
Kernel Management Guidelines: Payments Security Task Force (PST)

The document discusses kernel management guidelines for EMV terminals. It provides recommendations for managing terminal kernels, including ensuring EMVCo approvals are valid and determining what types of changes require retesting/new approvals. The guidelines are meant to help minimize testing requirements for terminals and reduce impacts when updates are needed. Acquirers should confirm terminals have current approvals and work with vendors on how kernel changes may affect terminals.

Uploaded by

Paulo Lewis

Payments Security Task Force (PST)
Kernel Management Guidelines

EMV Migration Forum/Payments Security Task Force
April 2015

About the EMV Migration Forum and the Payments Security Task Force

The EMV Migration Forum is a cross-industry body focused on supporting the implementation steps required for global and regional payment networks, issuers, processors, merchants and consumers to help ensure a successful introduction of more secure EMV chip technology in the U.S. The focus of the Forum is to address topics that require some level of industry cooperation and/or coordination to migrate successfully to EMV chip technology in the U.S.

For more information on the EMV Migration Forum, please visit http://www.emv-connection.com/emv-migration-forum/

Announced in March 2014, the Payments Security Task Force is a cross-industry group focused on driving executive level discussion that will enhance payment system security. The Task Force comprises a diverse group of participants in the U.S. electronic payments industry including payment networks, banks of various sizes, credit unions, acquirers, retailers, industry trade groups, and point-of-sale device manufacturers.

Introduction: Kernel Management Guidelines

Welcome to the U.S. EMV Value-Added Reseller Qualification Program's educational webcast series, brought to you by the Payments Security Task Force and EMV Migration Forum.

This is a brief on Kernel Management Guidelines, presented by Russell Wolfe of UL.

Note: This webcast is one in a series of webcasts which will provide U.S. value added resellers,
independent software vendors and merchant organizations with understanding of the U.S. market for
EMV migrations, U.S. debit deployment, development preparation, lessons learned and testing
considerations to assist with EMV chip migrations.

Kernel Management Guidelines

These guidelines are recommendations for kernel management
• Kernel management is linked to managing terminal vendor communications and standardizing solutions.
• Proper management can potentially minimize terminal testing requirements, as well as minimize the overall system impact when necessary updates/changes to existing terminals are deployed in the market.

EMV Terminal Kernel Requirements Background

• Ensure the EMV terminal has EMVCo approvals for the Interface Module or IFM and kernel at time of deployment.
• EMVCo renewal policy states an IFM approval is valid for 4 years and an application kernel approval is for 3 years. This validity period applies to both static and configurable kernels.
• Terminal changes are defined by EMVCo as major and minor based on their impacts. Major changes require EMVCo retesting and new approvals.
• Terminal vendors determine whether changes to approved IFM/kernel are considered major or minor.
• For minor changes, EMVCo retesting or new approvals are not required. The terminal vendor is responsible for managing documentation and internal test results for minor changes to the original EMVCo approval.
• Refer to EMVCo Type Approval Bulletin No. 11, 6th Edition, February 2014.

Kernel Management Guidelines

• "Approved terminals" refer to terminals that contain an EMVCo approved kernel and chip reader IFM. Different models in the same terminal family can share an approved kernel and/or chip reader.
• A terminal can continue to be deployed without risk until the kernel expires (as governed by Payment Network policies).
• Terminals can remain in market beyond the approval expiration as long as there are no changes to the kernel or chip processing logic. Includes existing inventory already in the distribution channel as long as there are no interoperability issues.
• Payment Networks have policies related to terminal approvals for payment network testing requirements.
• EMVCo approved components are largely portable, meaning an EMVCo approved application kernel may run on any terminal that has an EMVCo approved IFM.
• As a best practice, terminal vendor maintenance changes to an existing kernel are usually incorporated into the next version which would require a new certification.
• At expiration of the EMVCo approval, the terminal vendor can request an approval extension.

Testing Considerations

• Payment Networks have positions related to terminal approvals and network testing requirements.
• Acquirers should ensure that any new terminal installations contain IFMs and kernels that have a current EMVCo approval.
• Typically a minor change to a kernel would not require retesting against the Payment Network tests. It is recommended to work with your terminal vendor on kernel change impacts to your terminal configuration.
• Not all kernel changes require an upgrade. Refer to EMVCo Bulletin 11. Depending on the classification, retesting may not be required.
• If an interoperability issue is identified, changes will be required which may include updates to the kernel and payment network testing will be required.
• Anytime there are changes to chip processing impacting the payment application or the EMV kernel, payment network testing will be required.

Recommendations

• Standardize POS solutions by using the same kernel configuration.
• A kernel can be supported on more than one device (terminal family).
• Consult with your terminal vendor to determine if the terminal is the same family which can reduce testing.
• Reduce the number of configurations deployed which can reduce testing efforts.
• The current EMVCo recommendation is expired kernels should be replaced within one year after expiration date. Any new deployments would require a new approved kernel, requiring a separate payment network certification.

Recommendations

• Evaluate kernel updates, when available by the terminal vendor.
• Terminal management systems will allow for EMV configurations and parameter updates to be managed remotely and efficiently.
• The identifiers of kernels with interoperability issues are listed on the EMVCo website.
• Establish ongoing communication with your terminal vendor.
• If an interoperability issue is identified, the acquirer will need to be able to make the necessary changes which may include updates to the kernel. Payment network testing will also be required.

Consult with your acquirer and payment network for more details on their EMV implementation requirements.

UL - Transaction Security Division
Russell Wolfe