Mobile MasterCard PayPass TSM Approval Guide November 2009 - Version 1.0

Upload: wiraj-gunasinghe

Post on 25-Apr-2015


©2009 MasterCard. Mobile MasterCard PayPass TSM Approval Guide, November 2009 - Version 1.0

Proprietary Rights

The information contained in this document is proprietary and confidential to MasterCard International Incorporated, one or more of its affiliated entities (collectively “MasterCard”), or both.

This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of MasterCard.

Trademarks

Trademark notices and symbols used in this manual reflect the registration status of MasterCard trademarks in the United States. Please consult with the Customer Operations Services team or the MasterCard Law Department for the registration status of particular product, program, or service names outside the United States.

All third-party product and service names are trademarks or registered trademarks of their respective owners.

MasterCard Worldwide
2200 MasterCard Boulevard
O’Fallon MO 63368-7263
USA

1-636-722-6100

www.mastercard.com

Table of Contents

Using this Manual
Scope
Audience
Reader Guidance
Abbreviations and Acronyms
Related Information
Terminology
Revision History

Chapter 1 Introduction
1.1 Background
1.2 Who needs to Use this Process?
1.3 When is this Process Used?
1.4 How is this Process Used?

Chapter 2 Certification Process
2.1 Overview
2.2 Key Stage 1: Planning & Administration Phase
2.3 Key Stage 2: Testing and Evaluation Phase
2.4 Key Stage 3: Review & Certification Phase

Chapter 3 Administrative Processes
3.1 Product Development Cycle
3.1.1 Purpose
3.1.2 Output
3.1.3 Requirement Level
3.1.4 Procedure
3.1.5 Contacts
3.2 TSM Registration
3.2.1 Purpose
3.2.2 Output
3.2.3 Requirement Level
3.2.4 Procedure
3.2.5 Contacts
3.3 TSM Evaluation Plan
3.3.1 Purpose
3.3.2 Output
3.3.3 Requirement Level
3.3.4 Procedure
3.3.5 Contacts
3.4 GVCP Application
3.4.1 Purpose
3.4.2 Output
3.4.3 Requirement Level
3.4.4 Procedure
3.4.5 Contacts

Chapter 4 Evaluation Processes
4.1 TSM Functional Evaluation
4.1.1 Purpose
4.1.2 Output
4.1.3 Requirement Level
4.1.4 Procedure
4.1.5 Contacts
4.2 TSM Security Audit
4.2.1 Purpose
4.2.2 Output
4.2.3 Requirement Level
4.2.4 Procedure
4.2.5 Contacts

Chapter 5 Final Review and Certification Processes
5.1 Functional Evaluation Assessment
5.1.1 Purpose
5.1.2 Output
5.1.3 Procedure
5.1.4 Contacts
5.2 Security Audit Review
5.2.1 Purpose
5.2.2 Output
5.2.3 Procedure
5.2.4 Contacts
5.3 TSM Certification
5.3.1 Purpose
5.3.2 Output
5.3.3 Requirement Level
5.3.4 Procedure
5.3.5 Contacts

Annex A Checklist
A.1 Checklist

Using this Manual

This chapter contains information that helps you understand and use this manual.


Scope

This document describes all the processes that must be completed in order for any Trusted Service Manager (TSM), and any specific services they provide for use in issuing Mobile MasterCard PayPass implementations, to be fully approved for commercial deployment with MasterCard issuing banks. For the avoidance of doubt the generic term Mobile MasterCard PayPass is used throughout this document to describe all variants of PayPass implementations on mobile devices or involving mobile devices as a carrier device for the payment device.

Audience

The primary audience for this document is organizations that function as the Trusted Service Manager for a Mobile MasterCard PayPass implementation. However, there are additional entities that play a role in successful implementation of Mobile MasterCard PayPass capability that may also find this document useful to understand who the individual stakeholders are, the roles that they fulfill and the procedures MasterCard has implemented to ensure the overall implementation functions as expected.

These include:

Mobile Network Operators

Mobile Handset Manufacturers

Component Vendors (who provide NFC components to handset manufacturers)

SIM card manufacturers (who would be manufacturing SIM cards for use in the handsets)

Payment Application Developers

User Interface Application Developers

Issuers

Issuers that offer PayPass transaction capability via a mobile device to their account holders must ensure that all components utilized for the Mobile PayPass implementation are fully approved and compliant with MasterCard requirements.

It is generally expected that TSMs will ensure this on behalf of the banks that they provide their services to.

It is also expected that TSMs will initiate the Approval of their solution themselves.


Reader Guidance

This document describes the evaluations and associated administrative processes that apply for TSMs and their solutions if they are to be used in implementations of Mobile MasterCard PayPass.

Abbreviations and Acronyms

The following abbreviations and acronyms are used in this manual:

Acronym Meaning

API Application Programming Interface

GVCP Global Vendor Certification Program

J2ME Java 2 Platform, Micro Edition

MNO Mobile Network Operator

MOTAPS MasterCard Over The Air Provisioning Service

OTA Over The Air

SCW Smart Card Webserver

SE Secure Element

SIM Subscriber Identity Module

STK SIM Tool Kit

SWP Single Wire Protocol

TSM Trusted Service Manager

UI User Interface

UICC Universal Integrated Circuit Card

USIM Universal Subscriber Identity Module


Related Information

The following documents and resources provide information related to the subjects discussed in this manual.

Note: MasterCard reserves the right to release new versions of documents referenced by this process. Partners should therefore check for the latest documentation versions and the impact of any amendments they contain before starting the partner testing process.

Title: Description

Mobile MasterCard PayPass Testing and Approval Guide: Overall entry point document covering all required Approvals for implementations of Mobile MasterCard PayPass

Security Requirements for Mobile Payment Provisioning: Security Requirements for Mobile Payment Provisioning

Mobile MasterCard PayPass TSM Functional Requirements: Functional requirements for all TSM solutions

MasterCard PayPass Branding Standards: Standards for the use of all MasterCard PayPass brand identifiers in any form of card-holder implementation

Maestro PayPass Branding Standards: Standards for the use of all Maestro PayPass brand identifiers in any form of card-holder implementation

PayPass on Mobile Requirements: High level requirements document for implementations of Mobile MasterCard PayPass

Mobile MasterCard PayPass User Interface Application Requirements: Requirements documents relating to User Interface (or Wallet) Applications that are used for payment and account management on the Mobile Device.

Mobile MasterCard PayPass User Interface Application Approval Guide: Approval Guide describing the process for approving User Interface Applications that interface with the Payment Application for payment and account management and/or make use of any MasterCard properties such as brand identifiers.


Terminology

This section explains a number of key terms and concepts used in this manual.

Term: Meaning

Assessment Summary: Acknowledgement by MasterCard that specified components of the submitted product or service were compliant with the requirements of [Mobile MasterCard PayPass Requirements], [Mobile MasterCard PayPass TSM Functional Requirements] and where applicable [Mobile MasterCard PayPass User Interface Requirements] at the time of testing; this does not constitute a full Approval, it is merely an interim step and may be used as input to the Approval Review.

Auditors: A security specialist accredited by MasterCard to evaluate TSM compliance with physical and logical security requirements defined by the Global Vendor Certification Program (GVCP) in [Security Requirements for Mobile Payment Provisioning].

Certification: The generic term for the outcome of the process of evaluating a TSM and confirming its compliance with all relevant MasterCard requirements.

Compliance Certificate: The final formal confirmation from MasterCard to a TSM that the TSM’s solution under evaluation has successfully completed the entire approval process.

Component: Any service, product, part or combination of parts used in a Mobile MasterCard PayPass implementation (e.g. mobile device or payment application).

Evaluation: Generic term used to refer to the set of testing processes that have a defined start (sample requirements etc) and end point (evaluation assessment, report etc).

Evaluation Laboratory: A facility accredited by MasterCard to perform tests on PayPass and Mobile MasterCard PayPass components.

Evaluation Plan: Test plan which describes the actions required by the submitting entity or entities during the formal test process. It also shows the personalization profile requirements and number of samples to be submitted for formal testing.

Evaluation Report: Summary of test results, issued by a Testing Laboratory as a result of Formal Testing.

Mobile Device: Any mobile phone, smartphone or handheld PDA or communications device.

Mobile MasterCard PayPass Testing and Approval Process: The collective term for all tests and evaluations that must be completed by vendors of any component used in Mobile MasterCard PayPass implementations.


Mobile Provisioning: The provisioning of applications to a Mobile Device by means of a wireless connection. In the context of TSMs this term is typically used to describe the provisioning of Payment Applications to a Mobile Device, which may also include the provisioning of On-Device Personalization Applications to facilitate the personalization of such Payment Applications.

On-device Personalization Application: Software that provides interaction between the PayPass application within the Secure Element and the mobile network for over-the-air personalization. It also enables download of the PayPass application over-the-air to the Secure Element. May be implemented in a number of ways, for example a Java MIDlet.

OTA: Over-The-Air (OTA) refers to any process that involves the transfer of data (including applications) to the mobile handset or any component within the mobile handset via the mobile network.

Over-The-Air (OTA) personalization: Personalization (see definition below) carried out in such a way that the mobile handset Secure Element to be personalized is connected to the associated personalization data servers via a wide-area network, such as a mobile network or the Internet.

Payment Application: The software implemented within the secure memory domain of a Mobile MasterCard PayPass implementation (e.g. on the secure SIM card) covering the requirements of the PayPass or Mobile MasterCard PayPass Specification.

Payment Application Provider: A legal entity that has signed a PayPass Specification License Agreement is entitled to use PayPass brands and supply PayPass applications and whose name will be stated on the MasterCard Mobile MasterCard PayPass Implementation - Certificate of Accreditation.

Personalization Bureau: A facility responsible for writing payment system, issuer, and account holder specific data to a payment card or alternate form factor. This facility is acting on behalf of a licensed issuer and is authorized by MasterCard to perform this activity for MasterCard branded products.

Security Accreditation: Formal acknowledgement by MasterCard that a TSM and its specified solution for use in Mobile MasterCard PayPass implementations and all of its components demonstrated compliance to MasterCard’s Security Requirements.

TSM Functional Evaluation Assessment: A formal review by MasterCard of the results of the TSM Functional Evaluation.


UI/Wallet Assessment Summary: Acknowledgement by MasterCard that the submitted samples were compliant with the User Interface Application requirements specified in [PayPass on Mobile Requirements] and [Mobile MasterCard PayPass User Interface Application Requirements], at the time of testing.

User Interface (or Wallet) Application: The application which is used as an interface to the secure payment application or applications in the secure element for account management and where applicable transaction verification purposes.

Revision History

MasterCard periodically will issue revisions to this document as and when any enhancements, new developments, corrections or any other changes are required.

Each revision includes a summary of changes which is added to the revision history below, describing what has changed and how. Revision markers (vertical lines in the right margin) indicate where the text changed. The month and year of the revision appear at the right of each revision marker.

MasterCard may publish revisions to this document in a MasterCard bulletin, another MasterCard publication, or on MasterCard OnLine, within the Mobile Partner Program section: www.mastercard-mobilepartner.com.

A subsequent revision is effective as of the date indicated in that publication or on the Mobile Partner Program website and replaces any previous edition.

Version Date History Impact

1.0 Nov 09 First complete version


1 Introduction

This chapter provides the reader with an overview of the Evaluation and Accreditation Processes for Trusted Service Managers (TSM) who wish to commercialize solutions to be used when implementing Mobile MasterCard PayPass.


1.1 Background

MasterCard has developed a comprehensive test and validation process for all products and services (components) of Mobile MasterCard PayPass implementations. The process is closely based on the existing validation processes for PayPass card devices and other vendors involved in the supply chain (such as Personalization Bureaus). This enables world-wide interoperability as well as quality, security and reliability assurance at acceptable levels of time and cost.

This document describes all processes that must be completed in order for any TSM to be approved for support of a Mobile MasterCard PayPass program.

Completing this process allows the parties involved in the personalization, mobile provisioning and where applicable other life-cycle management parts of the supply chain to demonstrate conformity to:

[PayPass on Mobile Requirements]

[Mobile MasterCard PayPass TSM Functional Requirements]

[Security Requirements for Mobile Payment Provisioning]

and where applicable

[Mobile MasterCard PayPass User Interface Application Requirements]

[MasterCard PayPass Branding Standards]

[Maestro PayPass Branding Standards]

A TSM that successfully completes all of the applicable tests and evaluations will receive a formal Compliance Certificate from MasterCard.

In some circumstances MasterCard may require further supporting evaluation evidence prior to issuing an Accreditation.

Assessments, Security Audit and Accreditation status indicators for components may be published by MasterCard on the Mobile Partner Program web site [www.mastercard-mobilepartner.com] and/or the Certified Vendor List which is published on a monthly basis in the Global Security Bulletins on MasterCard Online [www.mastercardonline.com] for reference by issuers and other partners wishing to combine their products with other relevant components.


1.2 Who needs to Use this Process?

Issuers have an obligation to ensure that all components of a Mobile MasterCard PayPass implementation (including the TSM), have been fully evaluated and are approved. In most cases it is likely that issuers will rely on TSMs to correctly manage the provisioning and personalization process so that personalization requests where at least one component is not approved are blocked.

This document is designed primarily for TSMs, but is also relevant to a broader audience (including Mobile Network Operators (MNOs), Application Developers, Secure Element Providers, Mobile Handset Manufacturers and Issuers), as these other members of the Mobile MasterCard PayPass value chain will need to be aware of the role performed by the TSM, its purpose and the importance thereof.

This document will guide the TSM through the process by defining formal sub-processes and each step that they will need to follow.

1.3 When is this Process Used?

This process is used:

When a new TSM wishes to provide OTA provisioning services for MasterCard issuers

Annually on the anniversary of the initial Certification

If any changes are made to an existing approved TSM.

Examples of changes to existing approved TSMs include:

Changes to the logical architecture of the TSM solution.

Changes to the physical site of an approved TSM’s facilities.

New additional geographical TSM sites.

Changes to the On-Device Personalisation Application.

New On-Device Personalization Applications.


1.4 How is this Process Used?

This process describes the key activities which must be successfully completed in order for a TSM to become a MasterCard certified TSM.

To manage the process, it is recommended that the submitting entity appoints a project manager as the point of contact with MasterCard and the Laboratories and/or Auditors.

It is the responsibility of the TSM to initiate the actions required to achieve Certification or renewal of an existing Certification.

The process relating to evaluations is driven by the suppliers of services that they wish to provide for use in a Mobile MasterCard PayPass implementation.

Compliance Certificates will be issued to the TSM or submitting entity upon successful completion of the process by MasterCard.

The main contact for any questions related to this process is [email protected].


2 Certification Process

This chapter gives a high level overview of the three key stages in the Certification Process.


2.1 Overview

The TSM Certification Process can be broken down into three key stages as shown in the diagram below. This chapter provides a high level overview of each of the key stages, and chapters 3 – 5 provide more detailed descriptions of each specific step in the process.

Figure 2.1 identifies the individual processes and their relationships.

Figure 2.1—Mobile MasterCard PayPass TSM Certification Process Overview

[Figure 2.1 diagram not reproduced. Labels in the figure: Key Stage 1, Planning & Administration Phase; Key Stage 2, Testing & Evaluation Phase; Key Stage 3, Review & Approval Phase; Functional Testing; Security Evaluations; TSM Registration; Evaluation Plan; Is the TSM already registered in the GVCP (Yes/No); TSM enrolls in GVCP; TSM Service Functional Evaluation; TSM Security Audit; TSM Functional Evaluation Assessment; TSM Security Audit Review; Assessment Summary; TSM Security Accreditation; TSM Approval Review; GVCP Listing; TSM Compliance Certificate. Annotations in the figure: "Optional for non-MOTAPS TSMs (only if required following registration review), Mandatory for MOTAPS TSMs (i.e. TSMs wishing to integrate with MOTAPS)"; "Mandatory for all TSMs".]


2.2 Key Stage 1: Planning & Administration Phase

Before a TSM submits a request for formal Certification, MasterCard will be available for development support. TSMs are recommended to contact MasterCard’s Mobile Partner Program for this type of support to ensure that their services and facilities will comply with the various test requirements when the time comes for formal testing. This reduces unnecessary costs and time delays in bringing new products to market (as products that perform badly during formal evaluation, or that have inherent security flaws that are uncovered during the audit process, will need to be rectified and re-submitted for repeated evaluation).

The first step of Key Stage 1 is the Registration Process during which the TSM will register their product or service and a specific geographic site where processing will take place, by completing a Registration Form designed to capture information about the TSM, the key point of contact and the product/service and the site (including all relevant components and features).

Once registration has been completed MasterCard’s technical teams will review the information provided and make decisions on what type of evaluations are needed and where these should be carried out. The required evaluations and accompanying instructions to the TSM, regarding the next steps, are formally summarized in the Evaluation Plan which is provided to the TSM.

Any TSM that is not yet enrolled in the Global Vendor Certification Program (GVCP) will need to enroll at the earliest available opportunity, as this is a prerequisite for the Security Audit to take place.

2.3 Key Stage 2: Testing and Evaluation Phase

Once the TSM has received the Evaluation Plan the TSM is able to start formal evaluation. The TSM must agree relevant contracts/schedules with external Test Laboratories and Auditors (where applicable) and will then book evaluation and audit slots and commence the process. Some evaluations may be carried out by MasterCard personnel.

Where external Laboratories and Auditors are to be used, they will advise on the length of time taken for the evaluations, the compilation of the reports and the cost for their services.

Once the reports are completed these will be sent to the TSM by the Laboratory. MasterCard will need to review the reports in the final phase, so the TSM should send the reports to MasterCard as soon as possible after receiving them.

2.4 Key Stage 3: Review & Certification Phase

Once MasterCard has received all the reports, they will perform a thorough assessment and review to ascertain the level of conformance with the various requirements.

Each report will be assessed individually, and if successful any or all the assessments may be summarized upon request from the TSM in a formal statement called the Assessment Summary (AS).

The results of the assessment (and where applicable the AS) are then presented to MasterCard’s Certification Authority for final review and a Compliance Certificate can then be issued to the TSM, thus formally confirming compliance of the TSM and its solution with all requirements.

3 Administrative Processes

This chapter outlines the Administrative Processes. There are two different areas of focus for any TSM Certification:

1. Functional evaluation

2. Security evaluation

The administrative processes described in this document cover both areas, while the administrative sub-process specifically covering the security evaluation area will generally be determined during the Registration Process (see section 3.2) and is detailed in the resulting Evaluation Plan (see section 3.3).

3.1 Product Development Cycle

3.1.1 Purpose

3.1.2 Output

3.1.3 Requirement Level

3.1.4 Procedure

3.1.5 Contacts

3.2 TSM Registration

3.2.1 Purpose

3.2.2 Output

3.2.3 Requirement Level

3.2.4 Procedure

3.2.5 Contacts

3.3 TSM Evaluation Plan

3.3.1 Purpose

3.3.2 Output

3.3.3 Requirement Level

3.3.4 Procedure

3.3.5 Contacts

3.4 GVCP Application

3.4.1 Purpose

3.4.2 Output

3.4.3 Requirement Level

3.4.4 Procedure

3.4.5 Contacts

3.1 Product Development Cycle

3.1.1 Purpose

The Product Development Cycle represents a TSM’s internal development procedures for a PayPass product or component.

TSMs may use the services of MasterCard accredited Laboratories or Auditors to assist with solution development and testing.

Use of these services is at the discretion of the TSM. It is recommended that these services are used, as they may increase the efficiency of subsequent formal testing.

Note: Please check for the latest versions of specifications, requirements and reference documentation prior to starting product development.

3.1.2 Output

The output of this process will be TSM specific, but should generally result in improvements with regards to functional reliability and/or usability and/or security, any or all of which should lead to a higher likelihood of achieving accreditation.

3.1.3 Requirement Level

The process is optional and TSM specific.

3.1.4 Procedure

Procedures will be TSM specific.

Specification support can be obtained using the contact below.

3.1.5 Contacts

The MasterCard contact during the Product Development Cycle is [email protected].

MasterCard documentation that is relevant before and during the Product Development Cycles is also available from www.mastercard-mobilepartner.com

3.2 TSM Registration

3.2.1 Purpose

TSM Registration or Renewal Registration is designed to register full details:

Of new TSM services and the functional scope thereof for formal evaluation.

Of the TSM geographical location for logical and physical security evaluation.

Of any change to a TSM service that has already been approved.

Of the existing TSM site and its most up-to-date service description for the annual renewal (in the case of annual renewals to existing Certifications).

In the case of a renewal or change, it is the TSM’s responsibility to ensure all supporting documentation is unexpired, valid and applicable.

Note: Each physical TSM site or facility will need to be registered separately as Security Audits, Accreditations and Compliance Certificates are site specific. Assessment Summaries relating to the On-Device Personalization Application and related end-to-end user experience can be re-used for multiple sites assuming they all use the same technology and offer the same service levels and functionality.

Note: The Registration Form will need to be completed for every annual renewal of an existing TSM and its service.

3.2.2 Output

The result of this process is a completed registration form submitted by the TSM.

3.2.3 Requirement Level

The process is mandatory for all Certification requests.

3.2.4 Procedure

The procedure is:

1. The TSM obtains the latest version of the TSM Registration Form from the Mobile Partner Program website [www.mastercard-mobilepartner.com] or from the Mobile Partner Program contact below.

2. The TSM completes all relevant parts of the Mobile MasterCard PayPass TSM Registration Form.

Note: MasterCard will instruct the partner which sections of the forms to fill in when the TSM receives the forms.

For new implementations/components or renewal requests, any existing relevant formal documentation relating to previous formal test cycles should be submitted. For changed products/components, information describing the change should also be submitted.

3. The documentation is e-mailed to the contact below.

4. MasterCard receives the registration documentation to enter into the database.

3.2.5 Contacts

The MasterCard contact for TSM Registration is [email protected].

3.3 TSM Evaluation Plan

3.3.1 Purpose

This process is comprised of two stages:

1. Registration Review

2. Evaluation Planning

Once the completed registration form has been received the information will be reviewed by MasterCard to:

Check that all relevant license agreements are in place and valid for the TSM.

Identify the mandated formal evaluations for the registered service.

Provide information to allow the TSM to initiate the ordering process for formal evaluations at Test Laboratories and Auditors.

Provide documentation to indicate to Laboratories and Auditors that MasterCard has given the ‘green light’ to begin formal evaluation.

Identify a date by which evaluations must be completed.

Document personalization profiles of the samples required for formal evaluation.

Document the number of samples required for formal evaluation.

3.3.2 Output

The review results in the Evaluation Plan, which will contain relevant details as listed above as well as a set of clear instructions to the TSM describing how to proceed with the evaluations.

This is an internal MasterCard process and is applied to all submissions.

MasterCard will contact the submitting entity if any further details are required as input to this process, or to notify of changes to the evaluation process or plan.

3.3.3 Requirement Level

The process is mandatory for all Certification requests.

3.3.4 Procedure

The procedure is:

1. MasterCard reviews the information in the TSM Registration Form.

2. MasterCard issues an Evaluation Plan and sends it to the contact name given in the Registration Form.

3.3.5 Contacts

The MasterCard contact for queries relating to the Evaluation Plan is [email protected].

3.4 GVCP Application

3.4.1 Purpose

In order for a TSM to start any processes relating to the security evaluation, it must be enrolled in the Global Vendor Certification Program (GVCP).

TSMs that are not enrolled in the GVCP at the time of registering their solution for Certification will be instructed to do so at their earliest opportunity in the Evaluation Plan.

3.4.2 Output

The outcome of GVCP Application will be enrollment of the TSM in the GVCP, which will in turn enable the TSM to be audited by the accredited auditors and to receive Accreditation and ultimately Certification.

3.4.3 Requirement Level

The process is mandatory for all TSMs that are not enrolled in the GVCP at the time of registering for Certification.

3.4.4 Procedure

The procedure is:

1. The TSM receives the instruction to enroll in the GVCP as part of the Evaluation Plan (where applicable).

2. The TSM contacts the GVCP Helpdesk to initiate enrollment.

3. Further instructions will be given by the GVCP Helpdesk.

3.4.5 Contacts

The MasterCard contact for queries relating to GVCP Application is [email protected]

4 Evaluation Processes

This chapter outlines the Tests and Evaluations Processes.

4.1 TSM Functional Evaluation

4.1.1 Purpose

4.1.2 Output

4.1.3 Requirement Level

4.1.4 Procedure

4.1.5 Contacts

4.2 TSM Security Audit

4.2.1 Purpose

4.2.2 Output

4.2.3 Requirement Level

4.2.4 Procedure

4.2.5 Contacts

4.1 TSM Functional Evaluation

4.1.1 Purpose

The TSM Functional Evaluation process is designed to ensure that any TSM service offering that is designed to interact with any part of a Mobile MasterCard PayPass implementation conforms to MasterCard’s design, usability, functional and reliability expectations as defined in:

[PayPass on Mobile Requirements]

[MasterCard PayPass Branding Standards] when applicable

[Maestro PayPass Branding Standards] when applicable

[Mobile MasterCard PayPass TSM Functional Requirements]

Where the On-device Personalization Application includes payment and account management related functionality it will also need to undergo the User Interface Application Approval Process as defined in [Mobile MasterCard PayPass User Interface Application Approval Guide].

Note: In such cases where the On-device Personalization Application is combined with a User Interface or Wallet Application, the TSM Functional Evaluation will include the User Interface Application Evaluation.

When required this will include:

A review of technical documentation submitted by the service provider describing the end-to-end solution.

End-to-end testing by MasterCard on a live test system (which may be pre-commercialization, but must utilize all systems that will be used when launched to market – such as servers, short codes, gateways etc.).

This process does not take into account the security of a TSM service.

A TSM Service Functional Evaluation can be required as a result of the Registration Review.

4.1.2 Output

The output of this process is a TSM Service Functional Evaluation Report.

4.1.3 Requirement Level

When required by MasterCard.

4.1.4 Procedure

The procedure is:

1. Following completion of the TSM Registration process the vendor will have received a TSM Evaluation Plan giving clear instructions on what type of samples and supporting documentation should be sent to whom for evaluation.

2. The partner provides the samples and any additional requested documentation to the specified Laboratory or MasterCard as specified in the Evaluation Plan.

3. MasterCard or the designated external Laboratory performs the tests and generates a TSM Service Functional Evaluation Report.

4. The TSM Service Functional Evaluation Report is used as input to the Accreditation Review.

4.1.5 Contacts

All queries relating to the TSM Service Functional Evaluation Process shall be sent to [email protected]

4.2 TSM Security Audit

4.2.1 Purpose

This process tests the conformity of a TSM and its service to MasterCard’s security requirements for TSM services as defined in:

[Security Requirements for Mobile Payment Provisioning]

It is an audit that is performed by a MasterCard approved auditor to assess the security and compliance of the end-to-end encryption solutions of the service(s), the provider’s facilities and all relevant applications designed for use in a Mobile MasterCard PayPass implementation.

Note: Where the functionality supplied by the TSM extends beyond the scope as defined in [Security Requirements for Mobile Payment Provisioning] there may be additional requirements for PCI compliance.

4.2.2 Output

The process results in a report relating to the TSM and its service or solution. The report will be issued by a MasterCard approved auditor.

Successful completion of the audit will enable the TSM to become accredited by MasterCard for the provisioning of services relating to Mobile MasterCard PayPass implementations (such as Over the Air (OTA) provisioning and personalization services).

If the report concludes that a service does not conform to requirements, the submitting entity or entities will be informed and asked what steps they intend to take to correct any non-conformity.

Note: Please check for the latest versions of specifications and reference documentation prior to the audit.

4.2.3 Requirement Level

The process is mandatory for all Certification requests.

4.2.4 Procedure

The procedure is:

1. The vendor must be a Global Vendor Certification Program (GVCP) member before an audit can take place. If the vendor is not yet a GVCP member, appropriate instructions will be included in the Evaluation Plan.

2. Detailed instructions on the audit process will be given by the GVCP when the vendor contacts the GVCP to initiate this process.

3. The vendor will follow these instructions to arrange for the audit to take place.

4. Audit reports are compiled by the auditors and will be sent to the vendor.

5. MasterCard’s GVCP will need to review the audit report and any corrective action plans that may result from the audit and will use these as input to the accreditation.

Note: MasterCard’s GVCP will give detailed instructions to the vendor as to which steps need to be completed as part of the GVCP membership, the audit process and any fees that may apply.

4.2.5 Contacts

The MasterCard contact for GVCP queries and the audit process is: [email protected]

5 Final Review and Certification Processes

This chapter outlines the Final Review and Accreditation Processes.

5.1 Functional Evaluation Assessment

5.1.1 Purpose

5.1.2 Output

5.1.3 Procedure

5.1.4 Contacts

5.2 Security Audit Review

5.2.1 Purpose

5.2.2 Output

5.2.3 Procedure

5.2.4 Contacts

5.3 TSM Certification

5.3.1 Purpose

5.3.2 Output

5.3.3 Requirement Level

5.3.4 Procedure

5.3.5 Contacts

5.1 Functional Evaluation Assessment

5.1.1 Purpose

This process is an internal MasterCard process and is a technical review of all the evaluation results for a registered solution. It is designed to ensure that the solution demonstrates sufficient conformance to MasterCard’s functional requirements when tested.

5.1.2 Output

The output of this process is a TSM Service Functional Evaluation Assessment Summary (or simply Assessment Summary - AS).

5.1.3 Procedure

The procedure is:

1. In cases where the vendor has been instructed to have the evaluation carried out by an external test centre, the vendor will send the completed report to MasterCard.

2. MasterCard will review the evaluation report.

3. If the results of the evaluation are positive this will result in a TSM Service Functional Evaluation Assessment Summary which is used as input to the Certification Review.

5.1.4 Contacts

All queries relating to the TSM Service Functional Evaluation Process shall be sent to [email protected]

5.2 Security Audit Review

5.2.1 Purpose

The purpose of this process is for MasterCard’s Payment Systems Integrity department to review the results of the audit report which will have been carried out based on MasterCard’s Security Requirements for OTA Provisioning.

5.2.2 Output

The output of this process is a TSM Security Accreditation.

5.2.3 Procedure

The procedure is:

1. MasterCard receives the Security Audit report and any corrective action plan from the TSM.

2. MasterCard reviews the audit report from the accredited auditors and any corrective action plan from the TSM.

3. If the outcome of the review is positive, the TSM will be accredited by MasterCard.

4. If the outcome of the review is negative, the TSM will be requested to put in place necessary corrective actions and to provide proof of the completion thereof when this has been done.

5.2.4 Contacts

All queries relating to the Security Audit Review process shall be sent to [email protected]

5.3 TSM Certification

5.3.1 Purpose

The purpose of this process is to issue a formal statement of compliance to the TSM confirming that all aspects of the TSM and its service conform to all applicable MasterCard requirements.

This formal statement of compliance is known as the Compliance Certificate and can be used by the vendor to prove to its customers that it has met MasterCard’s requirements and can be used in the context of Mobile MasterCard PayPass issuance.

5.3.2 Output

The output of this process is a TSM Compliance Certificate.

5.3.3 Requirement Level

This is mandatory for TSMs wishing to provide their solution to MasterCard issuing institutions for use in Mobile MasterCard PayPass implementations.

5.3.4 Procedure

The procedure is:

1. MasterCard’s certification authority reviews the results of the TSM Service Functional Evaluation Assessment Summary and the TSM Security Audit Review.

2. If the results of all applicable assessments are positive, MasterCard will issue the Compliance Certificate to the vendor.

Compliance Certificates may be made available to MasterCard’s Mobile Partner Program Members on www.mastercard-mobilepartner.com for reference.

5.3.5 Contacts

All queries relating to the TSM Certification shall be sent to [email protected].

A Checklist

This annex contains a checklist to help you verify that you have completed each required step in the approval process.

A.1 Checklist

A.1 Checklist

In order to assist TSMs with the approval process, the following check-list has been drawn up. The key stages in the process are listed here so that the submitting entity can easily keep track of what tasks have been completed and which ones may still be required.

Check the box next to each step you have completed.

1. Check latest requirements
   These can be obtained from www.mastercard-mobilepartner.com

2. Complete Registration Form.
   The latest registration form can be obtained from www.mastercard-mobilepartner.com
   Help with completing the form can be obtained from [email protected]

3. Submit Registration Form to MasterCard
   Send completed form to [email protected]

4. Receive Evaluation Plan.
   An Evaluation Plan can only be issued once a completed Registration Form has been received. Every Evaluation Plan is specific to a submission.

5. Follow instructions for GVCP process.
   When required the GVCP process will be detailed in the Evaluation Plan; the contact for all GVCP-related queries will be [email protected]

6. Provide Evaluation Plan and samples to designated test facility or MasterCard contact for Functional Evaluation to be carried out
   As specified in the Evaluation Plan if required.

7. Receive Functional Evaluation Report
   This could be a designated external evaluator or MasterCard depending on the Evaluation Plan.

8. Pass Evaluation Report to MasterCard as soon as possible
   If an external test facility has been used, the Functional Evaluation Report should be sent to MasterCard as soon as possible: [email protected]

9. Receive feedback from MasterCard
   If the Evaluation Report indicates non-conformance with requirements, corrective action will need to be taken and the relevant tests will need to be repeated.
   Positive feedback is not generally given in a formal form to the vendor at this stage, but in certain circumstances an interim statement “Functional Evaluation Assessment Summary” may be issued upon request.

10. Audit Report
   The result of the Security Audit (which will be coordinated by GVCP) is an audit report.

11. Pass Audit Report to MasterCard GVCP as soon as possible
   The Security Audit Report should be sent to MasterCard GVCP as soon as possible: [email protected].

12. Compliance Certificate
   A Compliance Certificate will be issued if the results of all the required tests and security evaluation prove that a TSM meets MasterCard’s requirements.