Chip Card Testing and Approval Requirements V8.0

Chip Card Testing & Approval
Requirements
Visa Approval Services
Version 8.0
April 2021
Visa Public
Important Information on Confidentiality and Copyright
© 2010-2020 Visa. All Rights Reserved.
Notice: The Visa Confidential label indicates that the information in this document is intended for use
by Visa employees, Visa clients, and other external persons and entities that are parties to an
applicable Confidentiality and Nondisclosure Agreement (NDA) with Visa. This information is not for
public release.
THIS DOCUMENT IS PROVIDED ON AN "AS IS,” “WHERE IS,” BASIS, “WITH ALL FAULTS” KNOWN AND
UNKNOWN. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, VISA EXPLICITLY
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, REGARDING THE LICENSED WORK AND TITLES,
INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY , FITNESS FOR A PARTICULAR
PURPOSE, AND NON-INFRINGEMENT.
THE INFORMATION CONTAINED HEREIN IS PROPRIETARY AND CONFIDENTIAL AND MUST BE

MAINTAINED IN CONFIDENCE IN ACCORDANCE WITH THE TERMS AND CONDITIONS OF THE
LICENSE OR OTHER APPLICABLE AGREEMENT BETWEEN YOU AND VISA.
All brand names and logos are the property of their respective owners, are used for identification
purposes only and do not imply product endorsement or affiliation with Visa.
Note: This document is not part of the Visa Rules. In the event of any conflict between any content in
this document, any document referenced herein, any exhibit to this document, or any communications
concerning this document, and any content in the Visa Rules, the Visa Rules shall govern and control
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants
for use exclusively in managing their Visa programs. It must not be duplicated, published, distributed
or disclosed, in whole or in part, to merchants, cardholders or any other person without prior written
permission from Visa.
The trademarks, logos, trade names and service marks, whether registered or unregistered (collectively
the “Trademarks”) are Trademarks owned by Visa. All other trademarks not attributed to Visa are the
property of their respective owners.
Contents
Chip Card Testing & Approval Requirements
Contents
Tables .............................................................................................................................................................................. iii

Figures .............................................................................................................................................................................iv
Introduction ................................................................................................................................................................... 6
Audience....................................................................................................................................................................................... 6
Contact Information ................................................................................................................................................................. 7
Process Overview ...................................................................................................................................................................... 8
1 Vendor Registration,Licensing & Agreements .............................................................................................. 9
1.1 Vendor Registration....................................................................................................................................................... 9
1.2 Licensing Specifications and Software.................................................................................................................... 9
1.3 Legal Agreements......................................................................................................................................................... 10
1.4 Test Plans and Commercial Test Tools ................................................................................................................. 10
1.4.1 Test Plans ................................................................................................................................................................. 10
1.4.2 Commercial Test Tools and Test Scripts....................................................................................................... 12
2 Product Submission Process ............................................................................................................................. 14
2.1 Product Questionnaires.............................................................................................................................................. 14
2.2 Laboratory Scheduling and Testing ....................................................................................................................... 15
2.2.1 Disposition of Samples After Testing ............................................................................................................ 16
2.3 Forms Required for Testing ...................................................................................................................................... 16
2.4 Functional Testing Requirements Overview ....................................................................................................... 17
2.4.1 Sharing of Test Results ........................................................................................................................................ 20
2.5 Security Testing Requirements ................................................................................................................................ 20
2.5.1 IC Security Evaluations ........................................................................................................................................ 20
2.5.2 Visa Chip Security Program ............................................................................................................................... 21
2.5.3 Initial Assessment Letter (IAL) .......................................................................................................................... 22
2.6 Product Samples for Testing .................................................................................................................................... 22
2.6.1 Sample Requirements ......................................................................................................................................... 22
2.6.2 Number of Samples and Personalization for Functional Testing ....................................................... 24
2.6.3 Information Printed on Samples ..................................................................................................................... 30
2.6.4 QR Code Labels for Performance and Cross Testing Samples ............................................................ 31
April 2021 Visa Confidential i

Contents
2.6.5 Reduced Sample Testing requirements........................................................................................................ 33

3 Test Reports Review and Approval Process................................................................................................. 36
3.1.1 Test Results .............................................................................................................................................................. 36
3.1.1.1 Product Fails Testing ...................................................................................................................................... 36
3.1.1.2 Product Passes Testing.................................................................................................................................. 36
3.2 Requesting an Approval............................................................................................................................................. 37
3.3 Product Approval .......................................................................................................................................................... 39
3.3.1 Legal Conditions & Restrictions ...................................................................................................................... 39
3.4 Product Approval Period ........................................................................................................................................... 40
3.4.1 Products Approved After January 1 2016 .................................................................................................... 41
3.5 Global Design and Innovation Product Review & Qualification ................................................................. 42
A Appendix A – Revision History ........................................................................................................................ 44
B Appendix B – Testing Requirements ............................................................................................................. 46
B.1.1 Appendix Structure............................................................................................................................................... 46
B.1.2 Limits to Change Process ................................................................................................................................... 46
B.1.3 Paper Approval Process ...................................................................................................................................... 46
B.2 Product Test Requirements - Static Native, Base Product ............................................................................ 47
B.3 Product Test Requirements - Static Native, Changes/Derivatives ............................................................. 48
B.4 Product Test Requirements – GlobalPlatform, Base Product ....................................................................... 52
B.5 Product Test Requirements - GlobalPlatform, Changes/Derivatives ........................................................ 53
B.6 Product Test Requirements – Inlays for non-card products with static contactless chip, Base
Product........................................................................................................................................................................................ 57
B.7 Product Test Requirements - Inlays for non-card products with static contactless chip,
Changes/Derivatives .............................................................................................................................................................. 57
B.8 Product Test Requirements – Non-card products with static contactless chip, Base Product........ 59
B.9 Product Test Requirements - Non-card products with static contactless chip,
Changes/Derivatives .............................................................................................................................................................. 60
B.10 Product Test Requirements - VBSS, Base Product ........................................................................................... 61
B.11 Product Test Requirements – VBSS compliant products, Changes/Derivatives ................................... 62
Acronyms and Glossary ............................................................................................................................................. 68
ii Visa Confidential April 2021

Tables
Tables
Table 2–1: Forms Required for Testing ........................................................................................................................ 16

Table 2–2: Sample and Personalization requirements for Functional Testing ........................................... 24
Table 2–3: Printing for functional testing samples ................................................................................................. 30
Table 2–4: Serial numbering guide for QR samples ............................................................................................... 33
Table 3–1: Quantity and personalization for archived samples ........................................................................ 37
April 2021 Visa Confidential iii

Figures
Figures
Figure 2–1: Product Submission Process ...................................................................................................................... 14

Figure 2–2: Security Testing Process .............................................................................................................................. 21
Figure 2–3: Positioning the QR code label on an ID1 card sample................................................................... 32
Figure 3–1: Report Review and Approval Process ................................................................................................... 36
Figure 3–2: Card Lifecycle Management Policy ......................................................................................................... 41
iv Visa Confidential April 2021

April 2021 Visa Confidential v

Introduction
Introduction
The process and requirements described in this document applies to the following types of product
• Contact chip products supporting Visa Smart Debit/Credit (VSDC)
• Contactless chip products supporting MSD/qVSDC
• Dual interface chip products supporting VSDC and MSD/qVSDC
For the purpose of this document the term “card” shall be used to represent ID1 size cards, fobs, mini
cards, micro-tags, adhesive micro-tags (stickers), and inlays for non-card products with static
contactless chip.
Other form factors will be referred to as “non-card products with a static contactless chip”, one
example being a wearable product such as a wristband.
A product with a static contactless chip is defined as a payment product that cannot have its account
data provisioned or updated post issuance. In other words, the genuine account number, not a token,
is personalized to the product prior to issuance.
For information about the mobile product type approval process please refer to Visa Approval
Services Mobile Product Testing and Compliance Requirements document.
Audience
This document is intended for vendors submitting chip card products and non-card products with a
static contactless chip to Visa Approval Services for testing. It describes Visa’s product testing and
approval process.
6 Visa Confidential April 2021

Introduction
Contact Information
Visa Approval Services is responsible for managing the accreditation and various other processes
described in this guide. They are the single point of contact within Visa for vendors seeking testing
and laboratories seeking accreditation. The vendor or the testing laboratory may contact Visa
Approval Services at any time.
Email: [email protected]
Websites: Visa Technology Partner
(https://technologypartner.visa.com)
Visa Digital Partner Services
(https://digitalpartnerservices.visaonline.com/ )
US Postal Address: Visa International Approval Services
For shipping non-card
•
900 Metro Center Boulevard
products and inlays with
static contactless chip Mail Stop M3-2NW
for interoperability and
performance testing Foster City, CA 94404
United States
• For shipping cards for Mailroom Contact : (650) 432-8822
archiving:
Visa Worldwide Pte Ltd

Singapore Postal Approval Services
Address:
Mailstop SP08-A2
• For shipping cards for 10 Eunos Road 8 #10-01
interoperability and
Singapore Post Centre
performance testing
408600 Singapore
Mailroom Contact +65 6579 3712
April 2021 Visa Confidential 7

Introduction
Process Overview
The type approval process consists of the following stages:

• Registration, Licensing and Agreement Execution (usually done once)
• Product Submission
• Testing Authorization
• Laboratory Testing
• Test Reports Review
• Product Approval
The scope of testing includes (where applicable) the following:

• Testing of basic electrical and protocol characteristics of the contact interface
• Testing of radio frequency and protocol of the contactless interface
• Testing of Visa payment application(s)
• Security testing of the final product
To reduce the duplication of testing for vendors, Visa’s type approval process utilizes testing and
certification programs offered by EMVCo and GlobalPlatform.
The applicability and scope of functional and security testing is dependent of the configuration of
product being submitted and the circumstance of the submission, i.e. whether it is a new product or a
derivative.
If the product successfully passes all required testing and requirements, Visa issues a Letter of
Approval (for card products) or Letter of Compliance (for stickers and non-card products). The
approval recognition applies internationally unless specified in the letter.
Note: The process described in this document does not approve vendors, it only approves products.
Approval is not transferrable from one product to another, or from one vendor to another.
Note: The issuance of a letter by Approval Services does not provide an allowance of the card
construction per ISO 7810 & 7811-6, or review against the Visa Product Brand Standards, as required
by Global Design & Innovation (Brand). Information regarding this separate and required qualification
process can be found on the Visa Product Brand Standards website or by contacting
[email protected].

Vendor Registration,Licensing & Agreements
1 Vendor Registration,Licensing & Agreements

All vendors must
• Register as a Visa Technology Partner
• License Visa specifications, and software (where applicable)
• Execute an Approval Services Testing Agreement (ASTA) before they can submit a
product for testing.
1.1 Vendor Registration
The Visa Technology Partner website facilitates the vendor registration process. Information can be
found at https://technologypartner.visa.com/Registration. Vendors only need to register once.
Note: Vendors who are submitting a non-card product with a static contactless chip, e.g. a wearable
or an IOT product, are also required to enroll in the Visa Ready program. Please contact Visa Ready at
[email protected] or go to Visa Ready Portal at. https://partner.visa.com/site/programs/visa-
ready.html
1.2 Licensing Specifications and Software
Product manufacturers are responsible for developing products to supported Visa specifications and
requirements.
The Visa Technology Partner website facilitates the licensing of Visa’s Chip Specifications and Visa-
developed Software, which in turn allows access to additional documentation vendors will need:
• Visa Contactless Payment Specification
• Visa Integrated Circuit Card Specification
• Visa-developed Visa Smart Debit / Credit application software
• Visa Chip Security Program
• GlobalPlatform Requirements
• Visa Prepaid Specification
• Multi-Access for Visa Smart Debit/Credit Specification
• Test plans and personalization (see section 1.4)
• Visa Biometric Sensor-on-Card Specification

This list is not exhaustive of all specifications and requirements that may be used in the development
of a Visa-compliant payment product, for example EMVCo and GlobaPlatform. The vendor developing
a product is ultimately responsible for obtaining all specifications and requirements relevant to the
product it submits for testing and approval.
Information about licensing Visa technology can be found on the Visa Technology Partner website at
https://technologypartner.visa.com/Registration.
1.3 Legal Agreements
In addition to the license agreements, vendors intending to submit a product to Approval Services for
testing must execute an Approval Services Testing Agreement (ASTA). The ASTA is a standard
agreement that defines the terms and conditions governing the testing and approval of the vendor’s
product. The ASTA is made available to download from the Visa Technology Partner website after the
vendor has registered (see section 1.1). Please contact Approval Services if you have questions about
the ASTA.
Vendors who enroll in the Visa Ready program will also need to execute the Visa Ready Contract.
Please contact Visa Ready at [email protected].
Vendors will also need to enter into agreements with Visa-recognized testing laboratories that will test
their product. Visa does not get involved with agreements between laboratories and vendors. A
current list of Visa Recognized Testing Laboratories and their contacts can be found on the Visa
Technology Partner and Visa Digital Partner websites.
1.4 Test Plans and Commercial Test Tools
Test plans and commercial test tools with associated test scripts are available to assist vendors in
conducting quality assurance (QA) testing prior to submitting the product for official testing.
1.4.1 Test Plans
Successful completion of all the test scripts by the vendor does not imply approval, nor does it depict
Visa’s full testing process. Rather, it provides the vendor with insight into the product testing process.
Visa reserves the right to develop and run additional tests that are not part of the current test plan.

Visa testing may include subjecting the product to additional physical and situation-specific tests as
needed.
Vendors must sign the Approval Services Testing Agreement to gain access to test plans on the Visa
Technology Partner website.
Visa grants vendors who have signed the required agreements permission to use the test plans solely
for purposes of developing and testing products for a Visa application. Visa may revoke its permission
at any time. Possession and use of these materials is subject in all respects to the terms and the
continued effectiveness of the Approval Services Testing Agreement.
These materials are provided on an “as is” basis “with all faults.” Visa disclaims all warranties
pertaining to these materials, expressed or implied, including the implied warranties of
merchantability, fitness for purposes, or non-infringement.

1.4.2 Commercial Test Tools and Test Scripts
Commercial test tools and test scripts are available from Test Tool Vendors. Test Tool Vendor contact
information is published on the Visa Technology Partner or Visa Digital Partner Service website.
Test plans and test scripts are subject to enhancements and modifications at any time. Unpublished
test plan revisions are made available through Approval Services’ knowledge base on the Visa
Technology Partner website or Visa Digital Partner Service (requires logging on to the site).
Test plan revisions will be accumulated and published as new test plans as determined by Visa. It is
the Vendor’s responsibility to ensure that they have the most current test plans and test scripts
available. Vendors should contact their tool supplier to obtain any test script updates. Test Plans are
accessible online via the Visa Technology Partner or Visa Digital Partner Services website for licensed
Vendors


Product Submission Process
2 Product Submission Process

All necessary forms for testing are available on the Visa Technology Partner website. Vendors should
download and complete the latest version of the forms. This section discusses the forms that are
required and the requirements for scheduling.
The forms and process differs slightly between cards and non-card form factors with a static
contactless chip.
Vendor Completes
Vendor Updates
Non-Card Product Questionnaire for Vendor Submits Approval Services
Questionnaire Questionnaire and
with Static Wearable with Questionnaire to Reviews N
OK? Re-submits to
Contactless Chip Static Contactless Visa Ready Questionnaire
Approval Services
Chip
Approval Services
Vendor Completes
Vendor Submits Issues Visa
Approval Services
Card Form Factor Questionnaire to Reference Number
Chip Card
Approval Services and Determines
Questionnaire
Testing
Vendor Provides Vendor Contacts Approval Services Approval Services

Vendor Provides
Samples for Lab(s) to Schedule Notifies Vendor of Authorizes Testing
Forms to Lab(s)
Testing Testing Test Requirements at Laboratories
Figure 2–1: Product Submission Process
2.1 Product Questionnaires
Vendors must provide a Product Questionnaire for each product submitted for testing and approval.
The questionnaire is used to determine whether the product is acceptable and what testing is
required.
• If a product supports both T=0 and T=1 protocols, the product can be submitted
separately for each protocol or can be both protocols in one questionnaire. If submitted
with both protocols, the product will be evaluated in one testing scope.
• If a contactless product supports both Type A and Type B, the product must be
submitted separately for each contactless type and each will be tested independently.
• If a product supports multiple memory sizes, it shall be submitted with multiple memory
sizes declared in the same questionnaire. Approval Services assigns a single Visa

reference number. Visa’s approval extends to all chip models or memory sizes covered
by the EMVCo IC Certificate Number referenced in the approval letter.
2.2 Laboratory Scheduling and Testing
The vendor and the laboratory(s) are responsible for scheduling testing once the vendor has received
confirmation of the testing requirements from Approval Services and testing is authorized. Visa does
not participate in and is not responsible for any scheduling between the Laboratories and Vendors.
Security testing can take longer than functional testing. It is the vendor’s choice when to start security
and functional testing.
A vendor has six months from the testing authorization date to complete all testing and submit test
results to Approval Services. If applicable , all test samples for Performance and Cross Testing must
be submitted within reasonable timeframe so that testing can be completed within the six months
from the testing authorization date.
It may be necessary to contact more than one laboratory, depending on the characteristics of the
product, the scope of testing, and the testing available at various laboratories. For a current list of
testing offered by a laboratory, go to the Approval Services section on Visa Technology Partner
website.
Note: If any problems occur during functional or security testing that would not allow the product to
successfully complete testing, the following will occur:
• Official testing will stop.
• The vendor is responsible for all costs incurred with the Laboratory(s).
• The problem is corrected and the product questionnaire resubmitted.
Laboratories performing functional testing may offer quality assurance (QA) testing that can be
completed prior to submitting a product for official testing. However, quality assurance testing is not
part of Visa’s official testing and approval process and QA test results are not accepted for review.

2.2.1 Disposition of Samples After Testing
After functional testing is complete the Laboratory will:

o Retain the remaining samples for any subsequent testing that may be required.
o Keep the samples for six years (if the product is approved).
Note: Visa reserves the right to conduct additional testing on any products that have gone through
the testing and approval process.
2.3 Forms Required for Testing
Official testing shall not begin until the vendor has provided all necessary forms to the laboratory.
The Exhibit A and Request for Approval Forms are combined in a single file.
Table 2–1: Forms Required for Testing
Form Description
Exhibit A: Request for Establishes Visa’s right to review testing results submitted by the Vendor,
Testing Services following testing at a Laboratory.
+ An official request to release test reports to Visa so that Visa can begin
the review and approval process for a product tested at the Laboratory.
Request for Approval Form
Single Production Batch An attestation by the vendor that all samples submitted for testing (initial
Confirmation Form test samples or replacement samples), regardless of the Laboratory to
which they are being sent, are from the same production batch and
without modification.
Implementation A vendor must provide detailed information regarding the Visa payment
Conformance Statement application, platform, or interface.
(ICS)**
A separate ICS is needed for each type of functional testing performed.
** Visa accepts the equivalent forms used by EMVCo and GlobalPlatform, specifically:
• EMVCo Common Payment Application Level 1 & Level 2 ICS (for Contact Level1). The vendor only
needs to complete the section for Electrical and Protocol testing. The ICS must show the
hexadecimal values returned by the chip card in response to Answer to Reset (ATR), SELECT
command, and GET PROCESSING OPTIONS. Data provided by the Vendor is used to check the
data returned by the card during testing.
• EMVCo PICC Level 1 ICS (for Contactless Level1)
• GlobalPlatform Supported Configuration Options (SCO)

Forms must be submitted for each product submission. If a product fails testing, a new version of
each form must be provided when the product is resubmitted for testing.
2.4 Functional Testing Requirements Overview
Laboratories test various functions and applications supported by Visa. Such testing includes the
electrical aspects of the chip protocol and communications of the product, as well as functionality of
the applications.
Testing is dependent on the technology and applications supported by the product. A rough guide is
shown below.
Product Type Description
Contact Product EMV Contact Level 1 (Electrical & Protocol) T=0 or T=1
Visa Payment Application (VSDC)
Visa Biometric Sensor on Card Specification Application (VBSS)
Visa Biometric Sensor Performance Testing
Contactless Product EMV Contactless Level 1 (Analog & Digital) Type A or Type B
Visa Payment Application (MSD and/or qVSDC)
Cross Testing
Performance Testing
Dual Interface Product EMV Contact Level 1 (Electrical & Protocol) T=0 or T=1
Visa Payment Application (VSDC)
EMV Contactless Level 1 (Analog & Digital) Type A or Type B
Visa Payment Application (MSD and/or qVSDC)

Cross Testing
Performance Testing

Product Type Description
GlobalPlatform Product GlobalPlatform Functional Platform Testing
Although testing of dynamic CVV2 functionality is out of scope of functional testing, if supported the
dCVV2 functionality shall be enabled for testing.
EMV Contact Level 1 ensures a level of interoperability for cards and acceptance devices. Testing is
comprised of electrical characteristics, transmission protocol T=0 or T=1, and Answer to Reset (ATR) 3
volt and 5 volt.
EMV Contactless Level 1 ensures a level of interoperability for contactless products and acceptance
devices. Testing is comprised of analog testing to ensure the magnetic field characteristics are able to
carry the communication, and digital testing to ensure the timing, anti-collision, and protocol
characteristics are able to carry the communication.
Visa Payment Application testing ensures that the application processes the transactions correctly,
in accordance with the relevant specifications. MSD and qVSDC application paths are for contactless
use only and shall not be used through a contact interface. VSDC application path is for contact use
only and shall not be used over a contactless interface. Multi-Access for VSDC and Prepaid application
testing are also included if declared to be supported by the product. VBSS application is for contact
and contactless interfaces.
Visa performs cross testing (also referred to as interoperability testing) to ensure that contactless
products and devices are interoperable with each other. Cross-Testing is a part of the official testing
process, and the performance during this testing will be part of final approval consideration. Products
that fail to communicate with multiple devices may not be eligible for approval.
Note: Visa is not permitted to disclose information about the terminals used for Cross-Testing to
Vendors. Samples cannot be shared for contactless level 1 and cross testing.
Performance testing: Effective September 1 2016, contactless and dual interface products are
required to support a minimum ICC key size of 1152 bits and still meet the contactless performance
requirement of ≤ 400 milliseconds. Please refer to Approval Services Announcement ASA20150801 on
the Visa Technology Partner website for details.
VBSS compliant products, template extraction and matching timing shall be <1 second.
GlobalPlatform manages the platform functional testing for GP platforms. Visa only accepts official
GP test results performed by a GP-qualified Laboratory. Self-testing results are not accepted as proof
of specification compliance. Vendors shall provide an SCO Form and Qualification Letter from GP to
Visa in support of their submission. Visa requires the SCO and Qualification Letter prior to issuing an
approval or compliance letter. More information about the GlobalPlatform compliance testing process
can be found on its website at http://www.globalplatform.org.

A JavaCard-S product is based on both GlobalPlatform and JavaCard-S requirements. Because

JavaCard-S requirements do not allow for post-issuance download of applet packages or deletion of
applet packages or instantiations, the product cannot be tested in the same manner as a
GlobalPlatform card. Therefore, it is necessary to test the Visa payment application on the product to
ensure that the JavaCard-S platform can correctly interface with the Visa payment application. A
JavaCard-S product shall be submitted as static native card.

2.4.1 Sharing of Test Results
Vendors have the opportunity to leverage functional test reports from approved products. A product
that shares test results may be eligible for reduced testing.
If Visa discovers a defect in a product that other products have shared test results from, all Vendors
involved in the sharing agree that Visa can communicate all relevant information to each affected
Vendor and its customers, including an explanation of the nature of the defect and products at issue.
Shared test results are permitted only if:
 All Vendors involved in the sharing have an ASTA.
 The product being leveraged from has been tested and approved with no issues or
comments.
 The product being leveraged from is not already sharing test results from another
product.
 A product using shared results will be tied to the original approved product as follows:
 The product will receive the same expiration date as the product from which the results
are shared.
 If the original product is revoked, then all products sharing testing results will be
revoked.
 If the original product is modified and/or updated, then all products sharing testing
results may require additional testing.
 The questionnaire being submitted should indicate that the product is seeking to share
test results and provide the Visa Reference Number (VTF#) of the approved product.
Note: If a product is submitted for full testing, it will receive an independent approval, and its
expiration date is not tied to any other product.
2.5 Security Testing Requirements
2.5.1 IC Security Evaluations
Chip hardware is defined as the basic ‘Chip’ or ‘IC’ product without an operating system or
application. The security of the chip hardware is evaluated by EMVCo. The EMVCo IC security
evaluation process considers the security of chip products and aims to provide a high level of
assurance that the chip is designed to resist known attack methods. Visa leverages the EMVCo
process to minimize cost and time spent in performing evaluation work and to avoid duplication of
effort.

EMVCo issues an IC certificate with an IC Certificate Number (ICCN) when a chip has successfully
completed the EMVCo IC security evaluation process. EMVCo approved ‘IC’ products are listed on the
EMVCo website at www.emvco.com.
Requirement: Visa will only accept new products for security testing if the chip has successfully
completed the EMVCo IC security evaluation process and the chip is listed on the EMVCo approved
chips list.
For detailed information on the EMVCo ‘IC’ security evaluation process, please see EMV Security
Guidelines – EMVCo Security Evaluation Process available at www.emvco.com, or contact the EMVCo
Security Evaluation Secretariat at [email protected] with any questions.
For further information on how the EMVCo security evaluation process ties in with the Visa Chip
Security Program, please contact Approval Services.
2.5.2 Visa Chip Security Program
Like functional testing, security testing is performed only on a product in its final configuration, as it
would be supplied to a Visa client. Security testing focuses on aspects of the product implementation
that may have a security impact. Security testing goes beyond the functional testing to see if the
product is vulnerable to known attacks, whether or not these are explicitly cited in the specification.
The Visa Chip Security Program (VCSP) seeks to minimize the cost and time spent in performing
evaluation work and to avoid duplication of effort. Security testing is not exhaustive and focuses on
the most likely vulnerabilities as revealed by previous testing, knowledge of the particular
application(s), and past experience with similar products.
The level of testing is continuously increasing to reflect ‘state-of-the-art’ attack potential.
Consequently, the introduction of new chip products should offer a higher level of protection against
the latest threats. However, no testing can anticipate all potential future attacks. Security, by
definition, is an ongoing process; as time progresses, attack and defense becomes a race.
All Visa chip-based payment products are required to go through VCSP security testing.
Visa Chip Security Program—Security Testing Process for Chip Cards provides detailed information
about the security evaluation program. The VCSP Initial Assessment Letter (IAL) requirements
document provides the requirements for submitting an IAL to Approval Services. These documents
are available at the Visa Technology Partner website.
Approval Services Vendor Authorizes

Security Lab Sends Security Evaluation Lab Sends Report Approval Services
Reviews IAL and Security Testing Lab to send Report
IAL to Approval Provided to to Approval Reviews Report &
Authorizes Security Performed to Approval
Services Vendor Services Issues Verdict
Testing (if needed) Services
Figure 2–2: Security Testing Process

Products exist in many variants and may sometimes have minor differences. A product with a “minor
change” is not required to undergo Visa security testing and will leverage the approval date and
comments of the original product.
A minor change is defined as:
• Verified bug fixes with no negative impact on security
• Functional changes that do not have an impact on security testing
• VSDC code changes that Visa has defined as minor
2.5.3 Initial Assessment Letter (IAL)
Vendors must obtain an initial assessment letter (IAL) from a Visa-recognized security laboratory prior
to Visa authorizing security testing to begin on a product. The Vendor must authorize the laboratory
to submit the IAL to Visa for products being submitted for security testing.
The review of the IAL will determine the amount of security testing that will need to be performed,
and Visa may decide that more or less testing is required based on product history and other factors.
The following summarizes different security testing scenarios:
• Full security testing – This will be required in the case of a new product that has not been
evaluated previously by the Laboratory under the VCSP program.
• Delta security testing – This will be performed in the case of product modification or
patch.
• No security testing – This may result in the instance that the product has been evaluated
before and the changes have no negative security impact (e.g., it is classified as a Minor
Change).
2.6 Product Samples for Testing
A vendor is required to provide samples for testing as described in this section.
2.6.1 Sample Requirements
Laboratories will accept products for testing only in their final configuration as they will be supplied to
Visa clients. A product submitted for testing shall be in the state described below.

Requirement Description
Chip The chip must be embedded and bonded to the product’s body.
Commands Commands that can update the product must be in compliance with the
Visa specifications for the application(s) in the product.
Documentation When providing technical documentation, all commands and status

words must be identified. Failure to identify commands and status words
in the technical documentation may cause the product to fail testing.
Debugging code All debugging code must be removed from the product before it is
submitted for testing. Failure to remove this code may cause the product
to fail testing.
Personalization Static native products personalized for testing must be in their

personalized/locked state.
ATR values After the card is put into an initialized state, the Answer to Reset (ATR)
(contact only) values (except for historical bytes) cannot be changed.
A product may not contain both T=0 and T=1 protocols within the same
Answer to Reset (ATR).
ATS values For Type A contactless products, the Answer to Select (ATS) values on the
(contactless only) product submitted for testing must be those identified in the
Implementation Conformance Statement (ICS).
Answer to REQB For Type B contactless products, the values of bytes 10, 11, and 12 in the
Command “Answer to REQB Command” on the product submitted for testing must
be those identified in the Implementation Conformance Statement (ICS).
Antenna A schematic of the antenna must be provided for all contactless and dual
Schematic interface products.
(contactless only)

2.6.2 Number of Samples and Personalization for Functional Testing
The following number of samples are required for testing.
A product that supports more than one Visa payment application requires a full set of samples for
each Visa payment application. For dual interface products, a full set of samples must be provided for
each interface.
All personalization requirement documentations are published on the Visa Technology Partner or Visa
Digital Partner website.
Personalization of test data will differ for each Visa application being tested. The functionality of the
Visa application must not be affected by personalization.
Samples must be from the same production batch.
Inlays for non card products are treated the same as the card for the purposes of this section
Table 2–2: Sample and Personalization requirements for Functional Testing

Form Factor Type of Testing Number of Personalization Comments

Samples Requirements /
Profile
Card Cross Testing 55 For VCPS 2.1.3 or less: Send samples to

Singapore location
o ID1 Card 21_1152_v2* except Inlay, which goes
o Micro Tag to Foster City.
For VCPS 2.2 or
higher:
o Sticker
o Fob 22_1152_v1*
o Mini Card Performance 12 For VCPS 2.1.3 or less: Vendors are required to
o Inlay with Testing provide three samples of
21_1024_v2 each profile.
static
contactless 21_1152_v2 Send samples to
chip Singapore location
21_1408_v2
except Inlay, which goes
21_1920_v2 to Foster City.
For VCPS 2.2 or

higher:
22_1024_v1
22_1152_v1
22_1408_v1
22_1920_v1
Card Cross Testing 5 For VCPS 2.1.3 or less: Send samples to

Singapore location.
o Metal 21_1152_v2*
o dCVV2 For VCPS 2.2 or
higher:
22_1152_v1*

Performance 4 For VCPS 2.1.3 or less: Vendors are required to

Testing provide one sample of
21_1152_v2 Send samples to

Singapore location.
21_1408_v2
21_1920_v2
For VCPS 2.2 or

higher:
22_1024_v1
22_1152_v1
22_1408_v1
22_1920_v1
Card Contact Level Number depends on For VIS 1.5.4 or less: Card Image files are
1 test requirements. included in the VIS
Refer to test VSDC01, VSDC11,
laboratory for VSDC12 or VSDC13 test plan package
guidance
(VIS Card Images
Requirements v1.5.4b)
For VIS 1.6.1 or

higher:
CT_L1
(VIS Contact L1 Test

v1.6.1 R01)

Any Contactless Level Number depends on For VCPS 2.1.3 or less: Card Image files are
1 test requirements. included in the VCPS test
Refer to test VCPS_1_000 or plan package
laboratory for VCPS_2_000
guidance
(VCPS Card Image Book
2 Part 1 v2.1.3b_R_01)
For VCPS 2.2 or

higher:
CTL_L1
(VCPS Contactless L1
Test v2.2 R01)
Card Visa Smart Refer to the Refer to the

Debit/Credit personalization personalization
requirements for the requirements for the
applicable VSDC test applicable VSDC test
plan version. plan version.
Any Visa Contactless Refer to the Refer to the

Payment personalization personalization
applicable VCPS test applicable VCPS test
plan version. plan version.
Card Static Native Refer to the Refer to the

personalization personalization
applicable applicable VSDC/VCPS
VSDC/VCPS test test plan version.
plan version.

Any GlobalPlatform Refer to the Refer to the Visa discourages

GlobalPlatform Test GlobalPlatform Test extensions of the
Card Preparation Card Preparation GlobalPlatform
Requirements. Requirements. Application
Programming Interface
Vendors can take (API) and does not test
the opportunity of extensions, if
Reduced Sample implemented.
Testing, to reduce
the number of test
samples needed for
a GlobalPlatform
chip card product’s
approval. Refer to
Reduced Sample
Testing
requirements
Non-card Cross Testing 3 For VCPS 2.1.3 or less: Send samples to Foster
product with City location.
static contactless 21_1152_v2*
chip Vendors may provide
For VCPS 2.2 or additional equipment for
higher: the purpose of holding
the product at its
22_1152_v1*
preferred angle for
testing, otherwise the
default presentment
shall be face down,
parallel to the terminal
landing plane.

Performance 4 For VCPS 2.1.3 or less: Vendors are required to

Testing provide one samples of
21_1152_v2 Send samples to Foster

City location.
21_1408_v2
21_1920_v2
For VCPS 2.2 or

higher:
22_1024_v1
22_1152_v1
22_1408_v1
22_1920_v1
Card VBSS Testing Refer to VBSS Refer to VBSS

Performance, Cross- Performance, Cross-
Testing and Level Testing and Level
1/Archive Release 1/Archive Release
Notes located on Notes located on Visa
Visa Technology Technology Partner and
Partner and Visa Visa Digital Partner
Digital Partner websites
websites
Notes:
i. Vendors should always check and use the latest Card Images for Performance and Cross test provided in
Visa Technology Partner site. The current card image version for VCPS 2.1.x products is v2 and VCPS
2.2.x products is v1.
ii. Samples for card image 1920 is required if the product or its base product supports this key size. The
vendor shall indicate any limitations in the CCQ if the product cannot meet this requirement

2.6.3 Information Printed on Samples
The table below details the Information printing for functional testing samples.
This information is optional for the Performance and Cross Testing samples. Each Performance and
Cross Testing samples must include a QR Code label as described in next section.
.
Table 2–3: Printing for functional testing samples
Form Information Comment

Factor
Card Visa reference number (VTF number) Paste-on labels are not acceptable.
Chip model number
Test cards are not required to have a
Contactless interface type (Type A or Type B) magnetic stripe for the testing process.
if applicable
Transmission protocol (T=0 or T=1) if
applicable
Unique serial number per card
List of applications on the card (abbreviations
are acceptable)
Card Image Number – (not applicable for
Reduced Sample testing for GP cards
supporting VIS 1.6.1 and VCPS 2.2)
Non-card Visa reference number (VTF number)

product
Card Image Number
with static
contactless The center point of the proximity payment
chip antenna

2.6.4 QR Code Labels for Performance and Cross Testing Samples
The QR code label requirement is applicable to all Cross Testing and Performance Testing samples for
the following product form factors: ID1 Card, Micro Tag, Sticker, Mini Card, ID1 Card (Metal) and ID1
Card (dCVV2). The printed information detailed in section 2.6.3 is optional for Cross Testing and
Performance testing samples.
Each individual QR code label will contain and display the following information:
• Product Reference Number (VTF)

• Serial Number (example: 001)
• Card Image Name (example: 22_1152_v1)
• Test Type (XT for cross testing and PF for performance testing)
• Contactless Protocol (Type A, Type B)
Vendors will receive a QR code label package with two files upon testing authorization. The number of
labels in each file is dependent on the quantity required for the card product. The package includes
following:
• The PNG file contains .PNG image files that are customizable according to the Vendor’s in-house
label printer requirements.
• The PDF file is a ready-to-print 8.5” x 11” label template with 1”x1” QR code labels.
• A sample QR code label package is attached with this announcement. Vendors may use both file
formats that are included for trial runs at their respective printing facility.
Vendors shall comply with the following requirements when using the QR code labels:
• Print the QR code on durable white matte or semi-gloss adhesive labels.
• Alternatively, Vendors can also print the QR code label directly on each sample.
• Transparent labels are not acceptable.
• For ID1 size cards:
o Place the QR code label on the back of the card as shown in Figure 1. Ideally, its
position should be right in the center, but we can accept displacement of up to
10mm.
o The size of the QR code should be between 18mm x 18 mm to 25mm x 25mm

Figure 2–3: Positioning the QR code label on an ID1 card sample
• For non-ID1 size cards:

o Please contact Approval Services with details and physical dimensions of your product
for further instructions.
Vendors can optionally generate their own QR codes and not use the labels provided during test
authorization as long as the additional requirements below are met.
• QR codes are consistent with the product information declared in the questionnaire
• QR fields are separated by a semi-colon
• Example: “LBTEST02345A;001;22_1152_v1;XT;A”
• QR image resolution should be at least 200 dpi.
• Serial numbering of the samples should follow the format as shown in Table 2–4.
• Use Arial font for the text around the QR code. Please choose a font size that is easy and clear
enough to read.

Table 2–4: Serial numbering guide for QR samples
Serial Number
Form Factor Type of Testing

Key size 1920 Key size 1920 NOT
Supported Supported
• ID1 Card
• Micro Tag Cross Testing 001 to 055 001 to 055
• Sticker
• Mini Card Performance Testing 056 to 067 056 to 064
•
Performance Testing Only 001 to 012 001 to 009
• ID1 Card
(Metal) Cross Testing 001 to 005 001 to 005
• ID1 Card
(dCVV2) Performance Testing 006 to 009 006 to 008
Performance Testing Only 001 to 004 001 to 003
Vendors and Laboratories should contact Approval Service if there are any question related to the
personation.
2.6.5 Reduced Sample Testing requirements
Current test plans and test tools provide the opportunity to reduce the number of test samples
needed for a GlobalPlaffom chip card product’s approval test cycle. This approach is called Reduced
Sample testing.

Following are the eligibility requirements for using Reduced Sample Testing
• Platform must be compliant to GlobalPlatform version 2.1.1
• Platform must support dynamic JavaCard with garbage collection.
• Product must use Visa-developed VSDC applet or vendor -developed applet that supports:
o EMV Card Personalization Specification version 1.1
o VSDC Personalization Specification version 2.1 ( for VIS 1.6 & VCPS 2.2)
• Product must be developed to the following specifications:
o VIS 1.6 UL1
o VCPS2.2
For the specification- related criteria listed above, the version referenced is a minimum requirements (
ie more recent versions also qualify for eligibility).
If the product meets all of the above criteria, then the Reduced Sample testing approach can be used.
Instead of submitting a test sample image for each test case and the test plan, the card vendor may
submit test samples as follows:
• Provide 90 samples to Visa-recognized test lab for testing
• The card samples must have the Visa payment applet loaded
• The card samples must be in OP_SECURED state
• The card samples must be labeled according to the Chip Card Submission Requirements
document
VIS 1.6 UL1 and/or VCPS 2.2 products that do not meet eligibility requirements for Reduced Sample
testing must continue to submit test sample images as specified by the test plan. However, these
types of products still benefit from the personalization image scripts that are provided in XML format
(that are easily imported into card vendor personalization tools).
Note that test plans for earlier version of VIS and VCPS (such as the VIS 1.5.4b and VCPS 2.1.3b) will
continue to use the existing document-based approach for specifying personalization test images


Test Reports Review and Approval Process
3 Test Reports Review and Approval Process

A product that supports more than one Visa payment application requires a full set of samples for
each Visa payment application. For dual interface products, a full set of samples must be provided for
each interface.
Vendor Provides
Approval Services Lab Performs Lab Provides
Request for Approval Services Approval Services
Authorizes Testing Testing & Provides Report to Approval Passes Testing? Y Product Approved
Approval Form to Reviews Reports Issues Letter
at Laboratories Report to Vendor Services
Lab
Vendor Provides
Vendor Initiates Samples to
Product Failed
Brand Review Approval Services
for Archive
Figure 3–1: Report Review and Approval Process
3.1.1 Test Results
When functional testing is complete, the Laboratory will provide the Vendor with a report outlining
the test results. There are two possible outcomes from functional testing, pass or fail.
3.1.1.1 Product Fails Testing
In the instance where a product fails testing, the Laboratory will send a report to the Vendor
identifying the reasons for the failures. If the Vendor intends to resubmit the product, the Vendor
must do the following:
• Correct the discrepancies
• Submit a new questionnaire to Approval Services
• Prepare new versions of the forms
• Contact the Laboratories for a new test date
• Provide new samples for testing
3.1.1.2 Product Passes Testing
When a product passes testing, the Laboratory sends a final report to the Vendor.
The Vendor determines whether it wishes to submit the results of application testing to Visa. If so, the
Vendor completes and signs the Request for Approval form and submits it to the Laboratory, thus
authorizing the Laboratory to send an electronic copy of the results to Approval Services for review.

Test results should be submitted to Approval Services for evaluation within six months after testing
authorization date. Please contact Approval Services if testing cannot be completed with reports
submitted within this timeframe.
3.2 Requesting an Approval
Visa will consider issuing a letter only for products that have successfully passed all testing at a
Laboratory and that support Visa-defined applications.
Upon successful completion of official testing, the product will appear on the Visa Approved Products
List located on both the Visa Technology Partner and Visa Digital Partner Services websites, unless
the Vendor requests otherwise. Publication of non-card products with static contactless chip is
managed through the Visa Ready program on the Visa Digital Partner website.
Note: Vendors are required to submit ten (10) cards for archiving, whether testing was performed or a
paper approval. The sample quantity and personalization are detailed in the table below
Table 3–1: Quantity and personalization for archived samples
Form Factor Interface Type Number of Personalization Comment

Samples
VIS 1.5.4 and earlier:

Cards Contact Only* 10 VSDC02. Samples for
(including archiving
inlays) VIS 1.6.1 and above: should be sent
VIS Image to Approval
Services Foster
(1) 13_6_2_C01_001 or
City location.
(2) 11_5_C02_001
*If product
supports both
VCPS 2.1.3 and earlier. contact T=0/1,
Contactless Only 10 VCPS Image 2000. we require one
set per
VCPS 2.2 and above: protocol.
VCPS image
(1) 6_33_C09_001 or
(2) 6_33_C03_001.

VIS 1.5.4/VCPS 2.1.3 and

Dual Interface* 10 earlier:
VSDC02
VCPS 2.2 and above:

VCPS image
(1) 6_33_C09_001 or
(2) 6_33_C03_001.
VIS 1.5.4 and earlier:

Cards Contact Only* 5 VSDC02. Samples for
archiving
(Metal or should be sent
VIS 1.6.1 and above:
dCVV2) to Approval
VIS Image
(1) 13_6_2_C01_001 or Services Foster
(2) 11_5_C02_001. City location
*If product
supports both
VCPS 2.1.3 and earlier.
Contactless Only 5 contact T=0/1,
VCPS Image 2000.
we require one
set per
VCPS 2.2 and above:
protocol.
VCPS image
(1) 6_33_C09_001 or
(2) 6_33_C03_001.
VIS 1.5.4/VCPS 2.1.3 and

Dual Interface* 5 earlier:
VSDC02
VCPS 2.2 and above:

VCPS image
(1) 6_33_C09_001 or
(2) 6_33_C03_001.
Cards (VBSS) Contact Only* 3 Refer to VBSS

Samples for
Performance, Cross-
Testing and Level archiving
Contactless Only 3
1/Archive Release Notes should be sent
Dual Interface* 3 located on Visa to Approval
Technology Partner and Services Foster
Visa Digital Partner City location
websites
*If product
supports both

contact T=0/1,
we require one
set per
protocol.
Non-card Contactless Only 0 NA Archive Samples

products with not required
static
contactless
chip
3.3 Product Approval
When a product successfully passes all required testing, Approval Services will issue a Letter of
Approval
A Letter of Approval for a product submitted through the Visa Ready Program will be provided to the
vendor once all requirements of the program have been met. Contact [email protected] to obtain
the letter.
3.3.1 Legal Conditions & Restrictions
The term “approval” is being used generically in this section to mean either the issuance of an
approval letter or the issuance of a compliance letter.
Visa’s approval only applies to products that are identical to the product tested by Visa or one of
Visa’s recognized laboratories. A product may not be considered approved by Visa, nor promoted as
approved, if any aspect of the product is different from that which was tested by a laboratory or by
Visa, even if the product conforms to the basic product description contained in the letter of approval
or letter of compliance. For example, even though a product contains applications or operating
systems that have the same name or model number as those tested by one of Visa’s recognized
laboratories or by Visa, but the product is not identical to the features previously tested by one of
Visa’s recognized laboratories or by Visa, the product should not be considered or promoted as
approved by Visa.
Visa’s approval is granted solely in connection with a specific product and to the submitting vendor.
Such approval may not be assigned, transferred or sublicensed, either directly or indirectly, by
operation of law or otherwise. Only vendor(s) that receive a Visa approval for a product may state that
they have the approval.
No product manufacturer, chip supplier, or other third party may refer to a product, service or facility
as “Visa-approved,” nor otherwise state or imply that Visa has, in whole or in part, approved any

aspect of a manufacturer, or supplier, or its products, services or facilities, except to the extent and
subject to the terms and restrictions expressly set forth in a written agreement with Visa, or in a letter
of approval or letter of compliance provided by Approval Services. All other references to Visa
approval are strictly and actively prohibited by Visa.
When granted, Visa approval is provided by Visa to ensure certain security and operational
characteristics important to Visa’s systems as a whole, but does not, under any circumstances, include
any endorsement or warranty regarding the functionality, quality or performance of any particular
product or service. Visa does not warrant any products or services provided by third parties. Approval
does not, under any circumstances, include or imply any product warranties from Visa, including,
without limitation, any implied warranties of merchantability, fitness for purpose or non-infringement,
all of which are expressly disclaimed by Visa. All rights and remedies regarding products and services
which have received Visa approval shall be provided by the party providing such products or services,
and not by Visa. Unless otherwise agreed in writing by Visa, all property and services contemplated in
this document, which Visa provides to any third parties, are provided on an “as-is” basis, “with all
faults” and with no warranties whatsoever. Visa specifically disclaims any implied warranties of
merchantability, fitness for purpose or non-infringement.
The issuance of a letter of approval or letter of compliance is conditioned upon the vendor having
executed all necessary agreements, including without limitation, the applicable license agreements
with Visa, and shall be of no force and effect unless such agreements have been executed
contemporaneously with or prior to the issuance of the letter.
Visa performs limited testing to ascertain a product’s compliance with any required specifications and
may perform interoperability testing with other approved products. Visa’s limited testing program is
not designed to establish the functionality of an approved product in all potential conditions in which
it may be used. Visa’s approval does not in any circumstances include or imply any guarantees,
assurances or warranties that the approved product will operate in all possible settings or in
connection with any other approved product. Approval granted by Visa does not supersede additional
testing requirements as may be imposed by national testing bodies, financial institutions, network
services providers, Visa Region Specific Requirements or other customers.
The issuance of an approval or compliance letter does not provide an allowance of the card
construction per ISO 7810 & 7811-6, or the Visa Product Brand Standards, as required by Global
Design & Innovation (Brand). Information regarding this separate and required qualification process
can be found on the Visa Product Brand Standards website or by contacting
[email protected].
3.4 Product Approval Period
Derivatives inherit the policy of the parent product.

3.4.1 Products Approved After January 1 2016
This section describes the card lifecycle management policy for cards and non-card products with a
static contactless chip.
The card lifecycle management policy applies to all products except for products based on the EMVCo
Common Payment Application and products approved prior to 1 January 2016. Those products will
continue to be governed under the existing renewal policy (see section 0).
Upon approval, the usage date assigned on the product’s letter will be based on the issue date of the
underlying IC Certificate from EMVCo. The current approval period is replaced with a usage period
covering the entire life of the product in the field. The usage date is defined as the IC Certificate issue
date + 12 years. The vendor may sell the product at any time during its usage period. If the product is
submitted on a newly certified IC, then the maximum usage date can approach twelve years. For
products submitted on older IC’s, the usage date timeframe will be shorter.
Base and derivative product submissions may be submitted during the IC’s certification period.
Products submitted as a base product will receive the usage date based on the underlying IC
Certificate. Derivative products are tied to the parent product’s usage date.
When the usage date of a product has been reached, the product will be removed from the Visa
Approved Products List the month following the usage end date.
Figure 3–2: Card Lifecycle Management Policy

3.5 Global Design and Innovation Product Review & Qualification
The issuance of a letter by Approval Services does not provide an allowance of the card construction
per ISO 7810 & 7811-6, or review against the Visa Product Brand Standards, as required by Global
Design & Innovation (Brand). Information regarding this separate and required qualification process
can be found on the Visa Product Brand Standards website or by contacting
[email protected].

Appendix A – Revision History

A Appendix A – Revision History
Version Date Description
8.0 April 2021 Corrections, clarifications and updates.

QR Code Personalization
VBSS Requirements
7.1 December 2017 Clarification of memory sizes acceptance
7.0 July 2017 Corrections, clarifications and updates.

Updated mailing address for Foster City location.
Updated testing
Card images for cross testing and performance testing
6.9 October 2016 Addition of content related to non-card products and inlays with a
static contactless chip.
6.8 October 2016 Addition of references to Visa Brand Standards.

New Sample Requirements for VIS 1.6.1 and VCPS 2.2. Added
reference to Reduced Sample Testing for GP cards.
New card images for VIS 1.6.1 and VCPS 2.2.
Addition of dCVV2 card acceptance requirements.
6.7 June 2016 Corrections, clarifications and updates.

Updated mailing address for Singapore location.
6.6 December 2015 Cross-Testing Cards

Added Appendix A: Revision History
6.5 December 2015 Cross-Testing Cards: Updated cross-testing cards and mailing
address
Cross-Testing: Added the performance testing card profiles
Added the Card Lifecycle Management policy

6.4 October 2015 Added Cross-Testing information

Moved the General Conditions & Exceptions section to the
Renewal Policy section
Appendix B: Added VCSP testing requirements

Appendix B – Testing Requirements
B Appendix B – Testing Requirements

Derivative products must have a new name and/or versioning to indicate it is a different product from
the original certified Visa product.
B.1.1 Appendix Structure
This appendix lists the testing requirements for products. Products have been grouped into four
categories
• Static native platforms (including Javacard-S)
• GlobalPlatform
• Inlays for non-card products with static contactless chip
• Non-card products with static contactless chip
If a vendor wants to make a change that is not listed, contact [email protected] to

determine which process may be utilized.
B.1.2 Limits to Change Process
A change to ROM is considered a new submission and testing is required.
Vendors that have received a letter from Approval Services identifying issues in the specification
deviation / comments sections may not use this process to make changes to a product. Vendors must
correct the issue(s) identified in the Letter before submitting the next version of the product for
testing.
B.1.3 Paper Approval Process
No functional or security testing is required.
Samples must be provided to Approval Services for archiving.
Following forms must be completed, signed and provided to Approval Services if the vendor has not
executed a version of the ASTA that is May 2018 or later:
• Request for Approval
• Exhibit A

B.2 Product Test Requirements - Static Native, Base Product
Contact Only
# Contact L1 Contactless L1 Application Testing Cross Security Comment

Testing Testing Testing
1 Full N/A Full N/A IAL One contact

protocol
supported
2 Full Electrical (on N/A Full (on one N/A IAL Both contact
one protocol) protocol)) protocol
supported
Full Protocol (T=0 VIS Transaction (on
and T=1) the other protocol )
Contactless Only
# Contact L1 Contactless L1 Application Cross Testing Security Comment

3 N/A Full Full Full IAL
Dual Interface
# Contact L1 Contactless L1 Application Testing Cross Security Comment

4 Full Full Full Full IAL One contact

protocol
supported
5 Full Electrical (on Full Full (On one Full IAL Both contact
one protocol) protocol)) protocol
supported
Full Protocol (T=0 VIS/VCPS Transaction
and T=1 (on the other
protocol )

B.3 Product Test Requirements - Static Native, Changes/Derivatives
Below is a list of acceptable changes for a Static Native Base Product. The list below is not exhaustive,
but provides examples of commonly submitted change requests. If a Vendor wants to make a change
that is not listed below, they should contact Approval Services to determine which process the Vendor
may utilize. Changes to the ROM mask are treated as a base product.
# Change / Contact Contactless Application Cross Testing Security Comments

Derivation L1 L1 Testing Testing
Testing
6 Contact Full N/A VIS N/A IAL Contact only

Protocol Protocol Transaction product
7 Contact Full Full Digital VIS/VCPS None IAL Dual interface

Protocol Protocol product
Transaction
8 Contactless Full Full Digital VIS/VCPS Full IAL Dual interface

Type Protocol product
Transaction
9 Contactless None Full Digital VCPS Full IAL Contactless only

Type Transaction product
10 VIS None None Full VIS None IAL Level 1

Application components not
Change affected
11 VCPS None None Full VCPS Selected IAL Level 1

Change affected
12 Contact L1 Full None VIS None IAL Level 2

Firmware Protocol Transaction components not
affected. Contact
Only
13 Contactless None Full Digital VCPS Selected IAL Level 2

L1 Firmware Transaction components not
affected.
Contactless Only


Testing
14 L1 Firmware Full Full Digital VIS and VCPS Selected IAL Dual interface L2
Protocol Transactions components not
affected
15 Add or None None Regression Performance IAL *Full if proprietary

Update or Full* app interacts with
Proprietary Visa payment app
Application or app not in Flash.
16 Antenna / None Full Analog VCPS Full None size or shape,

Inlay Transaction material,
connection
technology, layout
changes
17 Chip None None* or None* or None* or Full None Dual Interface

Module Full Analog VCPS product or
Transaction Contactless only
product
*None if 8/6 pin
change only
18 Embedder None None None None None Paper approval
19 Plastics* None None None None None Paper approval

*product
submission is
optional
20 Card body None Full VCPS Full None Depends on

changes to Transaction materials.
foil or metal
layer
21 Remove None None None None None Paper approval

Contact
Plate


Testing
22 Remove None None None None None Paper approval

Antenna
23 Add Contact Full Full Analog Full VIS None IAL* or *If contact interface
Plate None** was not in scope in
base product or if
any change in
firmware/software
**Otherwise, no
need for IAL
24 Change None* None* or None* or None* or Full None size or shape

Contact Full Analog VIS/VCPS
*if change from
Plate Transactions
gold/silver material
only
25 Add None Full Full VCPS Full IAL* or *If contactless

Antenna None** interface was not in
scope in base
product or if any
change in
firmware/software
**Otherwise, no
need for IAL
26 Adding None Full* or Regression Full* IAL or *if contactless

dCVV2 None VCPS and/or None*** interface
VIS** or
**if data sharing or
None
interaction with
dCVV2 and Visa
app or their ICs
***If the exact
dCVV2 components
were evaluated
previously (even for
other product) with
security report less
than 2-year-old
27 Contact ATR Full None VIS None None

Speed Protocol Transaction


Testing
28 Visa- None None Full Performance None or *depending on the

developed IAL* applet version. To
payment be confirmed with
applet swap Approval Services
29 Vendor None None Full Full IAL

developed
payment
applet
update

B.4 Product Test Requirements – GlobalPlatform, Base Product
The list in this section defines the base product requirements for products submitted on a GP
platform. GlobalPlatform manages the platform functional testing for GP platforms. Visa no longer
offer testing for Visa GlobalPlatform. Refer to the GlobalPlatform web site to understand its process.
Contact Only
# Contact L1 Contactless L1 Application Cross Security Comments

Testing Testing Testing Testing
1 Full N/A Full N/A IAL Using a previously approved

Visa applet in ROM.
Contactless Only

2 N/A Full Full Full IAL Using a previously approved

Visa applet in ROM.
Dual Interface

3 Full Full Full Full IAL Using a previously approved

Visa applet in ROM.

B.5 Product Test Requirements - GlobalPlatform,

Changes/Derivatives
Below is a list of acceptable changes for a GP Base Product. The list below is not exhaustive, but
provides examples of commonly submitted change requests. If a Vendor wants to make a change that
is not listed below, it should contact Approval Services to determine which process the Vendor may
utilize. Changes to the ROM mask will require full functional testing.
# Change / Contact Contactless Application Cross Security Comments

Derivation L1 L1 Testing Testing Testing
Testing
4 Contact Full N/A VIS N/A IAL Contact only

Protocol Protocol Transaction product
5 Contact Full Full Digital VIS/VCPS None IAL Dual interface

Protocol Protocol product
Transaction
6 Contactless Full Full Digital VIS/VCPS Full IAL Dual interface

Type Protocol product
Transaction
7 Contactless None Full Digital VCPS Full IAL Contactless only

Type Transaction product
8 Add None None VIS and/or Selected IAL

Approved VCPS
Applet to Regression
EEPROM
9 Antenna / None Full Analog VCPS Full None size or shape,

Inlay Transaction material, layout
changes.
10 Chip None None* or Full None* or Depends on None Dual Interface

Module Analog VCPS Analog product or
Transaction results Contactless only
product
*None if 8/6 pin
change only
11 Embedder None None None None None Paper approval.


Testing
12 Plastics None None None None None Paper approval.

*product
submission is
optional
13 Card body None Full VCPS Full None Depends on

materials Transaction material
changes to or Regression
foil or metal
layer
14 Remove None None None None None Paper approval.

Contact
Plate
15 Add Contact Full Full Analog VCPS None IAL** or *Full contact
Plate Transaction None*** platform testing
required.
VIS
Transaction **If contact
interface was
*Full VIS if
not in scope in
not Visa
base product or
applet
if any change in
firmware/softwa
re
***Otherwise, no
need for IAL
16 Remove None None None None None Paper approval.

Antenna


Testing
17 Add None Full Full VCPS Full IAL* or *If contactless

Antenna None** interface was
not in scope in
base product or
if any change in
firmware/softwa
re
**Otherwise, no
need for IAL
18 Adding None Full* or None Regression Full* IAL or *if contactless

dCVV2 VCPS and/or None*** interface.
VIS** or
**if data sharing
None
or interaction
with dCVV2 and
Visa app or their
ICs.
***if the exact
dCVV2
components
were evaluated
previously (even
for other
product) with
security report
less than 2-year-
old
19 VIS None None Full VIS None IAL Level 1

Change affected
20 VCPS None None Full VCPS Selected IAL Level 1

Change affected


Testing
21 Add or None None None or Full* None or IAL Full if

Update Performance proprietary app
Proprietary * interacts with
Application Visa payment
app or app not
in Flash

B.6 Product Test Requirements – Inlays for non-card products with

static contactless chip, Base Product
Static Native Platform, Contactless Only – no leveraging from an approved product
# Contactless Application Cross Security Comments

L1 Testing Testing Testing
1 Full Full Full IAL
GlobalPlatform Platform, Contactless Only – no leveraging from an approved product

2 Full Full Full IAL Visa approved applet in ROM
Static Native or GlobalPlatform Platform, Contactless Only – leveraging from an approved

product

3 Full Analog None Full None Antenna different from approved

product
B.7 Product Test Requirements - Inlays for non-card products with

static contactless chip, Changes/Derivatives
Below is a list of acceptable changes for an inlay. The list below is not exhaustive, but provides
examples of commonly submitted change requests. If a Vendor wants to make a change that is not
listed below, it should contact Approval Services to determine which process the Vendor may utilize.
# Change / Contactless Application Cross Security Comments

Derivation L1 Testing Testing Testing
4 Contactless Full Digital None Selected IAL

Type

5 Contactless L1 Full or Full VCPS Selected IAL Level 2 components not

Firmware Digital* Transaction affected.
*depends on the change
6 Antenna Full Analog None Selected None New design or materials
7 Different Full None Selected* None Design and materials are

Antenna Analog* unchanged.
Manufacturer
*If approved, additional
or
presentments do not need
Manufacturing
testing.
Site
8 Inlay Size or Full None Selected* None *if RF performance may be

Shape Analog* affected
9 Embedder None None None None Paper approval.
10 Materials Full None Full* None *if materials have metallic

Analog* composition

B.8 Product Test Requirements – Non-card products with static

contactless chip, Base Product
Static Native Platform, Contactless Only – no leveraging from an approved product

1 Full Full VCPS Full IAL
GlobalPlatform Platform, Contactless Only – no leveraging from an approved product

2 Full Full Full IAL Visa approved applet in ROM
Static Native or GlobalPlatform Platform, Contactless Only – leveraging from an approved card product

3 Full Analog None Full IAL* *Only if other electronic component/s

exist in the product (e.g. additional
MCU, display, etc.). Otherwise, no IAL
is required.
Static Native or GlobalPlatform Platform, Contactless Only – using a compliant inlay

4 Full Analog None Full or None Testing Requirements will vary,

or None Selected dependent on changes in size, shape
or None or materials from the Inlay that may
impact RF performance of the final
product.

B.9 Product Test Requirements - Non-card products with static

contactless chip, Changes/Derivatives
Below is a list of acceptable changes/derivatives to a base product. The list below is not exhaustive,
but provides examples of commonly submitted change requests. If a Vendor wants to make a change
that is not listed below, it should contact Approval Services to determine which process the Vendor
may utilize.
# Change / Contactless Application Cross Security Comments

Derivation L1 Testing Testing Testing
5 Size and/or Full Analog VCPS Full None Change impacts thickness
Shape of Transaction or distance of antenna
Product from surface.
Testing dependent on
differences.
6 Materials Full VCPS Full* None *if materials have metallic

Analog* Transaction composition

B.10 Product Test Requirements - VBSS, Base Product
Contact Only
# Contact Contactless Application Cross Sensor Security Comment

L1 Testing L1 Testing Testing Testing Performance
Testing
1 Full N/A Full VIS/VBSS N/A Full IAL
Contactless Only
# Contact Contactless Application Cross Sensor Security Comment

L1 Testing L1 Testing Testing Testing Performance
Testing
2 N/A Full Full VCPS/VBSS Full Full IAL
Dual Interface
# Contact L1 Contactless Application Cross Sensor Security Comment

Testing L1 Testing Testing Testing Performance
Testing
3 Full Full Full Full Full IAL

VIS/VCPS/VBSS

B.11 Product Test Requirements – VBSS compliant products,

Changes/Derivatives
This section defines the testing requirements for VBSS compliant products and it’s derivatives. The list
below is not exhaustive. If a Vendor wants to make a change that is not listed below, they should
contact Approval Services.
# Change / Contact L1 Contactless Application Sensor Security Comments

Derivation Testing L1 Testing Testing Performance
Testing
4 Contactless Full Full Digital Full VBSS ISO Analog IAL Dual interface
Type Protocol Timing product
Performance
5 Contactless None Full Digital Full VBSS ISO Analog IAL Contactless only
Type Timing product
Performance
6 VIS None None Full VBSS None IAL Level 1 components

Application not affected
Change
7 VCPS None None Full VBSS ISO Analog IAL Level 1 components
Application Timing not affected
Change Performance
8 Contact L1 Full None Full VBSS None IAL Level 2 components

Firmware Protocol not affected.
Contact Only
9 Contactless None Full Digital Full VBSS ISO Analog IAL Level 2 components
L1 Firmware Timing not affected.
Performance Contactless Only
10 L1 Firmware Full Full Digital Full VBSS ISO Analog IAL Dual interface L2
Protocol Timing components not
Performance affected


Testing
11 Add or None None * Full VBSS *Full if IAL *Full if proprietary

update interacting app interacts with
Proprietary with Sensor Visa payment app
Application (Sensor or app not in Flash.
characteristic
s on Card),
ISO Analog
Timing
Performance
12 Antenna / None Full Analog Full VBSS * Sensor None size or shape,
Inlay characteristic material,
s on Card + connection
ISO Analog technology, layout
Timing changes
Performance.
Full if
noticeable
difference on
sensor
characteristic
on Card.
13 Chip None None* or Full Full VBSS * Sensor None Dual Interface
Module Analog characteristic product or
s on Card + Contactless only
ISO Analog product
Timing
*None if 8/6 pin
Performance.
change only
Full if
noticeable
difference on
sensor
characteristic.


Testing
14 Materials None Full Full VBSS * Sensor None Depends on

*card body characteristic materials.
materials s on Card +
e.g. Add foil or
ISO Analog
metal layer
Timing
Performance.
Full if
noticeable
difference on
sensor
characteristic.
15 Remove None None None * Sensor None Paper approval if no

Contact characteristic sensor testing
Plate s on Card > required
Full if
noticeable
difference
16 Remove None None None * Sensor None Paper approval if no

Antenna characteristic sensor testing
s on Card on required
Card> Full if
noticeable
difference
17 Add Contact Full Full Analog Full VBSS Sensor IAL* or *If contact interface
Plate characteristic None** was not in scope in
s on Card> base product or if
Full if any change in
noticeable firmware/software
difference
**Otherwise, no
need for IAL
18 Add None Full Full VBSS Full VBSS IAL* or *If contactless
Antenna None** interface was not in
scope in base
product or if any
change in
firmware/software
**Otherwise, no
need for IAL


Testing
19 Matching None None Full VBSS ISO Analog IAL

Algorithm Timing
(Sensor Performance
manufacture Matching
r/Vendor) Performance
(FAR/FRR)
Antispoofing
20 Acquisition None None Full VBSS Full VBSS IAL

Algorithm Sensor test
(template
extraction)
21 Biometric None None Full VBSS ISO Analog IAL

Applet Timing
Performance
Matching
Performance
(FAR/FRR)
Antispoofing
22 Sensor None None Full VBSS Full VBSS IAL* or *If with changes in
change or Sensor test None** any component
modification firmware/SW
(including
coating) **If purely physical
change


Testing
23 Enrollment None None Full VBSS Full VBSS IAL* or *If with changes in
Sensor (if Sensor test None** any component
different firmware/SW
from Sensor
from VBSS **If purely physical
product) change
Probably
not
accepted /
Tending to
disappear
due to lack
of
acceptance
and
potentially
poor results
24 Any None None Full VBSS Sensor IAL* or *If with changes in
Hardware characteristic None** any component
change of s on Card > firmware/SW
the card Full if
product not noticeable **If purely physical
listed difference change
previously
25 OS Update Full Full Full VBSS Sensor IAL

Card characteristic
s on Card >
Full if
noticeable
difference


Testing
26 Secure None None Full VBSS Full VBSS IAL

Software Sensor test
modules
(White box
modules for
biometry)
[Related to
Matching
and
acquisition
Algorithm]
27 MCU None None Full VBSS Full VBSS IAL

Change Sensor test
[Related to
Matching
and
acquisition
Algorithm]

Acronyms and Glossary

This appendix defined selected terms used in this document.
Approval A generic term meaning the issuance of a

letter of approval or letter of compliance.
Chip Supplier The entity that manufactures the silicon chip.
Dual Interface That which supports both contact and

contactless payment.
EMVCo (EMV) EMVCo, LLC is an association of payment

systems that manage, maintain, and enhance
the EMV specifications.
ICCN IC Certificate Number (issued by EMVCo)
ICS Implementation Conformance Statement. A

form providing detailed technical information
regarding the Visa payment application,
platform, or interface.
Inlay A functional component that is made to be

embedded into a non-card product with a
static contactless chip. Typically consisting of a
contactless chip and antenna.
MSD Magnetic Stripe Data, a Visa payment

application for contactless cards.
Official Testing In the context of this document, refers to

testing conducted by a Visa-Recognized
Laboratory with the intention of obtaining Visa
approval of a chip card product.
Product Manufacturer The entity that offers the final tested and
approved product to the financial institution.

qVSDC Quick VSDC, a Visa payment application for

contactless products.
Static Native A contact chip card that was not developed to

the Visa GlobalPlatform or GlobalPlatform
requirements.
VIS Visa Integrated Circuit Card Specification, which

provides the technical details of chip card and
terminal functionality, related to VSDC
payment transactions.
Visa Biometric Sensor-on-Card Specification

VBSS
, provides technical details of cards with a
fingerprint sensor .
VSDC Visa Smart Debit / Credit. Visa service offerings

for chip-based debit and credit programs,
which are based on EMV and VIS specifications
and are support by VisaNet processing, as well
as by Visa rules and regulations.
Visa Recognized Laboratory A Laboratory that is recognized by Visa to test

products in preparation for approval by Visa.


Chip Card Testing and Approval Requirements V8.0

Uploaded by

Copyright:

Available Formats

Chip Card Testing and Approval Requirements V8.0

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chip Card Testing and Approval Requirements V8.0

Uploaded by

Copyright:

Available Formats

Chip Card Testing & Approval

© 2010-2020 Visa. All Rights Reserved.

THE INFORMATION CONTAINED HEREIN IS PROPRIETARY AND CONFIDENTIAL AND MUST BE

Tables .............................................................................................................................................................................. iii

April 2021 Visa Confidential i

2.6.5 Reduced Sample Testing requirements........................................................................................................ 33

ii Visa Confidential April 2021

Table 2–1: Forms Required for Testing ........................................................................................................................ 16

April 2021 Visa Confidential iii

Figure 2–1: Product Submission Process ...................................................................................................................... 14

iv Visa Confidential April 2021

April 2021 Visa Confidential v

6 Visa Confidential April 2021

Visa Worldwide Pte Ltd

April 2021 Visa Confidential 7

The type approval process consists of the following stages:

The scope of testing includes (where applicable) the following:

8 Visa Confidential April 2021

1 Vendor Registration,Licensing & Agreements

1.1 Vendor Registration

1.2 Licensing Specifications and Software

April 2021 Visa Confidential 9

1.3 Legal Agreements

1.4 Test Plans and Commercial Test Tools

1.4.1 Test Plans

10 Visa Confidential April 2021

April 2021 Visa Confidential 11

1.4.2 Commercial Test Tools and Test Scripts

12 Visa Confidential April 2021

April 2021 Visa Confidential 13

2 Product Submission Process

Vendor Provides Vendor Contacts Approval Services Approval Services

Figure 2–1: Product Submission Process

2.1 Product Questionnaires

14 Visa Confidential April 2021

2.2 Laboratory Scheduling and Testing

April 2021 Visa Confidential 15

2.2.1 Disposition of Samples After Testing

After functional testing is complete the Laboratory will:

2.3 Forms Required for Testing

16 Visa Confidential April 2021

2.4 Functional Testing Requirements Overview

Product Type Description

Visa Payment Application (VSDC)

Visa Biometric Sensor on Card Specification Application (VBSS)

Visa Biometric Sensor Performance Testing

Visa Payment Application (VSDC)

EMV Contactless Level 1 (Analog & Digital) Type A or Type B

Visa Payment Application (MSD and/or qVSDC)

April 2021 Visa Confidential 17

Product Type Description

GlobalPlatform Product GlobalPlatform Functional Platform Testing

18 Visa Confidential April 2021

A JavaCard-S product is based on both GlobalPlatform and JavaCard-S requirements. Because

April 2021 Visa Confidential 19

2.4.1 Sharing of Test Results

2.5 Security Testing Requirements

2.5.1 IC Security Evaluations

20 Visa Confidential April 2021