In today’s payment world, EMV Level 3 (L3) certification is one of the most challenging and time-consuming processes for acquirers and terminal vendors. A typical L3 certification process for major brands (MasterCard, Visa, Amex, and Discover) takes between 3 and 6 months. In this article, we analyze why the process is so challenging and time-consuming and look at how it can be managed more efficiently and smoothly.
As shown in the diagram below, there are 3 main applications in a payment device:
- The EMV Level 1 application ensures that the device meets the lower-level electromagnetic and communication protocol requirements.
- The EMV Level 2 application is concerned with the validation of the EMV software that implements the payment functionality. The Level 2 application runs on the Level 1-certified device.
- The payment application is concerned with the main transaction flow, user interfaces, receipts, business settings of the merchant, configuration of the EMV software and acquirer host messaging (online interfaces). The payment application runs on the Level 2-certified device.
L3 certification is performed to ensure that the components of the entire solution (EMV Level 1, Level 2, payment application and acquirer host messaging) on the device meet the payment brand requirements. L3 certification examines everything that sits between the card and the payment network, which is indicated in yellow in the diagram below.
Acquirers need to get L3 certification for each payment brand to be able to deploy payment terminals to the merchants. EMV contact and contactless payment transactions cannot be processed without this certification.
The payment application on the device works according to the product settings of the terminal. Product settings are a combination of merchant business settings and EMV parameter settings. These settings may differ from one market to another, from one payment brand to another and from one acquirer to another. To give a better idea, a few product setting parameters are listed below:
- PIN bypass
- Contactless floor limits
- U.S. Common Debit selection process
- Quick Chip / M/Chip Fast
- CVM Methods: CDCVM, No CVM, Offline PIN, Online PIN.
- Terminal Action Codes
- Selectable kernel configuration
- Transaction routing decisions
- Acquirer host communication protocols
L3 Certification Steps
L3 certification is performed in the following order of steps:
- Acquirer – Registers to Payment Scheme
- Acquirer and Terminal Vendor – Fills out Data Collection Forms
- Acquirer – Set up test host environment to process transactions coming from the device
- Terminal Vendor – Set up the test environment (L3 test tool, test terminals, and connection to acquirer test host)
- Terminal Vendor – L3 Test Execution
- Acquirer – L3 Test Execution
- Acquirer – Getting Letter of Acceptance
If these steps are not managed well, a lot of time can be spent unnecessarily.
Acquirer – Registers to Payment Scheme
The first step is to register with the payment scheme in order to initiate an L3 certification process.
Filling Out Data Collection Form
This is an important step where the acquirer/terminal vendor sets EMV and product settings for the L3 certification process.
When filling out the data collection forms, it is crucial to set the parameters correctly. These parameters need to be:
- Compliant with the L2-certified configurations of the device
- Compliant with market conditions (e.g. terminal type should be Online Only in the United States, PIN bypass shouldn’t be enabled in Europe)
- Compliant with the acquirer’s business decisions (e.g. whether the acquirer wants to support U.S. Common Debit AIDs for low-cost routing, selectable kernel, M/Chip Fast, qVSDC)
- Compliant with payment brand rules (e.g. Contactless MSR is no longer allowed by certain payment brands)
During this step there is a lot of back and forth between the terminal vendor and the acquirer to answer the questions in the form. Setting some parameters incorrectly may cause a significant loss of time and additional effort. Both the acquirer and the terminal vendor should assign a certification consultant/product manager, and these people should work closely together to ensure that all data collection forms are filled out correctly. Sometimes there are questions that need to be put to the payment brands for clarification, so acquirers need to make sure they get a quick response from the payment brand. Even if only a few parameters are set incorrectly, most of the L3 tests may have to be repeated.
Setup Test Environments
Although this step does not seem complicated at first glance, sometimes one or more of the following issues cause a delay in the process:
- The L3 test tool is an old version, which causes some L3 tests to be processed incorrectly
- L3 test tool software, hardware or reader issues
- Delays in test terminal preparation for a terminal vendor: the acquirer needs to provide the test account with MID/TID to the vendor
- Wrong setting of the test terminal (wrong MID/TID, wrong test keys, wrong EMV configuration file, wrong merchant settings)
- Acquirer host not active or wrongly configured
- Wrong EMV configuration file
- Wrong merchant business settings
- Acquirer host connection issues
Terminal Vendor – L3 Test Execution
Generally, this is the most challenging and time-consuming step. In some cases, the terminal vendor performs the tests first and then the acquirer performs them. In other cases, the acquirer performs the tests directly and the terminal vendor provides support for failing test cases. There are thousands of test cases to be performed, and sometimes a test failure with a small cause can take weeks to fix. The following are the most common reasons for test failures.
- Merchant Business Settings: Sometimes merchant business settings differ from the L3 configuration, which may cause the L3 tests to fail. Production settings may not always be the same as L3 test settings. For example, an L3 test case might require a list of AIDs to be displayed on the terminal screen and selected by the cardholder, while merchant production settings may be configured so that the AID is selected automatically. It needs to be ensured that all merchant settings are made according to the L3 certification.
- Acquirer Host Messaging: Sometimes fields in the authorization message are missing or wrongly formatted. The acquirer host might be wrongly configured or not active. In these situations, it is important to obtain the transaction logs and a good level of support from the acquirer to address and fix the issue.
- EMV Configuration Parameters: Sometimes the EMV configuration file contains a wrong EMV parameter. The parameter may not be compliant with the Data Collection Form, the EMV specs or payment brand rules. There are hundreds of EMV parameters, and it needs to be ensured that all of them are correctly configured in the configuration file.
- Bug or Missing Features in Payment Application: Sometimes the payment application has missing features or a bug, so that it doesn’t meet the test pass condition. The issue might be related to a wrongly implemented payment flow that violates the EMV L3 requirements.
- Not applicable tests: Some test cases may not be applicable even though they appear in the list of tests, because the test tool is wrongly configured.
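The parameter checks described under "Filling Out Data Collection Form" and "EMV Configuration Parameters" can be automated before test execution starts. The sketch below is an added example, not code from the article or from any test tool; the field names, the kernel configuration labels and all sample values are hypothetical, and only the two market rules and the Contactless MSR rule are taken from the text above.

```python
# Added example: field names and all sample values are hypothetical/constructed.

# Market conditions quoted in the article, keyed by a hypothetical market code.
MARKET_RULES = {
    "US": [("terminal_type", lambda v: v == "online_only",
            "terminal type should be Online Only")],
    "EU": [("pin_bypass", lambda v: v is False,
            "PIN bypass should not be enabled")],
}

def check_config(dcf, terminal_cfg, l2_certified, market, brand_disallowed=()):
    """Return (category, parameter, detail) findings; an empty list means consistent."""
    findings = []
    # 1. Every value declared on the data collection form must match the terminal.
    for key, declared in dcf.items():
        actual = terminal_cfg.get(key, "<missing>")
        if actual != declared:
            findings.append(("DCF_MISMATCH", key,
                             f"form={declared!r} terminal={actual!r}"))
    # 2. The loaded kernel configuration must be one the L2 approval covers.
    kernel = terminal_cfg.get("kernel_config")
    if kernel not in l2_certified:
        findings.append(("L2_NOT_CERTIFIED", "kernel_config", repr(kernel)))
    # 3. Market conditions; a parameter missing from the form also fails.
    for key, ok, detail in MARKET_RULES.get(market, []):
        if not ok(dcf.get(key)):
            findings.append(("MARKET_RULE", key, detail))
    # 4. Features the payment brand no longer allows must be off on the form.
    for feature in brand_disallowed:
        if dcf.get(feature):
            findings.append(("BRAND_RULE", feature, "not allowed by brand"))
    return findings

# Constructed sample: a form and the configuration file loaded on a test terminal.
DCF = {"terminal_type": "offline_with_online", "pin_bypass": False,
       "contactless_msr": True, "kernel_config": "C2",
       "contactless_floor_limit": 0}
TERMINAL = dict(DCF, kernel_config="C3", contactless_floor_limit=5000)
L2_CERTIFIED = {"C1", "C2"}

if __name__ == "__main__":
    for finding in check_config(DCF, TERMINAL, L2_CERTIFIED, "US",
                                brand_disallowed=("contactless_msr",)):
        print(*finding, sep=" | ")
```

Running the same check again whenever the form or the configuration file changes catches a wrong parameter before it invalidates a batch of L3 test results.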
Acquirer – L3 Test Execution
If the acquirer repeats the tests after the terminal vendor has performed full testing, there shouldn’t be many issues in this phase. If the acquirer performs the tests directly, close engagement with the terminal vendor should be ensured, since in most cases the issue has to be fixed by the terminal vendor.
Acquirer – Getting Letter of Acceptance
This is the final step of the L3 certification process. The acquirer needs to submit to the brand all test results associated with the data collection forms.
To summarize, a smooth and efficient L3 certification process can be achieved if the following items are ensured:
- Acquirer and terminal vendor assign certification consultants/product managers
- Acquirer and terminal vendor give enough priority, assign enough resources and work in close cooperation
- Some steps described in this document may be carried out in parallel
- Acquirer and terminal vendor have EMV experts to quickly fix the issues and to fill out data collection forms
- Quick support from other parties: payment brands and test tool vendors
ESREF OZGUR ALTUNTAS
MANAGING DIRECTOR / EMV EXPERT