Certification & Testing

Payment Testing & Scheme Certification Services

Getting to market requires passing some of the most demanding technical certification programmes in financial services. From Mastercard MTIP and Visa ADVT terminal certification through to EMVCo Level 1/2/3 kernel approval and 3DS testing, our consultants have guided banks, terminal manufacturers, payment processors and fintechs through first-time certifications, remediation after failures, and re-certification after product changes.

Start Certification Planning View All Programmes ↓

Certification Programmes

Comprehensive support across all major scheme and standards body certification programmes.

Mastercard

MTIP

Mastercard Terminal Integration Process

Mandatory certification for all devices processing Mastercard, Maestro and Cirrus transactions. Covers magnetic stripe, EMV contact, EMV contactless (PayPass/MCCS), and fallback transaction types.

MTIP Deep-Dive ↓
Visa

ADVT

Acquirer Device Validation Toolkit

Visa’s toolkit for validating that acquirer-connected POS devices and ATMs correctly implement Visa payWave (VCPS 2.2) and Visa chip (VIS) specifications. Includes contactless kernel and fallback test cases.

ADVT Overview ↓
Multi-Scheme

CDET

Card Data Entry Device Testing

Tests PED, SCR and card holder device data entry functions — character sets, special characters, function key handling, and card read methods (swipe, insert, tap). Required for most acquirer device approvals.

CDET Overview ↓
EMVCo

EMVCo L1 / L2 / L3

EMVCo Type Approval

Level 1 — hardware/electrical interface (contact and contactless). Level 2 — EMV kernel software logic, card/terminal interaction. Level 3 — end-to-end payment application integration with acquirer host.

PCI SSC

PCI PTS / P2PE

PCI PIN Transaction Security / Point-to-Point Encryption

PCI PTS approval for PIN entry devices (PED). P2PE component listing for encryption devices, decryption environments, and key management. Critical for acquirers and terminal manufacturers.

EMVCo 3DS

3DS Testing

EMVCo 3DS Testing Programme

EMVCo 3DS functional testing for 3DS Requestors (merchants), ACS vendors, and DS (Directory Server) operators. Covers 3DS 2.x frictionless, challenge, and decoupled authentication flows.

Mastercard

MTIP — Mastercard Terminal Integration Process

MTIP is the mandatory Mastercard approval process for acquirer-connected payment terminals. No terminal may go live on the Mastercard network without a valid MTIP approval.

MTIP Phases

01
Registration — the acquirer or terminal manufacturer submits an MTIP registration to Mastercard via the Global Certification Management System (GCMS). Registration requires a completed Technical Information Package (TIP) describing the terminal hardware, software version, kernel type (contact / contactless), and the acquiring host they will connect to. Mastercard assigns a Test Facility and provides a test schedule.
02
Test Script Execution — test cases are executed at the designated Test Facility (or via self-testing using the MIP simulator for certain categories) against a Mastercard-approved host simulator. Each test case produces a pass/fail result with field-level evidence (request/response hex logs, terminal display captures). Evidence is compiled into a Test Evidence Package (TEP).
03
Submission — the completed TEP is submitted through GCMS. Mastercard reviewers examine the evidence for each test case. Minor discrepancies may be resolved via clarification; significant failures require remediation and re-testing.
04
Approval — on successful review, Mastercard issues a Letter of Approval (LoA) confirming the terminal type and software version is approved for live deployment on the Mastercard network. The LoA specifies the approved software version string — any version change requires a delta or full re-certification.

Test Script Categories

Magnetic Stripe

  • Track 1 and Track 2 read and parse accuracy
  • Service code interpretation (101, 120, 121, 201, 221)
  • Fallback to manual entry when swipe fails
  • PAN masking on receipt and display

EMV Contact (Chip)

  • Application selection — PSE, PPSE, direct selection
  • Offline data authentication (SDA, DDA, CDA)
  • Cardholder verification methods — PIN (offline/online), signature, no CVM
  • Terminal risk management — floor limits, velocity checks
  • Action analysis — TAC/IAC application and cryptogram request
  • Issuer script processing (post-auth script 71/72)

EMV Contactless — PayPass / MCCS

  • PPSE selection and kernel routing
  • Mastercard Contactless Kernel 2 (MCCS) test cases
  • CVM limit and contactless limit enforcement
  • Online / offline cryptogram processing
  • CDCVM (consumer device CVM) for mobile wallet transactions

Fallback Transactions

  • Chip-to-magnetic stripe fallback — correct DE22 fallback indicator
  • Contactless-to-contact fallback
  • Fallback declined at terminal vs allowed by terminal policy
  • Acquirer fallback rules and Mastercard fallback monitoring thresholds

Common MTIP Failure Points

Most common MTIP failures we see across client submissions — address these early to avoid costly re-test cycles.
  • AIP (Application Interchange Profile) handling — terminal incorrectly interprets AIP byte 1 bit 6 (CDA supported) or bit 7 (SDA only). If the card indicates CDA support but the terminal attempts DDA, the test case fails ODA validation.
  • CVM Result byte — DE55 tag 9F34 (Cardholder Verification Method Results) must correctly reflect the CVM performed and the CVM result (successful/failed). Terminals that hard-code this byte rather than computing it dynamically fail CVM combination test cases.
  • ODA (Offline Data Authentication) validation — SDA signature verification using the Certification Authority public key → Issuer public key → signed static data chain. Incorrect handling of padding (PKCS#1 v1.5), certificate expiry, or revoked CA keys are common failure modes in test environments where expired test CA keys are not refreshed.
  • Host simulation requirements — the acquirer host simulator must support approved, declined, referral (DE39=01), and partial approval responses. Some MTIP test cases require issuer script (tags 71/72) delivery in the 0210 response. Hosts that cannot inject issuer scripts will fail those test cases.
  • MTIP test case numbering — Mastercard MTIP test cases follow the convention MC_<category>_<subcategory>_<sequence>, e.g. MC_CL_MCCS_001 (Contactless, MCCS kernel, case 1). Evidence must reference the exact test case ID — mismatched IDs cause submission rejections.
Visa

ADVT — Acquirer Device Validation Toolkit

Visa’s ADVT programme validates that POS and ATM devices connected to acquiring hosts correctly implement Visa chip and contactless specifications. Approval is mandatory for Visa deployment in all regions.

ADVT Toolkit Setup & Test Case Management

ADVT is a self-test toolkit distributed by Visa to registered acquirers and test facilities. The toolkit includes a host simulator component and a set of scripted test cases. Setup steps:

  • Environment configuration — the ADVT host simulator is configured with the acquirer’s terminal profile (terminal type, capabilities, floor limit configuration, random transaction selection parameters). Mismatches between the ADVT simulator configuration and the real host configuration are a frequent source of test failures that only manifest in production.
  • Terminal connection — the terminal under test connects to the ADVT host simulator over the standard ISO 8583 interface. Message format, header structure, and bit conventions must match exactly.
  • Test case management — the ADVT toolkit tracks pass/fail status for each test case and generates a summary report. All PASS results with field-level evidence must be included in the submission package to Visa’s VIST (Visa Integrated Software Testing) portal.

Visa payWave (VCPS 2.2) Contactless Test Cases

ADVT contactless test cases validate correct implementation of the Visa Contactless Payment Specification (VCPS) version 2.2 and the associated Visa Contactless Kernel (VCK):

  • PPSE response parsing and Visa AID (A0000000031010) selection via kernel routing
  • Contactless transaction limits — CVM limit enforcement (transactions below CVM limit proceed without PIN; above require online PIN or decline based on terminal config), contactless transaction limit (hard decline above threshold), and offline limit
  • Online authorisation — ARQC verification and ARPC generation for online-capable cards; correct DE55 construction with mandatory tags (9F26 ARQC, 9F36 ATC, 9F10 IAD, 9F37 unpredictable number, 9F02 amount, 5F2A currency code)
  • Visa payWave Express Payments — low-value transactions using the Visa Contactless Quick Payment Service (qVSDC) — offline-only cryptogram without issuer script support

Common ADVT Failures

  • TAC/IAC combination errors — the terminal combines its Terminal Action Codes (TAC-Denial, TAC-Online, TAC-Default) with the card’s Issuer Action Codes (IAC) using bitwise AND. Incorrect implementation — such as using OR instead of AND, or ignoring the IAC entirely — produces incorrect online/offline decisions that fail ADVT action analysis test cases.
  • Floor limit application — transactions below the terminal floor limit should be processed offline (when card and terminal capabilities allow). Terminals that always go online regardless of amount fail the offline transaction test cases. Conversely, terminals that apply the floor limit to contactless transactions where Visa requires online processing above CVM limit also fail.
  • Velocity checking — terminals must implement a consecutive transaction counter and a consecutive transaction amount limit to prevent offline fraud on contactless cards. Failure to correctly reset these counters on successful online authorisation is a common failure mode.
Multi-Scheme

CDET — Card Data Entry Device Testing

CDET validates the data entry functionality of payment terminals and devices — the foundational layer beneath EMV and scheme certification.

Scope: PED / SCR / CHD Devices

PED (PIN Entry Device)

Hardware-secured devices for PIN entry. CDET validates keypad response, character display masking, PIN bypass (no-PIN CVM), and correct PIN block formation before encryption.

SCR (Smartcard Reader)

Contact chip card readers. CDET validates correct card detection, power-up sequence, ATR (Answer to Reset) handling, T=0 and T=1 protocol support, and card removal detection.

CHD (Contactless RF Interface)

NFC/contactless readers. CDET validates RF field strength, anti-collision handling, Type A and Type B card detection, and correct polling loop implementation.

Test Categories

  • Character sets — full Latin character set entry, including uppercase, lowercase, and digits. Display must accurately render all entered characters without substitution or omission.
  • Special characters — symbols including @ # $ % & * ( ) and currency symbols. Critical for amount display and receipt printing accuracy. Many terminal firmware implementations handle only ASCII 32–127 and fail on extended or locale-specific characters.
  • Function keys — Enter, Cancel, Clear (backspace), and numeric function key mapping. Test cases verify correct action on each key press, including correct handling of multiple consecutive Clear presses and Cancel during PIN entry.
  • Card swipe (magnetic stripe) — correct Track 1 and Track 2 read across varying swipe speeds (slow, normal, fast), partial track data handling, and correct error reporting on bad-read events.
  • Card insert (contact chip) — chip card insertion detection, power-up timing, and card removal detection including mid-transaction card removal handling.
  • Card tap (contactless) — NFC polling activation timing, multi-card (card clash) detection and error message, and successful read within the required RF field envelope.
Simulators & Test Platforms

Third-Party Simulators & Scheme Test Platforms

Certification testing relies on approved simulator platforms. Our consultants have hands-on experience with all major tools used in Visa, Mastercard and EMVCo certification programmes.

Paragon (BASE24 Simulation)

Paragon provides ISO 8583 host simulation environments based on ACI Worldwide’s BASE24 switch platform — widely deployed at major acquirers and issuers globally. Paragon simulators are used in MTIP, ADVT, and domestic scheme certifications. Key capabilities:

  • Configurable response code injection for approval, decline, referral, and timeout scenarios
  • Issuer script (DE55 tag 71/72) injection for post-authorisation testing
  • Partial approval response testing (DE38 and DE54 configured per test case)
  • Full message logging with hex dump and field decode for evidence generation

Fime Test Platforms

Fime offers accredited laboratory services and test tools for EMVCo Level 1, Level 2, and Level 3 certification, as well as scheme certifications (MTIP, ADVT). Fime’s CAT (Contactless Automated Test) tool is widely used for Level 2 contactless kernel self-testing. Fime laboratories are recognised by both Visa and Mastercard as approved test facilities.

  • EMVCo L1 RF conformance testing with calibrated field strength measurement
  • L2 automated test script execution with card simulation
  • Formal test report generation accepted by EMVCo Letter of Approval process

UL / Collis Test Platforms

UL (formerly Collis) provides the Card Suite and Terminal Evaluation System (TES) test tools widely used for EMV and contactless kernel testing. UL Certification Laboratories are EMVCo-approved and offer testing services for all EMV transaction types. The UL Card Suite is commonly used by terminal manufacturers for pre-certification self-testing before formal submission.

Visa VTC & Mastercard MIP Simulator

Visa Test Center (VTC) — Visa’s own cloud-based test environment for ADVT and Visa chip certification. Provides scripted test cases, message logging, and automated pass/fail evaluation. VTC access is provisioned via the Visa Merchant Data Service portal to registered acquirers and test facilities.

Mastercard MIP Simulator — the Mastercard Interface Processor simulator validates ISO 8583 message construction, DE content, and transaction flow for all MTIP test case categories. Available through the Mastercard Connect developer portal to registered programme participants.

Frequently Asked Questions

Common questions from terminal manufacturers, acquirers and payment system integrators preparing for certification.

Mastercard Terminal Integration Process (MTIP) is the mandatory certification for terminals and POS systems that support Mastercard chip transactions. The process has three phases: pre-testing (self-assessment against the MTIP test plan, test script preparation, and engagement with a Mastercard-approved test tool); formal testing (execution of the defined test cases against the candidate terminal, typically using the Mastercard test tool or an approved simulator); and submission (uploading test results to the Mastercard certification portal with defect justifications). Timeline varies significantly based on preparation quality. Well-prepared teams with clean test scripts typically complete formal testing in 5–10 business days; teams with significant defects entering formal testing can take 6–12 weeks including defect rework cycles. FinPay's approach is to run a full pre-certification dry run before entering formal testing, achieving a clean first submission in every engagement to date.

Based on scheme defect reports, the most frequent MTIP defect categories are: incorrect or missing DE 55 ICC data — particularly ARQC generation errors, missing mandatory tags (e.g. 9F10, 9F26, 9F37), or incorrect ATC handling; DE 22 POS Entry Mode errors where the terminal reports an incorrect entry mode for chip, contactless, or fallback transactions; and CVM processing failures — incorrect CVM Result (tag 9F34) or failure to correctly handle the CVM list. For ADVT (Acquirer Device Validation Toolkit), common failures relate to contactless kernel configuration — incorrect UDOL or CDOL handling, improper PPSE directory selection, and incorrect handling of the Contactless Transaction Limit versus the CVM Required Limit. These defects are preventable with thorough pre-testing against the published test plan before formal submission.

MTIP is issuer-focused: it tests the issuer host's ability to correctly process chip transactions — ARQC verification, issuer script generation, risk management parameters, and response code handling. The candidate under test is the issuer's authorisation system and HSM. ADVT (Acquirer Device Validation Toolkit) is acquirer/terminal-focused: it tests the terminal's EMV kernel implementation against a simulated card (the ADVT card simulator), validating correct kernel flow, data element handling, and kernel configuration. CDET (Contactless Device Evaluation Tool) is the contactless-specific extension of ADVT, testing the contactless kernel (PayPass/M/Chip Advance or Visa payWave) configuration. MTIP requires an HSM and live host connection; ADVT/CDET require only the terminal and the test tool. Many acquirers must complete both MTIP (for issuer hosts) and ADVT (for terminal estate) as part of a full Mastercard certification.

Ready to accelerate your certification programme?

Whether you’re preparing for a first MTIP or ADVT submission, remediating after a failure, or planning a re-certification for a software upgrade, our consultants can reduce your time to approval and minimise costly re-test cycles. Engagements are available from a readiness assessment through to full certification project management.

Book a Certification Review ISO 8583 & 20022 Expertise