How to Certify Your Mobile App for EMVCo SBMP Secure Payments

18/08/2025

    Ensuring your mobile payment app meets EMVCo’s SBMP (Software-Based Mobile Payment) security standards is essential for compliance, user trust, and effective fraud prevention. This guide outlines the evaluation process, answers common questions, and offers practical tips for developers and businesses.

    Why SBMP Certification Matters

    EMVCo SBMP certification demonstrates that your app is resilient against reverse engineering, tampering, and extraction of the payment assets it protects (keys, tokens, cardholder data) on a device the attacker fully controls. Certification is often mandatory or strongly recommended for apps handling sensitive payment data, and it enables collaboration with major payment schemes such as Visa and Mastercard.

    The SBMP Evaluation Process: Key Steps

    SBMP evaluation must be performed by an EMVCo-accredited laboratory. Accredited labs, such as Applus+, guide clients from product registration through the final evaluation report.

    The evaluation follows a rigorous, multi-stage process:

    • TOE (Target of Evaluation) Information Gathering
      • What happens: Developers submit binaries, source code, design documents, and security guidelines.
      • What’s checked: Evaluators verify version consistency, component certifications, and the security of third-party SDKs or libraries.
      • Tip: Ensure all third-party components are up-to-date and secure.

     

    • Design & Source Code Review (SCR)
      • Step-by-step analysis: Identify critical assets (e.g., encryption keys, payment data), map code variables/functions managing those assets, and review lifecycle security (generation, storage, deletion).
      • Goal: Flag security flaws such as weak encryption or insecure storage.

     

    • Vulnerability Analysis (VA)
      • Public vulnerabilities: Check third-party libraries for publicly known vulnerabilities (CVEs) in the exact versions shipped (e.g., OpenSSL).
      • Code-derived risks: Review weaknesses identified during the source code review.
      • Test plan: Propose attacks to test security mechanisms (e.g., reverse engineering, code hooking).

     

    • Testing (Penetration Testing/Verification Testing)
      • Penetration Testing (PT): Simulate real-world attacks (e.g., tampering, debugger bypass).
      • Verification Testing (VT): Confirm security mechanisms function correctly (e.g., root/jailbreak detection).
      • Tools used: Industry-standard tools like Frida, IDA, and custom scripts.

     

    • Reporting and Delivery to EMVCo
      • Compile findings: Create an Evaluation Technical Report (ETR).
      • Address vulnerabilities: Work with developers to fix issues (iterative process).
      • Finalise and deliver: Submit the final ETR to EMVCo for certification.

    FAQs: What Developers Need to Know

    How long does SBMP evaluation take?

    Typically 4–12 weeks, depending on product complexity, documentation, and remediation needs.

    What if my app fails a test?

    Developers receive detailed feedback and can pause the evaluation to implement fixes. After changes, the lab re-evaluates and repeats the test.

    Are third-party libraries evaluated?

    Third-party library code is not subject to the full source code review. Evaluators check each library for publicly known vulnerabilities in the version you ship and assess the impact of any findings on the final product. COTS (commercial off-the-shelf) components in particular may be exempted from full SCR.

    What’s the difference between PT and VT?

    PT: Actively attempts to exploit the weaknesses identified during vulnerability analysis (e.g., repackaging the app, bypassing a debugger check). VT: Confirms that the security mechanisms you declare behave as documented (e.g., anti-tampering, root/jailbreak detection).

    Do I need to provide physical devices?

    No. Labs test on their own devices. Only binaries, source code, and documentation are required.

    How often should I re-certify?

    Annually, or after any major update that adds or changes security features.

    Do I need to provide source code?

    Yes. SBMP methodology requires white-box evaluation, so access to source code is mandatory during the process.

    What version of the test application should I provide?

    Provide a release build with all protections enabled (obfuscation, anti-debugging, anti-tampering, root/jailbreak detection), ideally the production build. Developer or debug builds are not representative: they typically ship with these protections disabled and the debuggable flag set, so results obtained on them may not be accepted.

    Pro Tips and Pitfalls to Avoid

    • Do This
      • Document thoroughly: Provide clear security guidelines and architecture diagrams.
      • Test internally first: Use tools like MobSF (static analysis of the APK/IPA) or OWASP ZAP (for the app's backend API traffic) to catch basic flaws before the lab does.
      • Monitor post-launch: SBMP requires continuous threat analysis.
    • Avoid This
      • Assuming “obfuscation = security”: Tools like ProGuard are primarily shrinkers and identifier renamers; they slow down reverse engineering but do nothing to stop code hooking, debugging, or repackaging. SBMP evaluators test anti-debugging, anti-hooking, root/jailbreak detection, and integrity checks at runtime, with tools such as Frida.
      • Ignoring minor flaws: Individually low-severity weaknesses (a verbose log line, a check that returns a single boolean) can be chained into a full compromise of the payment assets.
      • Using uncertified SDKs: Ensure all dependencies are SBMP-compliant to avoid delays.
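    To make the “obfuscation = security” point concrete, here is an added example (not code from Applus+, EMVCo, or any SBMP-certified product) of the kind of runtime protection a verification test exercises and a penetration test then tries to bypass: a native anti-debugging check that parses the TracerPid field of /proc/self/status on Linux/Android. A non-zero TracerPid means a debugger or tracer (gdb, lldb-server, a ptrace-based injector) is attached. The check is split so that the parser can be tested on constructed status text, and the file name and function names are this example's own choices. It is one layer, not a guarantee: an evaluator can hook open()/read() or patch the function with Frida, which is exactly why SBMP asks for several independent mechanisms and an integrity check over them, and why the reaction should be to refuse to handle payment assets rather than to set a flag that a single hook can flip.

```c
/* Added example (not Applus+ or EMVCo code): native anti-debugging check
 * based on the TracerPid field of /proc/self/status (Linux/Android).
 * A process under ptrace() has a non-zero TracerPid; an untraced one has 0.
 * Native code is harder to hook than a single Java call such as
 * Debug.isDebuggerConnected(), but it remains bypassable (e.g. by hooking
 * open()/read() with Frida), so it must be combined with other mechanisms.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a /proc/<pid>/status buffer and return the TracerPid value.
 * Returns -1 if the field is absent or malformed (non-Linux input,
 * a tampered or hidden procfs), which callers should treat as suspicious. */
long tracer_pid_from_status(const char *status_text) {
    const char *key = "TracerPid:";
    size_t key_len = strlen(key);
    const char *line = status_text;

    while (line && *line) {
        if (strncmp(line, key, key_len) == 0) {
            const char *p = line + key_len;
            while (*p == ' ' || *p == '\t') p++;   /* skip the tab(s) after the colon */
            char *end;
            long pid = strtol(p, &end, 10);
            if (end == p) return -1;               /* no digits: malformed line */
            return pid;
        }
        line = strchr(line, '\n');                 /* advance to the next line */
        if (line) line++;
    }
    return -1;                                     /* field never seen */
}

/* Read the live /proc/self/status of this process.
 * Returns 1 if a tracer is attached, 0 if not, -1 if the check could not be
 * performed. On Android, -1 (unreadable or odd procfs) is itself a signal. */
int debugger_attached(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';

    long pid = tracer_pid_from_status(buf);
    if (pid < 0) return -1;
    return pid > 0 ? 1 : 0;
}

int main(void) {
    /* In a real payment app this would run from several call sites, from
     * native code, before any key material is unwrapped, and a positive
     * result would wipe the in-memory assets rather than just print. */
    int r = debugger_attached();
    if (r == 1) {
        fprintf(stderr, "debugger attached; refusing to process payment data\n");
        return 1;
    }
    printf("no tracer detected (status %d)\n", r);
    return 0;
}
```

    On a non-Linux host debugger_attached() returns -1 because /proc/self/status does not exist; on an Android device the same return value can mean the procfs view has been tampered with, so production code should not treat it as a pass.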

    Why Certify Your App?

    • Builds user trust and brand credibility.
    • Enables collaboration with major payment schemes (Visa, Mastercard, etc.).
    • Simplifies the evaluation and certification process for clients.

    Contact Us Today and Start Your Journey

    As an accredited laboratory with extensive experience in security evaluations, we guide you through every step of the SBMP certification process. Our experts ensure high-quality services, helping you achieve and maintain compliance with industry standards.
