in proximity to the device’s antenna. It further covers analogue tests on the used frequency and digital tests on the low-level communication protocol, for example.

 Contactless Level 2 certification is concerned with the validation of the software that implements the payment functionality and that runs on the Level 1-certified device. This software is referred to as a payment kernel. The contactless payment brands to be supported (e.g. Mastercard/Maestro Contactless, VISA payWave, or American Express contactless) determine which of the payment kernels are to be implemented.

 Contactless Level 3 certification, or brand certification, ensures that the configuration of the software on the devices meets the brand requirements. In the case multiple payment brands are to be supported, all of the respective Level 3 certifications will have to be performed. [1] [2]

 

Who does what?

Level 1 certification is the responsibility of the device hardware supplier, whereas Level 2 certification is the responsibility of the device software supplier. It is important to note that for contactless EMVCo certification, there is no self-standing Level 2 certification. This means that a Level 2 certification is for contactless products, being a combination of a particular Level 1-certified hardware platform and 1 or more software kernels.

 When it comes to brand certification this is formally the responsibility of the acquirer[3]. For EMV in transit there typically is centralized fare calculation, often with aggregation based on the taps performed throughout the transit infrastructure. In such a setting, the party performing the centralized fare calculation (often the ticketing scheme operator) can be regarded as the merchant processor – in payment terms – whereas the Public Transport Operator can be considered a merchant. The acquirer can then delegate the Level 3 certification responsibilities to the merchants or the merchant processor. The latter options aligns nicely with the role that the ticketing scheme operator has in the traditional model with transit specific certification of contactless cards and acceptance devices.

 

To modularize or not to modularize, and other L2 options

For Level 2 certification, there is a choice between the EMVCo route and the payment scheme specific certification route. When opting for the EMVCo route, there is a further choice to be made between a modular terminal architecture and a non-modular architecture. The modular architecture involves more certification and auditing effort for an initial submission. However, for subsequent submissions, e.g. when support of another kernel is added, the certification effort is reduced. For non-modular architectures, subsequent submissions require most previously certified functionality to be retested. The modular architecture should be considered especially for newly developed devices or where the introduction of more payment schemes is expected in later phases.

 As an alternative to the EMVCo certification route, the payment scheme specific routes can be chosen. Each payment scheme has its own Level 2 certification approach that differ to some extent in scope. These Level 2 certifications will have to be completed for each of the contactless payment products that are to be supported. The payment scheme specific route is recommended for existing implementations and revisions thereof.

 It is good to note that even when opting for the EMVCo route, there are still some scheme-specific tests required by the schemes.

 

Certify yet again?

The validity of the certification in relation to changes or updates to the transit device is among the top frequently asked questions. EMVCo makes a distinction between minor and major changes. Unsurprisingly, the former do not require recertification whereas the latter do. Of course the interesting question is: what makes a change minor or major? Unfortunately, there is no clear-cut answer here. EMVCo provides some guidance and examples of major (e.g. firmware change) and minor changes (e.g. transistor change)[4], but ultimately it is the responsibility of the vendor (i.e. device hardware/software supplier) to determine whether a change qualifies as major or minor.

 For devices that have been certified following the payment scheme specific route, the situation depends on the payment scheme but is largely comparable to the EMVCo route. For EMV in transit it is good to highlight that any software changes that do not affect the payment processing functionality normally do not require a recertification.

Once a device has been successfully certified, a Letter-of-Approval is issued. This LoA has an expiry date after which the device is no longer certified. Continued use of the device requires an extension of the LoA or a recertification.

 

Common pitfalls

Regular retail payment terminals that offer a contactless interface also offer a contact interface[5]. As a contact interface is generally out of the question in a transit environment due to passenger throughput requirements, EMV in transit implies contactless. There can be some restrictions regarding the allowance of contactless-only transit devices, especially mobile devices that are used for inspection/ticket validation purposes.

 Some products are marketed as being “EMV ready” or something similar. Although this may offer a good starting point, it is good to be aware that this can very well mean that the product has not yet undergone or passed a formal EMV Level 1 (or 2) certification. Worst case this could mean that (hardware) changes to the product are required to have it pass EMV certification. Therefore, the exact certification status of a product or solution should be properly understood including agreement on the plan to obtain to required certification(s), before making any purchase decisions.

 EMV certifications are construed as a stack, meaning that the Level 2 certification builds on the prior Level 1 certification of the same device. So it is generally expected that in order to meet the functional/software Level 2 requirements, no hardware level features (certified at Level 1) need to be modified. In practice this proves not to always hold true. In such a case, the integration of Level 2 functionality in a Level 1 certified device, requires changes to the Level 1 functionality voiding its certification.

 Despite the rigidity of the EMV certification, using EMV certified components is not guaranteed to result in a functionally working solution. It is therefore recommended to implement a holistic quality assurance and testing strategy focused primarily on the correct functioning of the EMV in transit solution. Done properly, this should result in the (external) compliance requirements to be easily fulfilled due to the (internal) quality assurance strategy.

Conclusion

EMV certification in transit can be an intricate process involving many parties. The following can all contribute to a smooth and timely market introduction of EMV in transit:

  • Addressing certification timely,
  • making certification an explicit part of device procurement and vendor selection,
  • choosing a Level-2 certification route that fits the solution (both initially and forward-looking),
  • allocating certification lead times in project plans, and
  • giving due focus to achieving contactless transaction times that meet the tight passenger throughput requirements that are so characteristic for transit.

 

[1] Note that under the Mastercard scheme there are both the Mastercard and the Maestro brand. This implies two L3 certifications and just one L2 certification as both brands share the same kernel.

[2] Besides the certifications that involve the device, a Host & Clearing System certification is also required for the network up to the payment scheme.

[3] In a payment scheme, the acquirer is the party that processes payment transactions from merchants and routes those to issuing banks via a payment network.

[4] Refer to EMVCo TTA Bulletin 11

[5] There are some exceptions like contactless-only vending machines or turnstiles at paid sanitary facilities.

Disclaimer

These are the personal opinions of UL’s employees and its guests and should not be misunderstood as representing the opinion of UL's clients, suppliers or other relations.