EMV Level 3 Certification, a Pain Point for POS Vendors and Acquirers
EMV Level 3 certification is a mandatory requirement for any payment acceptance device. Once device hardware is certified for EMV L1 and L2, then it should go through EMV Level 3 certification for each card brand. And this certification should be repeated for each device type and country.
There are new payment trends in the market such as SoftPOS, Apple tap to pay on iPhone, tablet based payments, new POS terminals with different form factors, etc. Payment companies and acquirers want to offer their solutions in the shortest time to their customers. With the increasing number of payment methods, channels and form factors, EMV Level 3 certification has become one of the most challenging item to address. Payment providers need to quickly certify their solutions to go to market quickly, however most of time they waste long time during the EMV Level 3 certification.
EMV Level 3 certification is a costly and time-consuming process. The process requires a significant amount of acquirer host and EMV testing for different modules such as EMV SDK, EMV Level 3 application, receipt and acquirer integration module. It requires involvement of different parties, including POS terminal vendor, payment gateway, acquirer, test tool vendor and card brands. In most cases, the certification time extends dramatically and sometimes it even takes more than 1 year.
In this blog, we will investigate items that helps you to achieve EMV Level 3 certification in a shorter time and with less effort.
In-house or Outsourced
It is important decision whether to run the project with internal resources or outsource it. There may be different factors for this decision. If your resources are not enough or occupied with other projects, then outsourcing might be a good option. However finding the right solution provider is crucial. If you want to outsource only testing where you have enough EMV resources in your company, it may be easier to find a vendor. However, if you want outsourced vendor to take more responsibility to handle the certification end to end without minimum dependency to you then this service provider should have the capacity to assign to the project with EMV experts, POS and certification analysts, testers and project managers. If any of these are missing, especially EMV experts, then outsourcing may not help you to achieve a smooth certification.
As opposed to general idea, majority of the certification time is not spent in L3 testing, it is spent in analyzing, identifying and fixing test failures. The success of the project highly depends on EMV expertise of the team in the project. Of course other items such as project managers, program managers, alignment and focus of teams, collaborative working are crucial as well.
Right Team and Right Process Bring Success
EMV Level 3 certification delays are mostly sourced from following reasons :
- EMV L2 kernel SDK(or firmware or any application managing connection between L2 kernels and POS application) is not configured correctly so that it doesn’t behave in the correct way.
- POS application doesn’t implement L3 requirements correctly (i.e U.S Common Debit, open loop transit related logics, receipts, etc)
- Payment gateway sends authorization message with incorrect fields.
- New brand EMV requirements.
- Acquirer host configuration issues.
It is crucial that testers, EMV experts, product managers and engineers to collaboratively work to identify and address issues. Identifying issues is a critical item where EMV experts step in, analyze the test case, test results and logs. These experts should know brand requirements deeply and they should be able to quickly, investigate and identify the issue. Once the issue is identified, relevant group should be notified. These groups may be EMV SDK team, POS team, payment gateway team or acquirer. There should be a well-defined project management and mitigation process so that the right team can focus on the right thing. Teams would be better to work in close time zones since most of times the issues can only be addressed with involvement of multiple teams. Generally, the delay in projects is because of the lack of expertise to figure out the root cause of the issue. Issues should be quickly investigated, identified and assigned to the right team. At this point the involvement of EMV experts and product managers are crucial. Once issue is identified, it should be clearly defined with detailed explanation of root cause, EMV requirements, test case requirements and solution alternatives to fix the issue. Engineers should have all necessary information such as test tool logs, test case requirements, POS logs, acquirer messages to fix issues in short time. EMV experts, product managers and engineers should jump on calls proactively whenever it is needed. Acquirer’s team may also be included in conversations.
Well-defined Mitigation Process
Well-defined mitigation process is important for all parties to instantly access and see issues, milestones, risks and ETAs. Also high level reports should be generated so that project stakeholders can manage expectations and take required actions to facilitate the process. In case of dependencies like delayed response from card brands or test tool vendors, it is crucial someone high level to step in and help expedite the process. If there is dependency to third party vendors such as EMV L2 kernel or POS hardware providers, then it is crucial to align with their team to get required support timely and efficiently.
How to Avoid Project Delays
EMV Level 3 certification duration can be shortened significantly if it is planned in the right way and if the team has the required expertise and focus on the project. A well-planned project helps you to offer your solution ahead of competition and reduce your costs.
At the very early phase of the project, following checks should be done to avoid delays in the later phases :
- Data collection forms : Acquirer and POS vendor should agree on the required features, such as AIDs, CVM methods, offline/online. There are also technical detailed items in the forms where EMV experts should help parties to understand requirement and decide if it will be supported.
- Analyze EMV terminal configuration parameters carefully. Check the version of EMV L2 kernel to be certified and check if there are any updates on the existing parameters for all card brands.
- Check test requirements to figure out if there are any new major requirements. This process should be done as early as possible to give POS developers or acquirer integration team enough time.
- Check acquirer host specs to figure out if there is any change and implement these changes as early as possible.
- Check L3 test tool version and make sure to use the right version.
- Using POS terminal effectively (to run transactions, send bug reports, load O.S and configs, etc.)
- Ensure effective communication methods with test tool vendor, acquirer, and terminal vendor
- Access to test platforms to change store settings (i.e., prioritize U.S Debit, or Application Selection from the list, enabling tips, Store & Forward, Voice Auth, etc.)
How Fairbit Helps Expediting the Project
Most of times, POS vendors don’t have enough resources, such as testers, EMV experts. Fairbit team has average 20 years of EMV experience, implementing tens of EMV certifications in the United States, Canada and Europe. Fairbit provides testers but most importantly we can provide EMV experts and consultants as well. Our team has great experience in EMV projects. We developed in-house EMV kernels and SoftPOS solution with the extensive EMV experience. Fairbit team worked in different markets gaining expertise for domestic and global standards. Our team has experience on not only EMV specs and L3 test requirements but also on business or market specific requirements such as U.S Common Debit, open-loop transit, Strong Customer Authentication and so forth. Also there are brand specific requirements. Different brands like MasterCard or Visa may have different requirements sometimes. Some countries have their own domestic standards like Interac in Canada. Knowing all these standards give Fairbit team great insight to address issues and help POS vendors to implement right logics.
Fairbit team can also :
- Review POS API/SDK documents to understand the calls and logs between the POS terminal and the reader to help fixing failing tests
- Review Payment Gateway API documents understand API calls between terminal and the host to help fixing failing tests
Fairbit supports EMV certification projects in a tailored way based on your needs. In the most simple way, we can provide testers if you have enough internal resources. If you need EMV experts, this is something we are the best and we can provide EMV experts. We can also provide project managers, program managers if needed.