GlobalPlatform | Composition Model Made Simple
What is a composite product?
A composite product consists of an open platform (such as a secure element [SE]),
with one or more sensitive applications (such as mobile payment or
identity / end-user authentication), and optionally one or more basic
applications (which do not need to comply with stringent security
requirements to operate, for example couponing or advertising).
What is the GlobalPlatform Composition Model?
The technical document is a common, cross-industry certification model for SEs with
post-issuance capabilities. In essence, it outlines a methodology that streamlines the
security evaluation of a near-field-communication (NFC) mobile composite product by
specifying how EMVCo and Common Criteria certificates can be re-used for chips and
SE platforms that have previously been certified.
EMVCo is the EMV® technical body jointly owned by American Express, Discover,
JCB, MasterCard, UnionPay and Visa. Common Criteria is an international security
certification standard involving national certification bodies that work on a mutual
agreement basis to secure IT products and systems.
The document is of particular interest to mobile application and product issuers,
such as mobile network operators (MNOs) and financial institutions.
Why is GlobalPlatform working in this space? I was not aware it was a
GlobalPlatform Specifications and supporting documentation are viewed as best
practice and endorsed by a wide range of industry players and certification bodies.
While GlobalPlatform is not a certification authority, it has leveraged the knowledge of
its members to develop solutions that address industry challenges.
So what industry challenge is GlobalPlatform addressing?
The industry is continually looking at ways to reduce product time to market while
simultaneously advancing the security of an NFC mobile product. As SEs in mobile devices
begin to host multiple applications, it is important that all applications perform as
intended and do not interfere with the other services being delivered.
Evaluating the security of sensitive applications and the potential impact of adding a
basic application pre- and post-issuance is therefore vital, but needs to be cost- and
time-effective for all market stakeholders. Currently, as there is no basic application process,
when a new application is introduced onto an SE - sensitive or basic - a full re-test is
required of the entire product before it can be released. A developer launching a basic
application, however, does not want to spend significant resources evaluating the full
product (sensitive and basic applications) to validate that its product does not interfere
with a sensitive application.
For NFC to reach its full potential, a balance needs to be achieved between
technical, commercial and security requirements, as well as an understanding of the
responsibilities and motivations of each actor contributing to the product.
How does the model work?
The GlobalPlatform Composition Model specifies how:
- Existing security evaluation results from EMVCo and Common Criteria can be re-
- Security evaluation work can be limited to only test the impact of a new application
and SE combination.
This modular approach - where each element of the product receives its own security
certificate - optimizes the testing requirements of EMVCo and Common Criteria when a
new sensitive application or a new platform is combined with a previously certified
platform or sensitive application.
- The chip is certified against Common Criteria or EMVCo Security Requirements, as
is the SE platform. This produces a single certificate for the combined chip/SE product.
- Independent certificates are received for each sensitive application installed. Any
basic applications are 'verified' to confirm that they will not put any sensitive applications
or the SE at risk.
What documents are available?
- The Card Composition Model Security Guidelines for Basic Applications
v2.0, which proposes a minimal set of
guidelines for basic applications. Adhering to these guidelines will protect sensitive
applications, other applications, and the SE.
- Card Composition Model v1.1, which addresses the re-
certification of multi-application products with additional applications.
- Card Composition Frequently Asked Questions v1.1,
which supports industry players using this model for the
All documents can be downloaded from the GlobalPlatform
website without charge.
Is the industry as a whole in support of the model?
The GlobalPlatform Composition Model was developed with support from EMVCo
and the GSMA. It has been endorsed by AFSCM, the European Payments Council, the
European Telecommunications Standards Institute (ETSI) and SIMalliance. The document
has also received a contribution from the International Security Certification Initiative.
What is next for GlobalPlatform within the security space?
GlobalPlatform is continually looking at ways to support its members and the wider
industry in advancing the secure chip ecosystem. The GlobalPlatform Composition
Model will evolve to reflect advancing industry needs.