FRAMEWORK: Generic MFA solution with the dashed line encompassing the security evaluation scope
EMVCo has released security requirements for multi-factor authentication (MFA) solutions used in payments to support the development of MFA solutions capable of preventing or detecting attacks that can compromise card and ecommerce payments authentication.
The requirements cover payment authenticators used in a variety of devices, including smartphones, laptops, vehicles and Internet of Things (IoT) devices. They are based on EMVCo’s existing Security Evaluation Infrastructure, which enables developers to test their products to ensure they meet payment industry expectations.
According to EMVCo, its MFA Security Requirements support:
Developers of MFA solutions for payments, to enable them to gain security evaluation certificates for their product components and solutions
Testing laboratories, to offer a clear evaluation process
Merchants, acquirers and payment service providers, to share valuable and practical information on security performance characteristics and the ‘suitability’ of MFA products.
“It is vital to recognise why this is important — the evaluation process essentially works to assist developers in preventing and protecting against attacks using their devices or infrastructure, which could adversely impact other payment participants,” EMVCo executive committee chair Joy Huang explains.
“Optimising EMVCo’s expertise and framework is an effective way to address this issue. EMVCo MFA Security Requirements builds on an established and proven infrastructure offering vendors access to EMVCo’s laboratory network to achieve the standards needed to protect consumers and the wider payments ecosystem.”
EMVCo revealed plans to develop and issue performance requirements for biometric payment cards in June.
“EMVCo issues security requirements for multi-factor authentication solutions” was written by Tom Phillips and published by NFCW.