With this new recognition, Applus+ expands its portfolio of security services aimed at mobile payment solutions based on the emulation of secure chips.
Applus+ Laboratories has been accredited by the EMVCo consortium* as an SBMP (software-based mobile payment) evaluation laboratory. With this new accreditation, Applus+ broadens its remit as an EMVCo security laboratory as well as its portfolio of mobile payment solution services.
The new EMV SBMP certification scheme is aimed at devices carrying out EMV payment transactions on smartphones and other such products by way of software that emulates a card’s secure element.
Evaluating the robustness of software countermeasures
Payment solutions based solely on software do not offer the same intrinsic level of security as is provided by a secure element (hardware). As such, they rely on security countermeasures such as white box cryptography, obfuscation, anti-cloning (device binding), anti-tampering and anti-debugging. Applus+, as an EMV SBMP-accredited laboratory, can evaluate the robustness of such security countermeasures.
EMVCo SBMP evaluation versus Visa, MasterCard and Amex HCE evaluations
EMVCo SBMP certification complements the HCE payment-application evaluations developed by Visa, MasterCard and AMEX. The key difference is that the latter schemes’ evaluations centre on the security of the payment application itself, while the EMVCo SBMP evaluation is aimed at the software modules, such as cryptographic modules, that confer security countermeasures on a given device.
*EMVCo accreditation does not under any circumstances include any endorsement or warranty regarding the functionality, quality or performance of any particular product or service. EMVCo does not warrant any products or services provided by third parties. EMVCo accreditation does not under any circumstances include or imply any product warranties from EMVCo, including, without limitation, any implied warranties of merchantability, fitness for purpose, or non-infringement, all of which are expressly disclaimed by EMVCo. All rights and remedies regarding products and services which have received EMVCo accreditation shall be provided by the party providing such products or services, and not by EMVCo.