Mastercard
Card Quality Management
Overview
December 2016
Introduction
Mastercard Card Approval
Overview
Mastercard Card Approval LoA policy
Requirements
Product Quality
Quality Management
Benefits
Labels
ChipCard Interface Technologies
A Modular Structure
A Unique Identifier
Certificate Example
Documents
Audit
Accredited Auditors
Ranking
Timeline
Process
Overview
Detailed
New comers Vs. already certified
Budget
Mastercard Outsourcing Letter to Smart Consulting
Figures
Conclusion
Agenda
2
Introduction
Involved companies:
Personalization bureaus
Card manufacturers (card vendors)
Suppliers of the card vendors (chip, modules, inlays manufacturers)
Involved products:
Mastercard EMV cards (ID1 card format)
Requirements:
Quality Management
Product Quality (modular structure)
Methodology:
Self-assessment controlled by on-site audits
Corrective actions plan.
3
CQM = Mastercard Card Quality Management
Mastercard Card Approval
Overview
4
Company
Program
Product
Program
Global Vendor Certification Program
Physical and Logical Security
GVCP
Brand and Card Design Rules Card Design(1)
Card Structure Integrity and Security
Innovative form factors or card bodies
CSI
Chip Card Quality ManagementCQM
Chip Anti-Fraud SecurityCAST
Chip Card (Functionality) ApprovalIAT
(1) The e-mail address depends on the region, it will be communicated by the Mastercard local contact
Mastercard Card Approval
LoA policy (1/2)
5
A Mastercard Letter of Approval (LoA) is issued to a chip card vendor for each
chip card or device that has successfully completed the following items:
• Interface and Application Testing
• Compliance Assessment and Security Testing
• CQM
IAT
CAST
CQM
LoA
Mastercard Card Approval
LoA policy (2/2)
CQM
Card Supplier
End-user product manufacturing and delivery based
on an approved Module
Multi-stakeholders Model
LoAApproved Module
CCS
Card Vendor
From full product conception to end-
user delivery
TAS CCN Labels
LoA
IAT CQMCAST
Integrated Model
GVCP
Contactless License
Module Supplier
Chip + Operating System
+ Payment App
Conformity Compliance
Statement (CCS)
M/Chip Dev. Agreement
IAT CQMCAST
TAS LabelsCCN
GVCP
Labels
Contactless License
M/Chip Develop. Agreement
Contactless License
112 23 53 4
Source: Card Vendor Product Approval Process Guide
Categories Interoperability with ATMs and
POS terminals:Electrical, contactless, magnetic, physical characteristics
Durability and Reliability: Mechanical, Electro-Static Discharges, magnetic, ageing, resistance to chemicals…
Mastercard BrandDesign, colors, layout.
Visual Security FeaturesUV print, hologram, signature panel…
MiscellaneousNo toxicity for health and environment…
Examples
Reading distance between the
contactless card and a POS
Resistance to:
ESD
Card bending or torsion
Abrasion
Chemicals: sweat, fuel…
Temperature and humidity
Mechanical stress
Chip module extraction
Requirements (1/2)
Product Quality
7
Requirements (2/2)
Quality Management
Objectives definition and measurement
Training program
Written procedures
Specifications
Qualification and Change Control
Customer satisfaction
Statistical Process Control
Internal audits
Continuous improvement
8
For the Bank
Cardholder satisfaction
CQM is the unique worldwide payment
card quality reference
For the Supplier or Vendor
Marketing advantage:
Bank tenders compliance
CQM companies list is public
Corporate quality tool to both support
and control the remote sites
External independent view
Modular activities
Benefits
9
CQM labels are required for every suppliers
The Letter of Approval (LoA) requires the CQM certification.
Labels (1/3)
Manufacturing Activities
10
Integrated Circuit
Integrated Circuits Module
Plastic CardChip
EmbeddingPerso
Integrated Circuit
Integrated Circuits Module
Inlay with Antenna
Plastic CardChip
EmbeddingPerso
Integrated Circuit
Integrated Circuits Module
Inlay with Antenna and Chip
Plastic Card Lamination with Chip
PersoContactless
Contact
Dual
Smart Card manufacturing is splited in modular activities.
The CQM label identifies the activity for the card interface technology ( Contact, Contactless,
Dual)
Labels 2/3
unique CQM identifiers
CQM labels are identifiers granted to a CQM certified company
to cover their certified activities.
CQM label structure is “ACCLLTTTTS”.
A = Activity of manufacturing
CC = Company
LL = Location of the manufacturing site
TTTT = Interface Technology (Contact, Dual, Contactless)
S = Status ( R:interim label for Recognition, A:label for Approval)
11
CQM Recognition is a 6 month max interim period aimed
- for companies starting the CQM process
- for a new activity started by CQM certified companies
CQM Approval is the step achieved when the audit pass
recommendation is accepted.
Labels 3/3
CQM Certificate Example
12
Documents
Documents available on line: smart-consulting.com
Overview presentation (this presentation)
Registration Form
Quality questionnaire (Assessment Plan)
Requirements specification
Non Disclosure Agreement (NDA) template.
Documents available on demand: [email protected]
Annual services offer (including quote)
Draft certificate for candidate review
13
Always check online for the last release of the documents.
Audits 1/3
Accredited Auditors
14
The auditors are acting worldwide.
Name First Name Company Tel office Email Country
Chen Luke 陳明乾 TÜV SÜD +886 228986818 [email protected] Taiwan
Ferreira Luis Agora Consult +32 470822142 [email protected] Belgium
Gase Axel Kiwa Telefication 31 316 583 114 [email protected] Netherlands
Janczek Thies Cocaso +49 4347701433 [email protected] Germany
Shinmoto Tamon 真本多聞 TÜV SÜD +81 449801675 [email protected] Japan
Trüggelmann Uwe TruCert +1 2504349456 [email protected] Canada
Van Voorst Ries Dekra +31 263563419 [email protected] Netherlands
Audit 2/3
Ranking
15
Smart Consulting will notify the rank decision to the auditee after the audit report reception.
Smart Consulting is the sole entity to approve an audit shift request.
Recommendation Next auditAction plan
Completion Check
APass
Action plan is not required.< 3 years
BPass
Action plan is defined and committed.< 2 years < 4 months
CPass with many unconformities
Action plan is defined and committed.< 1 year < 4 months
DRecommendation postponed after the next audit or action
plan completion check.
Audit Timeline
16
Action Plan Completion Report Assessment
Smart Consulting to Auditee and Auditor 2 weeks after Action Plan Completion Report
Action Plan Completion ReportAuditor to Smart Consulting and Auditee 19 weeks after Audit End
Action Plan CompletionAuditee to Auditor 17 weeks after Audit End (*)
Audit Report AssessmentSmart Consulting to Auditee and Auditor 5 weeks after Final Audit Report
Final Audit ReportAuditor to Smart Consulting and Auditee 4 weeks after Audit End
Action PlanAuditee to Auditor 2 weeks after the Audit (*)
AuditAuditor
Audit PreparationAuditee to Auditor 2 weeks before the Audit (*)
Audit AgreementAuditee + Auditor Auditee + Auditor
RegistrationAuditee to Smart Consulting
Owner Recipients Deadline
(*) Typical values. They shall be defined inside the bilateral Audit Agreement binding on the Auditor and the Auditee
Process 1/4
Overview
17
CQM Certificate
Approval
Renewal
Recognition
One Year
Extention
No No
Details next slide
N N
Process 2/4
Details
18
Registration to Smart ConsultingServices offer for 1 year
Acceptance of the offerRECOGNITION Yearly fees invoice
6 months max Yearly fees paymentAudit offer with quote and schedule
Auditor selection and notificationLabels for CQM recognition.
Audit preparationSupport for the Audit preparation
Non conformitiesAction-plan
Audit-Report and recommendationNotification of the audit results
Signed certificate with appoval labelsAction-Plan Completion Report
Action-Plan Completion Report Assess
YEARLY Yearly fees invoiceEXTENTION Yearly fees payment
Signed Certificate with labels
RENEWAL Refer to above approval process
Audit
APPROVAL
Smart Consulting CQM Candidate CQM Auditor
New Comer
To register immediately for
CQM recognition together with
Mastercard GVCP registration in
order to gain time.
CQM labels require the related
GVCP certification.
Already Certified
The audit date shall be initiated by the auditee directly with the auditor taken into account
The last audit acknowledgement issued by Smart Consulting
The certificate birthday(max 60 days before)
The auditor availability in the region
Pay the CQM yearly extension fees 60 days before the certificate expiration date.
Notify changes in real time:
new location
new workshops
new primary contact
Process 3/4
New Comer Vs. Already Certified
19
Sooner is better
contact: [email protected]
Process 4/4
Certificate is granted after
Confirmation by positive audit recommendation
Next audit(s) planned
60 days after annual fees payment
20
Note: All the GVCP sites of the group of
companies shall be CQM certified
Budget
Auditor Smart Consulting
Price~ 1500€ per day
+ T&E
900€ annual fees
+ 500€ per activity
Payment term
(new candidates)to be defined
60 days after CQM offer
date
Payment term
(already certified)to be defined
60 days before certificate
birthday
Negotiable? yes no
21
Mastercard Outsourcing Letter
22
The CQM scheme
is owned by
Mastercard
Certification Authority
The CQM operations
are performed by
Smart Consulting
Certification body
CQM Certification Trend
23
0
200
400
600
800
1000
1200
1400
2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
Companies
Sites
Activities
Labels
Conclusion
1. Mastercard mandates CQM:
for all EMV cards
for all activities (formerly called workshops)
for all countries worldwide
for every GVCP certified site belonging to the same group of
companies.
2. CQM certified companies list is public
CQM certified companies are available inside the Mastercard Vendors list
( GVCP monthly update)
3. Increasing number of bank tenders are mandating CQM
24
Mastercard Sources: Card Vendor Product Approval Process Guide 2015/05
CQM certified companies public list (GVCP)
Security Bulletin 2014/09 (GVCP)
smart-consulting.com
Eric Berlin
End