AMERICAN EXPRESS EMV CERTIFICATION GUIDE V2.8

Revision History

Version name, version date, and commentary/reason for revision:

Revision V2.3, October 2003
a) EMV Certification Guide V2.3 replaces EMV Acceptance Manual V2.2
b) The EMV Certification Request form, covering both device & E2E requirements, will be issued as a separate document & not included as an Appendix to this document
c) Terminal Parameters Information Pack: V1.0 July 2003 included as an Appendix
d) Other changes in line with current American Express EMV processes

Revision V2.4, February 2004
a) EMV Certification Guide V2.4 has been produced to reflect the streamlined certification process and replaces American Express EMV Acceptance Manual V2.3
b) The EMV Certification Request form, covering both device & E2E requirements, will be issued as a separate document & not included as an Appendix to this document
c) Terminal Parameters Information Pack: V1.0 July 2003 included as an Appendix
d) Other changes in line with current American Express EMV processes

Revision V2.5, May 2004
a) Removal of ‘Terminal Parameter’ appendix

Revision V2.6, June 2004
a) Editorial clarifications
b) Formatting changes

Revision V2.7, July 2004
a) Addition of header note explaining the need for testers to use identical kit in conditions that exactly replicate the live environment
b) Removal of reference to Electronic Business Guide under Submissions Testing section

Revision V2.8, July 2004
a) Editorial clarifications

AmeX EMV Certification Guide V2.8.doc

CONTENTS

1 Introduction
1.1 Certification and why it is necessary
1.2 American Express Certification Process
2 Target Audience
3 Glossary
4 American Express EMV Acceptance
4.1 AEIPS (American Express ICC Specification)
4.2 How do I obtain AEIPS?
4.3 EMEA EMV Authorisation
4.4 EMEA EMV Submission
4.5 Terminal parameters and CAPKs (Certification Authority Public Keys)
4.6 The Certification Process
4.7 When do I need to certify my EMV solution?
5 American Express EMV Authorisation Certification
5.1 Authorisation Certification Process / sample time frame
5.2 Pre-requisites
5.3 Requesting certification
5.4 Authorisation Certification
5.5 What Tests do I need to perform?
5.6 Authorisation testing
5.7 Test Fails
5.8 Test Passes
5.9 What do I do now?
6 American Express EMV Submissions Testing
6.1 Testing Process
6.2 Pre-requisites
6.3 Requesting submissions testing
6.4 What Tests do I need to perform?
6.5 Submission certification Fails
6.6 Submission certification Passes
6.7 What do I do now?
6.8 What do I do when I achieve Approval status?

Important Note:

In describing the following EMV certification process American Express assumes that in all cases testers are not emulating part or all of the merchant's POS/IPOS system but are using the identical hardware/software that will be used in the merchant's live system and that the transaction is routed using identical connection methods and the same equipment where applicable, e.g. the merchant host. Unless informed otherwise American Express assumes that all testing will be carried out at the merchant’s site – if this is not the case please inform the EMV Certification Unit via [email protected].

1 Introduction

American Express understands the complexity of EMV acceptance, the EMV specifications, and the work required by companies to bring products to market or upgrade their (POS) environment. American Express is keen to make the development of EMV acceptance on the POS as straightforward as possible. To this end, American Express has a certification process and supporting documentation.

1.1 Certification and why it is necessary

The purpose of American Express certification is to ensure interoperability between EMV cards, terminals and the authorising and switching host systems, not only within a given market but internationally. By having an American Express certified product in the marketplace, you are ensuring this interoperability to your customers.

Certification is a process for testing conformance with a pre-defined specification or set of requirements. The card industry has a strong interest in certification to uphold the following tenets of the industry:

1. To support the card brand by delivering confidence to merchants and cardmembers that transactions by chip and (EMV) will work as expected.
2. To deliver interoperability so that cards issued in one part of the world successfully complete transactions in POS terminals or merchant POS systems in another part of the world, with no prior engagement between the card issuer and the developer/acquirer of these systems.
3. To provide future proofing for the card issuer. Successful EMV certification of the Point of Sale terminal gives the card issuer the confidence that changes made to EMV card applications, residing within the architecture of EMV, will successfully function at existing points of sale, without further testing.

Without a strong EMV certification programme we would expect to find many processing issues at the point of sale, which would negatively impact both our cardmembers and merchant customers.

EMV is highly complex and contains many different processing options from which the card issuer can select. The POS terminal supports these options and effectively makes EMV work. It interacts with the card at the application level (to select an application and process the transaction according to the needs of the application) and with both the cardmember and merchant via terminal and messages and receipts. It also handles the online interface to the acquirer/issuer.

To implement EMV effectively, we need a rigorous approach to EMV certification.

American Express requires EMVCo Level 1 and Level 2 approval as a pre-requisite for building American Express EMV functionality. This should reduce the likelihood of problems occurring during certification.

This document describes the procedures and related information required to complete EMV certification approval for card accepting devices.

1.2 American Express Certification Process

Certification for the acceptance of American Express EMV payment transactions is split into two distinct processes:

1) Authorisation certification
2) Submission testing

Authorisation certification includes a number of off-line and online tests between a POS device and American Express test cards to test the terminal application and to ensure that the device handles and operates American Express cards correctly. In addition the process tests the end-to-end EMV transaction process and ensures that the correct messages are being passed to the cards through the acceptance and issuer systems. This is the American Express equivalent to the EMVCo Level 2 certification.

Submission testing is to ensure EMV transactions can be sent to American Express in the correct message format, through the acceptance systems. This is required by any merchant or third party submitting transactions to American Express.

These tests are to be executed by the vendor normally, but occasionally we may request a sample device to be provided to execute these tests ourselves. By adopting the procedures within this document, you will be able to have your new EMV device or acquiring software product certified by American Express.

2 Target Audience

The target audience for this document is POS device vendors, host system developers, merchants and third parties who wish to obtain American Express EMV certification for their products. Additionally, this document targets acquirers and processors that process transactions on behalf of American Express.

3 Glossary

AAC: Application Authentication Cryptogram
AEIPS: American Express ICC Payment Specification
AC: Application Cryptogram
AFL: Application File Locator
AID: Application Identifier
AIP: Application Interchange Profile
ARPC: Authorisation Response Cryptogram
ARQC: Authorisation Request Cryptogram
AUC: Application Usage Control
CAPK: Certification Authority Public Key
DDA: Dynamic Data Authentication
EMV: Europay Mastercard Visa
EMVCo: EMVCo, LLC formed in February 1999 by Europay International, MasterCard International and Visa International to manage, maintain and enhance the EMV™ Card Specifications for Payment Systems.
End-to-end Certification: Also known as acquirer certification
IAC: Issuer Action Codes
ICC: Integrated Chip Card
IIN: Issuer Identification Number
LCOL: Lower Consecutive Offline Limit
NDA: Non-Disclosure Agreement
PAN: Primary Application Number
PIN: Personal Identification Number
POS: Point Of Sale
PSE: Payment Systems Environment
SDA: Static Data Authentication
Self test: American Express provide the tools to allow the testing to be performed by the tester
TC: Transaction Certificate
Tester: The person who participates with Amex to execute the certification process for Vendor/Merchant/nominated third party

4 American Express EMV Acceptance

4.1 AEIPS (American Express ICC Payment Specification)

American Express complies with the global EMV specifications for EMV payment transactions. AEIPS is American Express’s EMV payment specification. The purpose of AEIPS includes detailing the specific requirements of American Express (and American Express entities) where variations are allowed within EMV, when implementing EMV (ICC) technology. AEIPS is primarily a technical specification, but it also states the business requirements that the technical solutions address.

4.2 How do I obtain AEIPS?

If you wish to obtain the AEIPS documentation please contact your American Express representative.

4.3 EMEA EMV Authorisation

American Express supports national message standards for authorisation of transactions. For information on what authorisation standards are supported in a particular country, please contact your local American Express representative.

4.4 EMEA EMV Submission

American Express supports national message standards for submission of charges and its own submission formats. For information on what submission standards are supported in a particular country, or situation, please contact your local American Express representative. Part of our certification process includes a submission test.

4.5 Terminal parameters and CAPKs (Certification Authority Public Keys)

All terminal parameters, CAPKs and CAPK-related information are covered in the TERMINAL PARAMETERS document issued as part of the test pack components. If these settings are required prior to entering the formal approvals phase please contact [email protected] who will provide the necessary information.

4.6 The Certification Process

The certification process follows a number of distinct steps. All of these must be executed, in order, to complete a certification for American Express card acceptance.

1. Completion of EMVCo Level 1 and Level 2 certification
2. American Express Authorisation Certification (offline & online EMV and magnetic stripe tests)
3. Submissions testing
4. American Express issues a certification letter when all of the above steps have been completed. This concludes the certification process.

Please note: American Express provides the tools to allow the Vendor/merchant/nominated third party (from here on referred to as tester) to perform the testing.

4.7 When do I need to certify my EMV solution?

The ‘EMV solution’ requires certifying prior to deployment and the acceptance of American Express branded cards.

The software components within a POS terminal applicable to certification are the terminal application and the EMV kernel:

• Terminal application. This provides the transaction processing software for handling the authorisation request, refund transaction etc., interfaces with the drivers for the peripherals (i.e. screen display, printer, PIN pad etc.) and handles the acquirer message interface.

• The EMV kernel. This provides the EMV capability and may be developed by the vendor or bought in from another supplier.

Note: When we certify a terminal we are certifying one implementation of each of the above components, effectively as a black box. As we are not aware of where the boundary lies between the individual software components, we can only certify the complete software package. Therefore a change to the POS terminal application software and/or the EMV kernel would require re-certification.

5 American Express EMV Authorisation Certification

5.1 Authorisation Certification Process / sample time frame

Detailed below is the process flow for American Express EMV certification. This diagram is an overview of the testing process. The boxes indicate the steps taken for American Express EMV certification, who executes the step (Tester or American Express) & provides a sample time frame.

Process flow (columns in the original: Tester, Direction, American Express, Sample time frame)

1. Tester: Certification information is requested from the American Express representative.

2. American Express: American Express representative sends certification procedures document and EMV Certification Request form.

3. Tester: Tester completes the EMV Certification request form and returns this to the American Express representative.

4. American Express: EMV Certification Unit reviews the Certification Request form and provisionally schedules testing slots for testing. EMV Certification Unit contacts the Tester and provides test plan, ICCSim test scripts (or ICCSim cards) and White Plastic cards needed to perform certification. Note: Test Cards will be issued shortly before the confirmed testing slot.
Sample time frame: Week 1

5. Tester: Tester reviews scripts and information to be submitted for certification and raises any questions on content or process.
American Express: EMV Certification Unit provides the tester with support as required.
Sample time frame: Week 2

6. Tester: Tester uses cards/scripts to prepare their device/systems for certification. Tester configures POS terminal with appropriate parameters. Tester performs a successful communication test to Amex EMV test environment.
American Express: EMV Certification Unit provides the tester with support as required.
Sample time frame: Week 2

7. Tester: Tester confirms the testing slot with EMV Certification Unit giving two weeks notice.
American Express: EMV Certification Unit issues ICCSim cards and White Plastic cards for testing.
Sample time frame: Week 2

8. Tester: Tester executes test scripts as per agreed schedule. When all tests have passed, tester collates the information we require for certification and returns completed scripts (or cards), receipts, display messages etc. All test output for each section (offline, online chip & pin, magnetic stripe) must be returned in one batch.
American Express: EMV Certification Unit provides the tester with support as required.
Sample time frame: Week 3, 4

9. American Express: EMV Certification Unit validates test results, communicates outcomes; issuing certificate (action 12) if no faults or queries found & if submissions tests are not required (if they are please refer to Section 6 – Submissions Testing).
Sample time frame: Week 5

10. Tester: Tester fixes faults and re-tests with American Express.
American Express: If faults are found errors are returned to tester with list of issues.
Sample time frame: Variable: Timescales dependant on outcome of review between tester & Amex.

11. American Express: When no faults are found in transaction scripts or submission details, the device / EMV kernel is certified and a certificate is sent to the tester.

12. Tester: Vendor/Merchant receives certificate allowing them to accept American Express EMV transactions using their EMV components, and returns signed copy.

The time frame indicated in column 4 of this process flow is a sample only. Your American Express EMV certification representative will discuss time frames and schedules with you in more detail.

The timings in this process flow are dependent upon the testing being completed according to agreed schedules, thereby allowing the results to be reviewed by American Express during the pre-arranged time slots.

Please ensure that slots are booked as early as possible and that your American Express representative is informed of any changes to submission dates.

5.2 Pre-requisites

Before the authorisation testing begins, the following must be in place:

1. The POS device or other EMV kernel has been upgraded to support EMV transaction data.
2. POS Device or EMV kernel processing has EMVCo Level 1 and Level 2 certification.
3. The POS device is configured with American Express terminal parameters.
4. The American Express test host is available for EMV testing.
5. End-to-end certification test slots are agreed between the tester and American Express.
6. It is essential that a communications test to our test system has been completed.

American Express will not normally issue a Certification approval letter (which allows the acceptance of American Express EMV transactions) until the submission route for the EMV transactions has been certified. (Reference Section 6 on EMV submission testing.)

5.3 Requesting certification

Authorisation Certification is initiated by completing the EMV Certification Request form, which can be obtained from your American Express representative. Once you have sent this form to American Express, it will be reviewed for accurate completion.
