INTRODUCTION
This white paper examines the reasons behind the rising interest in new domestic payment schemes, the technical requirements for establishing such schemes, and the value proposition of an EMV Certificate Authority (EMV CA), particularly Cryptomathic's ObsidianCA, as the essential cryptographic root of trust for any new payment scheme.
WHY DO NEW DOMESTIC PAYMENT SCHEMES EMERGE?
The global card payment landscape has long been dominated by international card schemes like Visa, Mastercard, and American Express, which process the majority of transactions worldwide. In the Eurozone, for example, Visa and Mastercard together handle roughly two-thirds of all card transactions – illustrating the extent of dependence on these external networks. This dominance has prompted many regions to re-evaluate their payment sovereignty.
PAYMENT SOVEREIGNTY
Sovereignty is a primary motivation. Governments and central banks are increasingly concerned that relying on foreign-controlled payment rails could pose risks to national interests. Two factors highlight this concern:
- Geopolitical Risks: International card companies are subject to home-country policies and sanctions. For instance, when Visa and Mastercard suspended operations in certain markets (e.g., Russia in 2022), those countries were suddenly cut off. This incident demonstrated the danger of over-reliance on external networks; the same risk has motivated countries like Turkey, Russia, India, Brazil, Egypt and Saudi Arabia to develop domestic card schemes (e.g. Troy, Mir, RuPay, Elo, Meeza, Mada), most of them well before 2022, to ensure continuity of service.
- Control Over Data and Operations: Owning a domestic scheme means sensitive payments data stays within local jurisdiction and is governed by local regulations. This can enhance data security and privacy under domestic laws.
COST OF TRANSACTION FEES
Another compelling driver is the financial cost of international network fees. Global card networks charge interchange and scheme fees for every transaction, which for domestic economies represent a direct outflow of money. Even if each transaction fee is small (fractions of a percent), the aggregate is enormous given the volume of transactions.
In Europe, retailers faced card commission increases of 34% between 2018 and 2022, reflecting rising costs of using global networks. These fees contribute to billions in annual revenue for the big networks, meaning billions leaving local banking ecosystems. By establishing a local scheme, countries hope to retain that revenue domestically and offer lower fees to merchants and issuers. Lower fees can incentivize businesses to adopt the local scheme, further reinforcing its usage.
LOCAL ECONOMIC DEVELOPMENT
Beyond sovereignty and cost, having a domestic payment network can spur local innovation and competition. It allows local banks, fintechs and processors to collaboratively develop tailored solutions (for example, linking with national ID programs or local mobile money systems) without being constrained by the business rules of global giants.
This trend is evident worldwide:
- Europe: The European Union launched the European Payments Initiative (EPI) to create a unified European scheme (with a new card and digital wallet) as an alternative to Visa/Mastercard. The goals include European control over a system that handles trillions of euros in payments and keeping fee revenues and consumer data under EU governance.
- Asia: India’s RuPay card scheme, launched by the National Payments Corporation of India, has grown rapidly under government support, capturing significant market share and saving local banks the hefty fees that would otherwise go to foreign networks. China’s UnionPay (though globally significant now) started essentially as a domestic scheme.
- Middle East & Africa: Mada in Saudi Arabia and Meeza in Egypt are examples of government-backed domestic networks aimed at greater financial independence. These schemes often began as debit card networks and expanded into broader digital payments. In several African countries (Nigeria, Kenya, etc.), discussions are underway to build regional switches or schemes to reduce dependence on international cards.
- Latin America: Brazil’s Elo is a domestic scheme created to compete with international players, and it has seen adoption for similar sovereignty and cost reasons.
PAYMENT SCHEMES FOR CLOSED LOOP SYSTEMS
Many closed-loop payment systems, in transit, fuel cards and EV charging for example, are deployed or being deployed on EMV standards, or are currently migrating to them.
Card specifications such as Thales PURE or those of the White Label Alliance (WLA) are used for these cards. Such systems therefore also need their own EMV Certificate Authority to support offline card authentication: because the cards run under the system's own RID rather than an international scheme's, the acceptance terminals need a CA public key for that RID.
WHAT ARE THE REQUIREMENTS TO SET UP A NEW PAYMENT SCHEME?
Launching a new payment scheme is a complex endeavor. It requires not only strategic vision but also significant technical infrastructure to mirror what global networks provide. Below, we outline the key technical components and considerations.
EMVCO STANDARD COMPLIANCE
To ensure interoperability with the vast existing card ecosystem, new schemes almost universally adopt the EMV standards (originally developed by Europay, Mastercard, Visa). EMVCo specifications define the chip card technology and cryptographic processes that allow secure transactions. Domestic schemes use EMV so that any cards they issue can work in standard point-of-sale (POS) terminals and ATMs, and so that international acceptance is possible when desired.
EMV CERTIFICATE AUTHORITY
A critical component of the technical infrastructure is the EMV Certificate Authority. In an EMV chip transaction, and in particular when the card is authenticated offline (SDA, DDA or CDA), trust is established through a chain of RSA public-key certificates:
- The EMV CA is the top-level root of trust. It digitally signs the public keys of the scheme's card issuers, which lets a payment terminal verify that a card was issued by a bank that belongs to the scheme. In practice, each card carries an Issuer Public Key Certificate signed by the scheme's CA (and, for DDA/CDA, an ICC public key certificate signed by the issuer). The terminal holds the scheme CA's public key, identified by the scheme's RID and a CA Public Key Index, distributed to all acquirers and terminal vendors.
- Setting up a domestic EMV CA means generating a root key pair inside an HSM and distributing the public key to all acceptance points. The CA then signs each issuer's public key and returns the Issuer Public Key Certificate, which is loaded onto that issuer's cards during personalization. As a result, even when a transaction is processed offline (no immediate connection to the issuer), the terminal can authenticate the card because the card's certificates chain up to the scheme CA key the terminal already trusts. Note that this chain authenticates the card to the terminal only; the card does not authenticate the terminal.
- The EMV CA must follow the EMV certificate format and policies. Typically, domestic schemes either hire an experienced provider or use a product like Cryptomathic's ObsidianCA to implement this. The CA system should handle the full lifecycle: generating the CA keys, renewing them before expiration, signing issuer certificates, managing the Certificate Revocation Lists (CRLs) that acquirers load into terminals, and ensuring all processes are secure and compliant with EMVCo and PCI standards.
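As an added worked example (not Cryptomathic's code and not any scheme's reference implementation), the Python script below builds an Issuer Public Key Certificate the way EMV Book 2 lays it out (certificate format 0x02, RSA signature with message recovery, SHA-1 hash, 0x6A header and 0xBC trailer) and then performs the terminal-side recovery and checks: trailer and header, certificate format, hash over the certificate body plus the Issuer PK Remainder and exponent, issuer identifier against the PAN, expiry date and CRL lookup. The CA and issuer keys, the RID A000000099, the PAN, the serial number and the dates are all constructed for the example; in a real scheme the CA private key lives in an HSM and the pow() call stands in for the HSM signing command.

```python
"""EMV issuer public key certificate: scheme CA signing and terminal verification.
Added example, not Cryptomathic's or any scheme's code. Keys, RID, PAN, dates and
serial numbers are constructed; SHA-1 and format 0x02 are what EMV Book 2 specifies."""
import hashlib
import random


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; fine for a toy key, not a substitute for an HSM's generator."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_rsa(bits, e=65537):
    """Toy RSA key. Primes with the top two bits set give a modulus whose leading byte
    is at least 0x90, so the 0x6A-headed data block is always below n (EMV needs this)."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (3 << (b - 2)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def _b(i):  # minimal big-endian encoding of an integer
    return i.to_bytes((i.bit_length() + 7) // 8, "big")


def issuer_id_from_pan(pan, digits=6):
    """Issuer Identifier: leftmost 3-8 PAN digits, right-padded with hex F to 4 bytes."""
    return bytes.fromhex(pan[:digits].ljust(8, "F"))


def ca_sign_issuer_pk(ca, issuer_pub, issuer_id, expiry_mmyy, serial):
    """CA side: build the format-02 data block and sign it (the step an HSM performs)."""
    n_ca = len(_b(ca["n"]))
    mod, exp = _b(issuer_pub["n"]), _b(issuer_pub["e"])
    room = n_ca - 36                          # bytes of issuer modulus that fit in the cert
    leftmost = mod[:room].ljust(room, b"\xBB")
    remainder = mod[room:]                    # travels on the card as Issuer PK Remainder
    body = (b"\x02" + issuer_id + expiry_mmyy + serial + b"\x01\x01"
            + bytes([len(mod), len(exp)]) + leftmost)
    digest = hashlib.sha1(body + remainder + exp).digest()   # hash covers remainder + exponent
    block = b"\x6A" + body + digest + b"\xBC"
    sig = pow(int.from_bytes(block, "big"), ca["d"], ca["n"])
    return {"cert": sig.to_bytes(n_ca, "big"), "remainder": remainder, "exponent": exp}


def terminal_verify(ca_table, crl, rid, ca_index, cert, remainder, exponent, pan, now_yyyymm):
    """Terminal side (EMV Book 2, section 6.3). Returns (issuer public key or None, reason)."""
    ca = ca_table.get((rid, ca_index))
    if ca is None:
        return None, "no CA public key for this RID/index"
    n_ca = len(_b(ca["n"]))
    if len(cert) != n_ca:
        return None, "certificate length differs from N_CA"
    x = pow(int.from_bytes(cert, "big"), ca["e"], ca["n"]).to_bytes(n_ca, "big")
    if x[-1] != 0xBC or x[0] != 0x6A or x[1] != 0x02:
        return None, "bad trailer, header or certificate format"
    issuer_id, expiry, serial = x[2:6], x[6:8], x[8:11]
    hash_alg, pk_alg, n_i, e_len = x[11], x[12], x[13], x[14]
    leftmost, digest = x[15:15 + n_ca - 36], x[15 + n_ca - 36:-1]
    if hash_alg != 0x01 or pk_alg != 0x01 or len(exponent) != e_len:
        return None, "unsupported algorithm or exponent length"
    if hashlib.sha1(x[1:15 + n_ca - 36] + remainder + exponent).digest() != digest:
        return None, "hash mismatch"
    if not pan.startswith(issuer_id.hex().upper().rstrip("F")):
        return None, "issuer identifier does not match PAN"
    if (2000 + int(expiry[1:].hex())) * 100 + int(expiry[:1].hex()) < now_yyyymm:
        return None, "certificate expired"
    if (rid, ca_index, serial) in crl:           # CRL entries are (RID, CA PK index, serial)
        return None, "certificate revoked"
    pk = (leftmost + remainder)[:n_i]
    return {"n": int.from_bytes(pk, "big"), "e": int.from_bytes(exponent, "big")}, "ok"


def run_scenarios():
    """Sign one issuer key, then run the terminal checks in several situations."""
    random.seed(7)                            # deterministic toy keys; never seed real key generation
    ca, issuer = gen_rsa(1024), gen_rsa(1024)
    rid, idx = bytes.fromhex("A000000099"), 0x01      # constructed RID and CA PK index
    ca_table = {(rid, idx): {"n": ca["n"], "e": ca["e"]}}   # what a terminal holds
    pan, serial = "4123450000001234", bytes.fromhex("000042")
    s = ca_sign_issuer_pk(ca, issuer, issuer_id_from_pan(pan), bytes.fromhex("1230"), serial)
    v = lambda crl=frozenset(), cert=s["cert"], p=pan, now=202506: terminal_verify(
        ca_table, crl, rid, idx, cert, s["remainder"], s["exponent"], p, now)
    tampered = bytes([s["cert"][0] ^ 0x01]) + s["cert"][1:]
    pk, ok = v()
    return {"valid": ok,
            "key_recovered": pk == {"n": issuer["n"], "e": issuer["e"]},
            "revoked": v(crl={(rid, idx, serial)})[1],
            "expired": v(now=203101)[1],
            "wrong_pan": v(p="5123450000001234")[1],
            "tampered": v(cert=tampered)[1]}
```

Calling run_scenarios() returns "ok" for the genuine certificate and the specific failure reason for the revoked, expired, wrong-PAN and tampered cases. Two design points: the issuer modulus here is as long as the CA modulus, so 36 bytes of it travel separately as the Issuer PK Remainder and must be folded into the hash together with the exponent, which is easy to overlook when writing the check; and nothing in this exchange lets the card verify the terminal, so what the CA underwrites is one-way authentication of the card.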
CARD ISSUANCE AND PERSONALIZATION
A new scheme needs its own payment brand on the cards its issuers put in the field (physical chip cards, or digital cards provisioned into mobile phone wallets). Issuers must invest in:
- Card Design & Production: Designing cards with the scheme’s brand and possibly working with card manufacturers to produce chip cards. These cards will carry the scheme’s logo (instead of Visa/MC) and an appropriate BIN (Bank Identification Number) range assigned to the scheme.
- EMV Data Preparation: Preparing the chip data for each card (keys, certificates, personalization data). Tools like Cryptomathic’s CardInk or Obsidian Issuance system can generate EMV chip data and keys at scale for card issuance.
- Card Personalization Equipment: Ensuring card bureaus or issuer sites can load the data onto chips and print/emboss cards. Instant issuance systems might be set up for immediate card delivery in branches or on digital channels for card provisioning into wallets.
PIN MANAGEMENT
If the scheme uses PINs for cardholder verification (as is common for debit), it needs secure systems for PIN generation, storage and distribution. Cryptomathic's portfolio includes a dedicated PIN management solution (ObsidianPIN) that handles PIN selection, PIN mailers or electronic PIN delivery, and compliance with the PCI PIN security requirements.
SECURITY AND PCI COMPLIANCE
All components above must be secured to the level of international standards:
- Certified HSMs (Hardware Security Modules): Critical cryptographic operations (card personalization data preparation, PIN generation and, above all, EMV CA signing) must be performed inside HSMs certified to FIPS 140-2 Level 3 (or its successor, FIPS 140-3) or PCI PTS HSM. HSMs keep master keys and CA private keys from ever being exposed in plaintext outside the device.
- PCI Compliance: The scheme infrastructure will need to comply with PCI DSS for data security, PCI CP (Card Production) for card issuance security, and likely PCI PIN standards if handling PINs. Leveraging vendors experienced in these areas (like Cryptomathic) helps meet these requirements through pre-designed secure systems and procedures.
INTEROPERABILITY AND PARTNERSHIPS CONSIDERATIONS
Often, new schemes consider co-badging or interoperability agreements with international networks for broader acceptance. For example, a domestic card might carry both the local scheme logo and a Visa/Mastercard logo, using the domestic network when used in-country and an international network abroad. This requires technical and business arrangements but can greatly increase a new card’s utility. Alternatively, partnerships like bilateral links between domestic schemes (as Discover has done by allying with many local networks) can extend acceptance without each scheme joining the global giants.
EMV CA - THE ESSENTIAL ROOT OF TRUST OF PAYMENT SCHEMES
ObsidianCA is the EMV Certificate Authority product offered by Cryptomathic, allowing payment schemes to deploy their root of trust and to manage CA keys and issue EMV certificates.
MAIN FUNCTIONS
Cryptomathic's ObsidianCA allows managing all CA and Issuer certificate functions, including:
- Creation of multiple EMV CAs
- Lifecycle management of EMV CA root keys and associated CA certificates
- Export of CA certificates for distribution to acquirers
- Export of the CA's Certificate Revocation Lists (CA CRL)
- Signing of issuer certificates
- Lifecycle management of issuer certificates
- Export of the Issuer's Certificate Revocation Lists (Issuer CRL)
Additionally, it supports a choice of certificate request/response formats and produces certificates in the standard EMV certificate format.
ARCHITECTURE
The architecture of the Cryptomathic ObsidianCA solution is shown in the following figure:
Figure 1. Obsidian CA Architecture (backup is not shown)
The ObsidianCA solution comprises the following components:
- ObsidianCA Administration Client: Administrators authenticate with smart cards and use the Administration Client to perform the required operational tasks.
- ObsidianCA Server: The Server manages the certificates. Administrators set up CAs, and operators issue certificates for Issuers.
- HSM: A FIPS 140-2 Level 3 HSM provides secure key handling. CA keys are encrypted under a master key before they are stored in the database, and the master key never leaves the HSM in plaintext, which is what protects the operational security of the solution.
- Database: The database stores all application data.
To ensure resilience, Cryptomathic recommends one ObsidianCA Server for production (primary), one for backup and disaster recovery (secondary), and one for testing. The database is replicated between the primary and secondary sites. The test environment can be deployed with a software HSM instead of a physical one.
BENEFITS
PROVEN TRACK RECORD
ObsidianCA is a market-proven platform, serving as the root of trust for over 15 national debit/credit schemes around the world, collectively securing over 250 million cards. It has been deployed in many countries and in different regions by central banks and financial institutions. This wide adoption demonstrates confidence in its reliability and security.
COMPLIANCE AND STANDARDS
ObsidianCA was built in alignment with EMVCo standards and supports the certificate formats of the major schemes as well as proprietary ones. This means it can handle the specific certificate request/response formats that issuers use, provided they follow EMVCo requirements. It is built to operate within PCI DSS-compliant environments and keeps all private keys in FIPS 140-2 Level 3 HSMs, so the CA setup meets industry security benchmarks.
COMPREHENSIVE CERTIFICATE LIFE CYCLE MANAGEMENT
The system manages the full lifecycle of CA and issuer certificates:
- Creation of multiple CA instances (if a country runs multiple hierarchies or a test CA vs. production CA).
- Generation and secure storage of CA key pairs (within HSMs only).
- Issuing (signing) of Issuer certificates upon receiving certificate signing requests from issuers.
- Exporting public CA certificates (for distribution to acquirers and device manufacturers so they can load the trust anchor).
- Handling Certificate Revocation Lists (CRLs) for both CA and issuer certificates, to revoke any compromised or retired keys.
- Everything is done with strong administrative controls, including dual approvals for sensitive actions (e.g., two authorized admins to create a new CA or sign a CA certificate) and robust audit logging of every operation. This ensures traceability and trustworthiness of the CA operations, which is crucial when the CA underpins an entire payment scheme’s security.
SECURITY AND KEY MANAGEMENT
All private keys in ObsidianCA are protected by hardware. Cryptomathic’s solution integrates with certified Hardware Security Modules so that the CA’s private signing key is never exposed in software. Issuer certificates are signed inside the HSM, and key material is encrypted even in the database. The system supports multi-factor admin authentication (e.g., smart cards for admin login) and enforces role-based access control (segregating duties of Administrator, Operator, Auditor roles). This design means internal threats are mitigated – even an operator of the system cannot single-handedly compromise keys or issue rogue certificates without proper authorization and multiple people’s consent.
HIGH AVAILABILITY AND SCALING
ObsidianCA supports deployment in a clustered environment for high availability. For example, a primary and a backup CA server can run in two data centers with a replicated database, so that an outage at one site does not bring down the CA service. This matters for a live scheme, as card issuance or certificate status updates should not be delayed. The system's ability to run multiple logical CAs on one cluster also provides cost efficiency (e.g., one platform can issue certificates for different programs or regions). It is designed to be scalable and stable for both current and future requirements, meaning that as the scheme grows (more issuers, more cards), the CA can handle the increased load without a redesign.
FAST IMPLEMENTATION
Cryptomathic emphasizes that a fully accredited CA can be up and running in under 90 days with ObsidianCA. This rapid deployment is due to the turnkey nature of the product and the expertise Cryptomathic brings. The process includes assisting with certificate profile definitions (setting the right certificate attributes for the scheme), installing and configuring the server and HSMs, and training operators. A quick rollout of the CA accelerates the overall launch timeline of the payment scheme, since card issuers can begin testing and issuing cards sooner.
COST AND OPERATIONAL EFFICIENCY
By providing a centralized CA that can host multiple schemes or multiple issuers, ObsidianCA lowers the cost compared to each issuer running its own CA. Also, its support for the Visa and Mastercard certificate formats means that if the domestic scheme interoperates or co-badges with those networks, the same CA infrastructure can issue certificates recognized by the international schemes as well. This flexibility is a big advantage for countries that might start with a private scheme and later integrate with global networks: they won't need a separate CA for each purpose.
CONCLUSION
Amid a global payment landscape marked by the rapid emergence of new payment schemes—driven by payment sovereignty, cost and local economic development—robust, adaptable EMV CA infrastructure is more critical than ever.
ObsidianCA emerges as an indispensable solution for any organization seeking uncompromising security, operational efficiency, and future-proof scalability in their EMV certificate authority infrastructure.
The product’s robust protections—ranging from hardware-based key management and strict role segregation to comprehensive audit logging—ensure that both internal and external threats are effectively mitigated. Its clustering capabilities and support for rapid deployment mean that critical payment operations remain highly available, with minimal time to production.
Furthermore, the platform's cost efficiency and compliance with EMV standards deliver significant long-term advantages, particularly for schemes intending to expand or interoperate globally. For payment schemes that require a secure, scalable and flexible EMV CA that is both easy to implement and future-ready, ObsidianCA stands out as the clear and reliable choice.
