Anda di halaman 1dari 15

AMERICAN EXPRESS EMV

CERTIFICATION GUIDE V2.8


Revision History

Version name Version date Commentary/reason for revision


Revision V2.3 October 2003 a) EMV Certification Guide V2.3 replaces
American Express EMV Acceptance Manual V2.2
b) The EMV Certification Request form, covering
both device & E2E requirements, will be issued as
a separate document & not included as an
Appendix to this document
c) Terminal Parameters Information Pack: V1.0
July 2003 included as an Appendix
d) Other changes in line with current American
Express EMV processes

Revision V2.4 February a) EMV Certification Guide V2.4 has been


2004 produced to reflect the streamlined certification
process and replaces American Express EMV
Acceptance Manual V2.3
b) The EMV Certification Request form, covering
both device & E2E requirements, will be issued as
a separate document & not included as an
Appendix to this document
c) Terminal Parameters Information Pack: V1.0
July 2003 included as an Appendix
d) Other changes in line with current American
Express EMV processes

Revision V2.5 May 2004 a) Removal of ‘Terminal Parameter’ appendix


Revision V2.6 June 2004 a) Editorial clarifications
b) Formatting changes
Revision V2.7 July 2004 a) Addition of header note explaining the need for
testers to use identical kit in conditions that exactly
replicate the live environment
b) Removal of reference to Electronic Business
Guide under Submissions Testing section
Revision V2.8 July 2004 a) Editorial clarifications

AmeX EMV Certification Guide V2.8.doc


CONTENTS
1 Introduction.................................................................................................................................. 3
1.1 Certification and why it is necessary 3
1.2 American Express Certification Process 4
2 Target Audience........................................................................................................................... 4
3 Glossary ....................................................................................................................................... 5
4 American Express EMV Acceptance .......................................................................................... 6
4.1 AEIPS (American Express ICC Payment Specification) 6
4.2 How do I obtain AEIPS? 6
4.3 EMEA EMV Authorisation 6
4.4 EMEA EMV Submission 6
4.5 Terminal parameters and CAPKs (Certification Authority Public Keys) 6
4.6 The Certification Process 6
4.7 When do I need to certify my EMV solution? 7
5 American Express EMV Authorisation Certification.................................................................. 8
5.1 Authorisation Certification Process / sample time frame 8
5.2 Pre-requisites 9
5.3 Requesting certification 9
5.4 Authorisation Certification 10
5.5 What Tests do I need to perform? 10
5.6 Authorisation testing 10
5.7 Test Fails 10
5.8 Test Passes 10
5.9 What do I do now? 10
6 American Express EMV Submissions Testing.......................................................................... 12
6.1 Testing Process 12
6.2 Pre-requisites 13
6.3 Requesting submissions testing 13
6.4 What Tests do I need to perform? 13
6.5 Submission certification Fails 13
6.6 Submission certification Passes 14
6.7 What do I do now? 14
6.8 What do I do when I achieve Approval status? 14

AmeX EMV Certification Guide V2.8.doc


Important Note:
In describing the following EMV certification process American Express assumes that in all cases
testers are not emulating part or all of the merchant's POS/IPOS system but are using the identical
hardware/software that will be used in the merchant's live system and that the transaction is routed
using identical connection methods and the same equipment where applicable, e.g. the merchant host.
Unless informed otherwise American Express assumes that all testing will be carried out at the
merchant’s site – if this is not the case please inform the EMV Certification Unit via
emvcertificationunit@aexp.com.

1 Introduction
American Express understands the complexity of EMV acceptance, the EMV specifications, and the work
required by companies to bring products to market or upgrade their Point of Sale (POS) environment.
American Express is keen to make the development of EMV acceptance on the POS as straight forward as
possible. To this end, American Express has a certification process and supporting documentation.

1.1 Certification and why it is necessary

The purpose of American Express certification is to ensure interoperability between EMV cards, terminals
and the authorising and switching host systems, not only within a given market but internationally. By
having an American Express certified product in the marketplace, you are ensuring this interoperability to
your customers.

Certification is a process for testing conformance with a pre-defined specification or set of requirements.
The card industry has a strong interest in certification to uphold the following tenants of the industry:

1. To support the card brand by delivering confidence to merchants and cardmembers that transactions by
chip and pin (EMV) will work as expected.
2. To deliver interoperability so that cards issued in one part of the world successfully complete transactions
in POS terminals or merchant POS systems in another part of the world, with no prior engagement between
the card issuer and the developer/acquirer of these systems.
3. To provide future proofing for the card issuer. Successful EMV certification of the Point of Sale terminal
gives the card issuer the confidence that changes made to EMV card applications, residing within the
architecture of EMV, will successfully function at existing points of sale, without further testing.

Without a strong EMV certification programme we would expect to find many processing issues at the point
of sale, which would negatively impact both our cardmembers and merchant customers.

AmeX EMV Certification Guide V2.8.doc


EMV is highly complex and contains many different processing options from which the card issuer can
select. The POS terminal supports these options and effectively makes EMV work. It interacts with the card
at the application level (to select an application and process the transaction according to the needs of the
application) and with both the cardmember and merchant via terminal and pin pad messages and receipts. It
also handles the online interface to the acquirer/issuer.

To implement EMV effectively, we need a rigorous approach to EMV certification.

American Express requires EMVCo Level 1 and Level 2 approval as a pre-requisite for building American
Express EMV functionality. This should reduce the likelihood of problems occurring during certification.

This document describes the procedures and related information required to complete EMV certification
approval for card accepting devices.

1.2 American Express Certification Process


Certification for the acceptance of American Express EMV payment transactions is split into two distinct
processes:
1) Authorisation certification
2) Submission testing

Authorisation certification includes a number of off-line and online tests between a POS device and
American Express test cards to test the terminal application and to ensure that the device handles and
operates American Express cards correctly. In addition the process tests the end-to-end EMV transaction
process and ensures that the correct messages are being passed to the cards through the acceptance and issuer
systems. This is the American Express equivalent to the EMVCo Level 2 certification.

Submission testing is to ensure EMV transactions can be sent to American Express in the correct message
format, through the acceptance systems. This is required by any merchant or third party submitting
transactions to American Express.

These tests are to be executed by the vendor normally, but occasionally we may request a sample device to
be provided to execute these tests ourselves. By adopting the procedures within this document, you will be
able to have your new EMV device or acquiring software product certified by American Express.

2 Target Audience
The target audience for this document are POS device vendors, host system developers, merchants and third
parties who wish to obtain American Express EMV certification for their products. Additionally this
document targets Acquiring banks and processors that process transactions on behalf of American Express.

AmeX EMV Certification Guide V2.8.doc


3 Glossary
AAC Application Authentication Cryptogram
AEIPS American Express ICC Payment Specification
AC Application Cryptogram
AFL Application File Locator
AID Application Identifier
AIP Application Interchange Profile
ARPC Authorisation Response Cryptogram
ARQC Authorisation Request Cryptogram
AUC Application Usage Control
CAPK Certificate Authority Public Key
DDA Dynamic Data Authentication
EMV Europay Mastercard Visa
EMVCo EMVCo, LLC formed in February 1999 by Europay International, MasterCard International
and Visa International to manage, maintain and enhance the EMV™ Integrated Circuit Card
Specifications for Payment Systems.
End-to-end
Certification Also known as acquirer certification
IAC Issuer Action Codes
ICC Integrated Chip Card
IIN Issuer Identification Number
LCOL Lower Consecutive Offline Limit
NDA Non-Disclosure Agreement
PAN Primary Application Number
PIN Personal Identification Number
POS Point Of Sale
PSE Payment Systems Environment
SDA Static Data Authentication
Self test American Express provide the tools to allow the testing to be performed by the tester
TC Transaction Certificate
Tester The person who participates with Amex to execute the certification process for
Vendor/Merchant/nominated third party

AmeX EMV Certification Guide V2.8.doc


4 American Express EMV Acceptance
4.1 AEIPS (American Express ICC Payment Specification)

American Express complies with the global EMV specifications for EMV payment transactions. AEIPS is
American Express’s EMV payment specification. The purpose of AEIPS include detailing the American
Express (and American Express entities) specific requirements where variations are allowed within EMV,
when implementing EMV (ICC) technology. AEIPS is primarily a technical specification, but it also states
the business requirements that the technical solutions address.

4.2 How do I obtain AEIPS?


If you wish to obtain the AEIPS documentation please contact your American Express representative.

4.3 EMEA EMV Authorisation

American Express supports national message standards for authorisation of transactions. For information on
what authorisation standards are supported in a particular country, please contact your local American
Express representative.

4.4 EMEA EMV Submission

American Express supports national message standards for submission of charges and its own submission
formats. For information on what submission standards are supported in a particular country, or situation,
please contact your local American Express representative. Part of our certification process includes a
submission test.

4.5 Terminal parameters and CAPKs (Certification Authority Public Keys)

All terminal parameters, CAPKs and CAPKs related information are covered in the TERMINAL
PARAMETERS document issued as part of the test pack components. If these settings are required prior to
entering the formal approvals phase please contact emvcertificationunit@aexp.com who will provide the
necessary information.

4.6 The Certification Process


The certification process follows a number of distinct steps. All of these must be executed, in order, to
complete a certification for American Express card acceptance.

AmeX EMV Certification Guide V2.8.doc


1 Completion of EMVCo Level 1 and Level 2 certification
2 American Express Authorisation Certification (offline & online EMV and magnetic stripe tests)
3 Submissions testing
4 American Express issues a certification letter when all of the above steps have been completed. This
concludes the certification process
Please note: American Express provide the tools to allow the Vendor/merchant/ nominated thirty party
(from here on referred to as tester) to perform the testing.

4.7 When do I need to certify my EMV solution?


The ‘EMV solution’ requires certifying prior to deployment and the acceptance of American Express
branded cards.

The software components within a POS terminal applicable to certification are the terminal application and
the EMV kernel

• Terminal application. This provides the transaction processing software for handling the authorisation
request, refund transaction etc, interfaces with the drivers for the peripherals (i.e. screen display, printer,
pin pad etc) and handles the acquirer message interface.

• The EMV kernel. This provides the EMV capability and may be developed by the vendor or bought in
from another supplier.

Note: When we certify a terminal we are certifying one implementation of each of the above components,
effectively as a black box. As we are not aware of where the boundary lies between the individual software
components, we can only certify the complete software package. Therefore a change to the POS terminal
application software and/or the EMV kernel would require re-certification.

AmeX EMV Certification Guide V2.8.doc


5 American Express EMV Authorisation Certification
5.1 Authorisation Certification Process / sample time frame
Detailed below is the process flow for American Express EMV certification. This diagram is an overview of
the testing process. The boxes indicate the steps taken for American Express EMV certification, who
executes the step (Tester or American Express) & provides a sample time frame.

Tester Direction American Express Sample


time
frame

1. Certification information is requested 2. American Express representative sends


from the American Express representative. certification procedures document and
EMV Certification Request form.
3. Tester completes the EMV Certification
request form and returns this to the
American Express representative.
4. EMV Certification Unit reviews the Week 1
Certification Request form and
provisionally schedules testing slots for
testing.
EMV Certification Unit contacts the Tester
and provides test plan, ICCSim test scripts
(or ICCSim cards) and White Plastic cards
needed to perform certification.
Note: Test Cards will be issued shortly
before the confirmed testing slot.
5. Tester reviews scripts and information Week 2
to be submitted for certification and raises
any questions on content or process. EMV Certification Unit provides the tester
with support as required
6. Tester uses cards/scripts to prepare their Week 2
device/systems for certification. EMV Certification Unit provides the tester
Tester configures POS terminal with with support as required
appropriate parameters.
Tester performs a successful
communication link test to Amex EMV
test environment
7 Tester confirms the testing slot with EMV Certification Unit issues ICCSim Week 2
EMV Certification Unit giving two weeks cards and White Plastic cards for testing.
notice.
8. Tester executes test scripts as per EMV Certification Unit provides the tester Week 3, 4
agreed schedule. When all tests have with support as required
passed, tester collates the information we
require for certification and returns
completed scripts (or cards), receipts,
display messages etc. All test output for
each section (offline, online chip & pin,
magnetic stripe) must be returned in one
batch.
AmeX EMV Certification Guide V2.8.doc
9. EMV Certification Unit validates test Week 5
results, communicates outcomes; issuing
certificate (action 12) if no faults or queries
found & if submissions tests are not
required (if they are please refer to Section
6 – Submissions Testing).
10 Tester fixes faults and re-tests with If faults are found errors are returned to Variable:
American Express. tester with list of issues Timescales
dependant
12. Vendor/Merchant receives certificate 11. When no faults are found in transaction outcome
allowing them to accept American scripts or submission details, the device / of review
Express EMV transactions using their EMV kernel is certified and a certificate is between
EMV components, and returns signed sent to the tester. tester &
copy. Amex.

The time frame indicated in column 4 of this process flow is a sample only. Your American Express EMV
certification representative will discuss time frames and schedules with you in more detail.

The timings in this process flow are dependent upon the testing being completed according to agreed
schedules, thereby allowing the results to be reviewed by American Express during the pre-arranged time
slots.

Please ensure that slots are booked as early as possible and that your American Express representative is
informed of any changes to submission dates.

5.2 Pre-requisites

Before the authorisation testing begins, the following must be in place:


1. The POS device or other EMV kernel has been upgraded to support EMV transaction data.
2. POS Device or EMV kernel processing has EMVCo Level 1 and level 2 certification.
3. The POS device is configured with American Express terminal parameters.
4. The American Express test host is available for EMV testing.
5. End-to-end certification test slots are agreed between the tester and American Express.
6. It is essential that a communications test to our test system has been completed.

American Express will not normally issue a Certification approval letter (which allows the acceptance of
American Express EMV transactions) until the submission route for the EMV transactions has been certified.
(Reference Section 6 on EMV submission testing.)

5.3 Requesting certification


Authorisation Certification is initiated by completing the EMV Certification Request form, which can be
obtained from your American Express representative. Once you have sent this form to American Express, it
will be reviewed for accurate completion.

AmeX EMV Certification Guide V2.8.doc


You will be forwarded the authorisation certification Pack. This will include the test plan and cards, as
required, so that the Tester can prepare for the certification.

5.4 Authorisation Certification


Authorisation certification involves testing the transaction between the POS device and American Express
test authorisation host. Normally the tests can be executed at anytime, without prior notification, using our
special test host facility.

For authorisation certification on POS terminals the device is self-tested.

5.5 What Tests do I need to perform?


The tests in the end-to-end Certification are split up into various sections:

• Offline Tests - There are approx 30-40 test scripts but the exact number will vary from time to time,
depending on industry requirements.
• Generic Online Tests – These Chip & Pin tests must be completed in all certifications. There are approx
20-30 test scripts, again the number will vary from time to time.
• Market specific Online Tests – Only the tests relative to the specific market of the systems / device being
certified need to be performed, therefore, the number will vary.
• Mag Stripe regression tests – there are approximately 30 test scripts, depending on the specification of the
device under test.

5.6 Authorisation testing


During testing the tester will run through the test plan using the test scripts, the ICCSim test cards/or the
ICCSim tool and the white plastic test cards. Once these are completed, the tester passes the ICCSim card
result logs and the completed test plan (with device transaction display information and relevant EMV
transaction logs provided and receipts attached) to American Express for review. If the ICCSim test cards
are supplied by American Express, they must be returned as they form part of the results needed for review.

5.7 Test Fails


If the testing fails for any reason all fault reports will be sent to you together with any logs and appropriate
evidence. A re-testing slot will then be arranged.

5.8 Test Passes


Upon successful completion of all internal test scripts and submissions testing an approval certificate will be
issued to the Tester.

5.9 What do I do now?


• Contact your local American Express representative for all the supporting documentation.
AmeX EMV Certification Guide V2.8.doc
• Read and complete the EMV Certification Request form
• Submit the EMV Certification Request form to your local American Express representative.
• Perform a communications test with our test system
• Arrange a test slot with American Express
• Follow the authorisation test plan and use the cards supplied
Note: Following authorisation certification, submissions testing would normally be completed. After
completion of these steps your EMV implementation would be certified for American Express EMV
processing.

AmeX EMV Certification Guide V2.8.doc


6 American Express EMV Submissions Testing

This is required of all submitters of American Express transactions


The correct submission of EMV data is very important to the whole process of EMV acceptance and
certification. American Express would not normally complete end-to-end authorisation certification until
EMV submissions testing has been completed successfully.

6.1 Testing Process

The testing process for EMV submission fil B* s detailed below:

Tester Direction American Express

1. Tester contacts American Express 2. The American Express representative


representative to request Submissions collects relevant submission information from
testing. the tester.
For the UK the submissions format
specification is available in the Electronic
Business Guide (EBG)

3 The tester develops their systems to 4 American Express representative contacts


handle the new submission format the tester to

The tester performs a satisfactory a) set up the submission test link and
submissions test via the submissions test
link with American Express b) arrange for the submission of test file.

5. Tester sends submission test file to 6.American Express receives test file in the
American Express at the confirmed time. test submission system

American Express reviews and validates the


If required, Tester fixes faults and re- submission test file providing feedback to
submits a submission test file at a tester
confirmed time

7 Once the certification processes for device,


end-to-end authorisation and submissions are
completed satisfactorily by the tester, an
8 Vendor/merchant receives certificate American Express EMV certification approval
allowing them to accept American Express letter is issued to the vendor/merchant
EMV transactions using their EMV
components, and returns signed copy.

*1 For the UK there is more detail on certification testing in the ‘Electronic Business Guide’
AmeX EMV Certification Guide V2.8.doc
6.2 Pre-requisites
There are several pre-requisites to the submission testing, one of the most significant being that the test
transactions are generated using a POS device that has already received American Authorisation certification
(EMV and mag stripe).

Before the submissions testing can begin, the following must be in place:
1. The POS device or other EMV kernel has been upgraded to support EMV transaction data.
2. POS Device or EMV kernel processing has EMVCo Level 1 and level 2 certification.
3. Transactions are generated using a POS device or EMV kernel that has passed American Express
EMV Authorisation certification.
4. The American Express test host is available for EMV testing.
5. Submissions certification test slots are agreed between tester and American Express.
Note: It is essential that a communications test to our test system is completed before submission testing
commences.

American Express will not issue our Certification letter which allows the acceptance of American Express
EMV transactions until the submission route for the EMV transactions has been tested satisfactorily.

6.3 Requesting submissions testing

Submissions testing is initiated by your American Express representative who will contact you to collect
relevant submission information. Your representative will later contact you to set up test links and arrange
submission of test file.

6.4 What Tests do I need to perform?

We would prefer the submission file to be created from the tests carried out during authorisations
certification. If this is not possible please contact your American Express representative.

Please notify your American Express representative before sending the submission file via your submission
test link.

6.5 Submission certification Fails


Your American Express representative will provide you with a fault report. For minor changes we require
you to re-submit within 48 hours. If the changes are more complex an indication of the time frame required
to fix and resubmit is requested.

AmeX EMV Certification Guide V2.8.doc


6.6 Submission certification Passes
End-to-end certification approval will not be given to any tester until the submission route for the EMV
transactions has been completed. Upon successful completion of all internal end-to-end test scripts and
submissions testing an approval certificate will be issued to the Vendor/merchant.

6.7 What do I do now?


• Wait to be contacted by your American Express representative who will collect submissions information
from you.
• Complete any technical development required to handle the new submission format
• As confirmed with American Express perform a submission link test
• Send submissions test file in a timeframe agreed with the American Express representative.
Note: once we have received a valid test submission file and all other test processes are completed an end-
to-end Certification Approval will be issued to the vendor/merchant

6.8 What do I do when I achieve Approval status?


• Return a signed copy of your approval letter
• Remember to use your live authorisation NUA, live merchant number & live keys

AmeX EMV Certification Guide V2.8.doc