GSMA SAS
Compliance
GSMA Security Accreditation Scheme -- a certification program for SIM card manufacturers, eSIM platform operators, and personalization bureaus. SAS-UP covers UICC production security and SAS-SM covers subscription management platform security, ensuring the integrity of telecom credentials throughout the supply chain.
GSMA SAS -- Security Accreditation for SIM/eSIM Manufacturing
The GSMA Security Accreditation Scheme (SAS) is a certification program that audits and accredits organizations involved in the production and management of SIM cards, eSIM/eUICC platforms, and telecom credentials. SAS ensures the integrity and confidentiality of sensitive subscriber data -- including cryptographic keys (Ki, OPc), IMSI values, and operator profiles -- throughout the manufacturing and provisioning supply chain.
Accreditation Tracks
GSMA SAS operates two primary accreditation tracks. SAS-UP (UICC Production) covers the physical manufacturing, electrical personalization, and graphical personalization of SIM cards, evaluating physical site security, personnel vetting, key management procedures, production line integrity, and data handling controls. SAS-SM (Subscription Management) covers SM-DP+ and SM-SR platform operators, evaluating the security of remote profile generation, storage, and delivery for eSIM devices. Both tracks require annual surveillance audits and full re-accreditation every three years.
Audit Scope
A SAS audit examines multiple security domains. Physical security includes perimeter protection, access control, CCTV, and secure destruction of waste materials containing sensitive data. Logical security covers HSM management, key ceremony procedures, key diversification algorithms, and network segmentation between production and corporate systems. Personnel security includes background checks, security awareness training, and separation-of-duties enforcement. Data handling covers the encryption of personalization data files in transit and at rest, chain-of-custody for finished cards, and audit trail completeness.
Industry Significance
Mobile network operators typically require their SIM suppliers to maintain GSMA SAS accreditation as a contractual condition. Without SAS certification, a personalization bureau cannot receive operator key material and therefore cannot produce SIM cards for that operator. For eSIM ecosystems, SAS-SM accreditation of the SM-DP+ platform is required before operators will entrust their profile packages to the platform. Major accredited facilities include Thales, IDEMIA, Giesecke+Devrient, and Valid -- the same vendors that dominate the global SIM and eSIM manufacturing market.