The deployment of Consumer Device Cardholder Verification Method (CDCVM) solutions across the payments ecosystem is increasing.
With traditional Cardholder Verification Methods (CVM), consumer authentication is performed on the merchant system (a PIN entered into a merchant device, for example). The growing use of mobile devices for payment transactions has enabled consumer authentication to be performed specifically on the consumer’s own device, via passcodes, passwords and patterns, as well as through biometrics such as fingerprint, iris, voice and facial recognition. This type of authentication on a consumer device is known as CDCVM. Additionally, when multiple payment applications on the device share the same CDCVM and the associated result, it is referred to as Shared CDCVM.
As CDCVM is very different to traditional CVM, EMVCo has developed a dedicated process to evaluate the security of CDCVM solutions and has defined industry best practices to address functional and performance considerations:
• EMV® CDCVM Security Requirements and Security Evaluation Process - to help promote protection from fraud across the consumer and wider payments ecosystem, it is imperative that solution assets (such as a user’s biometric or password) be adequately secured. Also, the delivery of results must not be manipulated, falsified or exploited, and the solution must not be maliciously abused, disabled or bypassed. To support these objectives, EMVCo has published CDCVM Security Requirements and has established a Security Evaluation Process to help ensure CDCVM solutions maintain certain minimum levels of security, including mechanisms and protections designed to withstand known attacks.
• EMV CDCVM Best Practices - EMVCo has defined guidelines for functional and performance behaviours to promote a consistent user experience and global interoperability.
EMVCo actively engages the payment community in developing, enhancing, and evolving future specifications and related testing processes.
In particular, EMVCo has been collaborating with the FIDO Alliance since 2016. As part of this collaboration, EMVCo shared a number of CDCVM use cases for payment, which the FIDO Alliance took into account when incorporating User Verification Caching into the FIDO specification. EMVCo continues to liaise with the FIDO Alliance to ensure that the FIDO Alliance Biometric Certification programme covers the EMVCo high-level performance objectives. CDCVM solution providers are encouraged to evaluate the performance of their solutions using the FIDO Alliance Biometric Certification programme.