The document is the latest update to GlobalPlatform’s Security Certification Program and will make it quicker and easier for stakeholders across industries to validate and compare security features, protect applications and data against high-profile attacks and comply with evolving IoT and cybersecurity regulations.
GlobalPlatform is seen as the de-facto standard for secure element technologies and there are over 50 billion GlobalPlatform-certified SEs in-market; equipping solutions like mobile phones, IoT devices, banking cards and eID documents, with a tamper-resistant hardware platform to securely host applications and store confidential data.
As the use of digital services continues to grow, the newly released PP will address the need for consistent and verifiable security. It offers a simple framework for:
- Security laboratories to evaluate the security of SE-based products, and validate conformance with security, regulatory and data protection mandates, such as the European Cybersecurity Act.
- Silicon and SE vendors to demonstrate their products are secure for use across devices and verticals including payment and identity cards, ePassports, smartphones and IoT devices.
- Device manufacturers to determine the trustworthiness of components, and select a solution with the required features to protect apps and digital services on their devices.
Due to its modular structure, the PP enables the evaluation of different SE use cases and form factors. This includes smart card SEs including payment, SIM cards or ID documents, to embedded SEs in smartphones and IoT devices, and also advanced uses cases available on integrated form factors which have emerged to address the security requirements of connected device designs.
To enable simple access to the secure services offered by SEs, like signature or user authentication for consumer payment and identity use cases, as well as Secure Boot or attestation for device-based use cases, GlobalPlatform has selected a security assurance level of EAL4+ augmented with ALC_DVS.2 (sufficiency of security measures) and AVA_VAN.5 (advanced methodical vulnerability analysis).
This assures stakeholders including Mobile Network Operators (MNOs), application developers, IoT cloud platforms and service providers that their critical assets loaded on a GlobalPlatform-certified SE are protected from complex attacks.