The Cryptomathic EMV CA is an essential service component for EMV card authentication.  The main purpose of the EMV CA is to allow a central authority to issue and manage the certificates of Card Issuers within a given region.


EMV card authentication is based on PKI (Public Key Infrastructure) but unlike traditional PKI, which is based on a standard called X.509, EMV is a standard of its own. Even though EMV is a proprietary standard it is widely used across the globe, with billions of EMV smart cards issued since its initial roll-out.

EMV CA Diagram 400

A Complete EMV PKI Solution

EMV CA supports several CAs, which may each have a number of self-signed CA certificates.
A CA issues Issuer Personal Key certificates, below IPK certificates, using a specific CA key.  A CA can be set up to be compliant with either MasterCard or VISA. The compliance determines which formats are used for data exchange with other systems. EMV CA manages all certificate related tasks:

  • Lifecycle management of EMV Issuer CA (scheme issuers') certificates
  • Issue certificates
  • Export certificates
  • Revoke certificates
  • Certification authority CRL (Certificate Revocation List)
  • Issuer CRL (Certificate Revocation List)

System Architecture

The architecture of EMV CA is straight forward and easy to set up, and the solution consists of four key elements:

  • EMV CA Server
  • EMV CA Administration Client
  • Database
  • Hardware Security Module (HSM)


EMV CA is designed in a flexible client-server structure enabling the payment scheme provider to tailor the system to the specific needs of its organisation in-line with e.g. regional and national requirements.

Download white paper