EMVCo Software-Based Mobile Payment Evaluation

EMVCo Software-Based Mobile Payment (SBMP) is a globally recognized security evaluation framework designed to assess whether software-based mobile payment components and solutions meet a sufficient level of security to safeguard sensitive payment data and transactions against real-world attacks. This includes a wide range of products and services, such as:

• Mobile payment applications
• Software Development Kits (SDKs)
• Trusted Execution Environments (TEEs)
• Consumer Device Cardholder Verification Methods (CDCVM)
• Attestation mechanisms
• Multi-factor authentication
• Software protection tools (such as white-box Cryptography, obfuscation, and tamper detection)

The evaluation process provides a standardized path for vendors to obtain a security evaluation certificate that demonstrates their solutions are secure and compliant with industry standards.

What atsec offers:

atsec provides EMVCo SBMP evaluation services covering all aspects of the process, including:

• Training on EMVCo SBMP requirements and the full evaluation process
• Full security evaluation of software-based mobile payment components
• Preparation and submission support leading to an official EMVCo SBMP security evaluation certificate

During a SBMP security evaluation, atsec employs a comprehensive methodology that includes code and documentation review, vulnerability analysis, and penetration testing to ensure that the evaluated solution complies with EMVCo’s SBMP security requirements and to provide vendors with actionable insights to strengthen their security posture. By leveraging atsec’s proven evaluation approach, organizations can be confident that their SBMP security assessment aligns with EMVCo’s expectations, ultimately helping them achieve certification and bring secure payment solutions to market more efficiently.

Why our services are important to you:

atsec’s EMVCo SBMP security evaluation services allow vendors to demonstrate that their solutions can withstand real-world attacker techniques such as static analysis, dynamic analysis, reverse engineering, hooking, fault injection, and tampering.

If you develop or plan to deploy software-based mobile payment solutions, EMVCo SBMP evaluation and certification are essential to proving that your product provides adequate protection for sensitive payment data and complies with industry standards expected by payment schemes, banks, merchants, and app distribution platforms. More broadly, certification significantly increases market acceptance and trust in digital payment ecosystems.

atsec is ready to partner with you to help you understand the EMVCo SBMP requirements, assess your product’s readiness, and perform a professional security evaluation to certify your mobile payment product.