Common Criteria for Smart Cards

Understanding EAL levels and certification process.

Common Criteria (CC, ISO/IEC 15408) is the international framework for evaluating and certifying the security properties of IT products, including smart cards and secure elements. A CC certificate from an accredited evaluation laboratory gives procurers an independent, reproducible assurance that a card's EAL claims are genuine.

Use the EAL Comparator to compare evaluation levels across card families and understand which assurance tier matches your deployment requirements.

EAL Levels — Assurance Hierarchy

Common Criteria defines seven Evaluation Assurance Levels. Each level adds more rigorous analysis and documentation requirements than the last. Smart cards are almost universally evaluated at EAL4+ or higher.

| EAL | Name | Key methods | Typical use |
|---|---|---|---|
| EAL1 | Functionally tested | Functional testing only | Low-risk general IT |
| EAL2 | Structurally tested | Grey-box testing, vulnerability search | Legacy systems |
| EAL3 | Methodically tested | White-box testing, development lifecycle | Access control hardware |
| EAL4 | Methodically designed and tested | Formal design, independent pen test | Smartcard baseline, most ID cards |
| EAL4+ | EAL4 augmented | Additional assurance components (e.g. ALC_DVS.2) | ePassport, payment chips |
| EAL5 | Semiformally designed | Semiformal design and architecture verification | High-security government |
| EAL5+ | EAL5 augmented | AVA_VAN.5 (high attack potential) | National ID, CAC, PIV |
| EAL6 | Semiformally verified design | Formal policy model | Cryptographic HSM modules |
| EAL7 | Formally verified design | Full formal verification | Classified / military |

Most commercial smart cards target EAL4+ with AVA_VAN.5 augmentation, which requires the evaluator to demonstrate resistance against attackers with high attack potential — the standard used to certify chips for European national eID, EMV, and banking programmes.

Protection Profiles

A Protection Profile (PP) is a reusable security requirements document authored by a community of interest rather than a single vendor. A card that claims conformance to a PP must satisfy all requirements in that PP, enabling procurement based on standardised benchmarks rather than vendor-specific Security Targets.

| Protection Profile | Domain | Common CC scheme |
|---|---|---|
| BSI-PP-0084 (PP for SSCD) | Qualified electronic signatures | European (BSI/ANSSI) |
| PP-0099 Security IC | Chip hardware platform | JIL (SOGIS) |
| PP-0117 Composite Smart Card | Multi-application cards | SOGIS MRA |
| PP for ePassport | ICAO 9303 Machine Readable Travel Documents | International |
| EMVCo PP for Payment ICC | EMV payment cards | EMVCo/JIL |

Composite evaluation — where the chip hardware PP is evaluated separately from the OS and applet PPs — allows silicon vendors, OS developers, and application providers to each hold their own certificates and combine them without full re-evaluation.

Certification Process

The Common Criteria evaluation workflow follows five phases:

  1. Security Target authoring — The developer writes the Security Target (ST), which specifies the protection profile conformance claims, Security Functional Requirements (SFRs), and Security Assurance Requirements (SARs) the product must satisfy.

  2. Evaluation by ITSEF — An accredited IT Security Evaluation Facility (ITSEF) performs independent testing: functional testing, design analysis, vulnerability analysis (penetration testing) rated to the claimed EAL.

  3. Certification body review — A national scheme (BSI in Germany, ANSSI in France, NLNCSA in the Netherlands, etc.) reviews the evaluation report and issues the certificate.

  4. Mutual recognition — Certificates issued under SOGIS-MRA (Europe) or CCRA (global, up to EAL2 for hardware; specific domains up to EAL4) are mutually recognised across signatory nations — a single evaluation can cover multiple markets.

  5. Maintenance and re-evaluation — A certified product that undergoes significant change must undergo delta evaluation or re-evaluation. Minor non-security changes may be handled by an Assurance Continuity (ACO) process.

Practical Implications for Smart Card Buyers

When procuring certified smart cards, verify:

  • The certificate is current (not expired or withdrawn) on the issuing scheme's public register
  • The scope (TOE boundary) covers the applet or OS version you will actually deploy
  • The attack potential in AVA_VAN matches your threat model: AVA_VAN.3 (moderate) is insufficient for high-value credentials; AVA_VAN.5 (high) is the minimum for government identity documents and banking chips
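
The three checks above as a small script, added here as an illustration and not taken from any scheme or vendor tooling. The record fields (`status`, `valid_until`, `toe_versions`, `assurance`) and both certificates are constructed; the baseline AVA_VAN level per EAL package is taken from CC v3.1 Part 3 and goes beyond what this page states.

```python
import re
from datetime import date

# AVA_VAN level already included in each base EAL package (CC v3.1 Part 3).
BASE_AVA_VAN = {1: 1, 2: 2, 3: 2, 4: 3, 5: 4, 6: 5, 7: 5}

def parse_assurance(claim):
    """Split a claim such as 'EAL4 augmented with ALC_DVS.2' into
    (base EAL, {component family: level})."""
    eal = re.search(r"EAL\s*([1-7])", claim)
    if not eal:
        raise ValueError(f"no EAL in claim: {claim!r}")
    comps = {fam: int(lvl)
             for fam, lvl in re.findall(r"\b([A-Z]{3}_[A-Z]{3})\.(\d)\b", claim)}
    return int(eal.group(1)), comps

def effective_ava_van(claim):
    """AVA_VAN level actually evaluated: base package or augmentation."""
    eal, comps = parse_assurance(claim)
    return max(BASE_AVA_VAN[eal], comps.get("AVA_VAN", 0))

def check_certificate(cert, deployed_version, required_ava_van, today):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    if cert["status"] != "valid" or cert["valid_until"] < today:
        findings.append("certificate is expired or withdrawn")
    if deployed_version not in cert["toe_versions"]:
        findings.append(f"version {deployed_version} is outside the TOE scope")
    level = effective_ava_van(cert["assurance"])
    if level < required_ava_van:
        findings.append(f"AVA_VAN.{level} is below required AVA_VAN.{required_ava_van}")
    return findings

# Constructed register entries (not real certificates).
CERT_A = {"status": "valid", "valid_until": date(2027, 6, 30),
          "toe_versions": {"OS 3.1.0", "OS 3.1.2"},
          "assurance": "EAL4 augmented with ALC_DVS.2"}
CERT_B = {"status": "valid", "valid_until": date(2027, 6, 30),
          "toe_versions": {"OS 3.1.0"},
          "assurance": "EAL5 augmented with ALC_DVS.2, AVA_VAN.5"}

if __name__ == "__main__":
    today = date(2025, 1, 15)
    for name, cert, ver in [("A", CERT_A, "OS 3.1.2"), ("B", CERT_B, "OS 3.2.0")]:
        print(name, check_certificate(cert, ver, 5, today) or "ok")
```

Certificate A shows why the "+" alone says little: augmented only with ALC_DVS.2, it still carries the EAL4 baseline of AVA_VAN.3.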

See Key Management for Smart Cards for how certified hardware roots support HSM-backed key hierarchies in real deployments.

Frequently asked questions

Common Criteria (ISO/IEC 15408) is the international framework for evaluating IT product security. For smart cards, a CC certificate provides independent assurance that the chip hardware, operating system, and application meet defined security requirements. Governments, payment schemes, and enterprises mandate CC certification — typically EAL4+ for payment and EAL5+ or higher for passports and national ID — before deployment.

EAL4+ (Methodically Designed, Tested, and Reviewed) involves systematic vulnerability analysis and is standard for payment card platforms. EAL5+ (Semiformally Designed and Tested) requires formal security modeling and is mandated for ePassport chips and high-assurance government credentials. EAL6 (Semiformally Verified Design and Tested) adds semiformal verification of the implementation and is used for the most sensitive secure elements such as SIM/eSIM platforms and military applications.

A Protection Profile (PP) is a reusable, implementation-independent security specification for a product category. BSI and other national bodies publish smart card PPs such as the 'Security IC Platform Protection Profile' (BSI-PP-0084) for hardware and the 'JavaCard System' PP for JVM platforms. Vendors evaluate against a PP to achieve a Standard Configuration certificate, simplifying procurement without requiring custom Security Targets per model.

A full CC evaluation for a smart card platform at EAL5+ typically takes 12–24 months, depending on the complexity of the TOE (Target of Evaluation), the evaluation laboratory's workload, and the certification body's review process. Composite evaluations — where a pre-certified hardware platform is reused and only the application layer is evaluated — can reduce timelines to 3–9 months for qualifying products.

Our guides cover a range of experience levels. Getting Started guides introduce smart card fundamentals. Security guides address Common Criteria certification and key management. Programming guides target developers working with APDU commands, JavaCard applets, and GlobalPlatform card management.