Beyond Common Criteria: SESIP, PSA, ESA, EMVCo, and MIFARE

Common Criteria is the most widely recognised security certification framework, but it is not the only one. Several adjacent or sector-specific schemes operate in parallel, particularly in IoT, payment, and chip-platform contexts. NenkinTracker monitors five of these alongside its CC coverage. This entry summarises each one, what it certifies, who runs it, and how it relates to the CC ecosystem.

Summary: SESIP, PSA Certified, ESA, EMVCo, and MIFARE are non-CC certification schemes covering IoT platforms, Arm-based devices, Chinese-market security ICs, payment terminals, and NXP smart card platforms. Some borrow CC methodology; others are independent.

Why the non-CC schemes matter

Common Criteria’s strengths (high-assurance, internationally recognised, formal methodology) are also its constraints. CC evaluations are expensive and slow, which makes them a poor fit for high-volume, fast-moving product categories like IoT sensors or microcontroller platforms. The schemes below filled that gap, in different ways:

  • SESIP is a CC-derived methodology adapted for IoT-scale economics
  • PSA Certified is a vendor-driven scheme aimed at Arm-based device platforms
  • ESA is a Chinese-domestic scheme for security ICs
  • EMVCo is the payment industry’s own certification regime
  • MIFARE certifications come from NXP’s smart card platform program

SESIP (Security Evaluation Standard for IoT Platforms)

What it is: A standardised evaluation methodology for IoT platform components such as microcontrollers, secure elements, and trusted execution environments. SESIP defines five assurance levels (SESIP1 through SESIP5), with SESIP3 broadly comparable to CC’s AVA_VAN.3 and SESIP5 to AVA_VAN.5.

Who runs it: Published by GlobalPlatform; evaluations are performed by accredited security labs, many of which also operate as CC evaluation facilities.

What it certifies: Connected-device platforms and components, with a focus on reusability: a SESIP-certified IoT platform can be re-used as the assurance basis for a higher-level product certification (SESIP-to-EUCC composition, for example).

Catalog scale: As of May 2026, NenkinTracker indexes 91 SESIP certifications covering 84 products from 30 distinct vendors.

Relation to CC: Methodologically derivative of CC, with simplified evaluator workload to support IoT economics. The European Union has formally recognised SESIP within the EUCC framework as a basis for certain composition scenarios.

PSA Certified

What it is: A platform-security certification programme for connected devices, particularly those built on Arm-based silicon. PSA Certified defines three levels: Level 1 (questionnaire-based, vendor self-assertion), Level 2 (lab-evaluated, time-boxed penetration testing), and Level 3 (lab-evaluated, more extensive resistance to substantial attack potential).

Who runs it: Founded by Arm and a consortium of partners; administered by PSA JSA Limited (a joint security agency formed by Arm and several industry participants). Evaluations at Levels 2 and 3 are conducted by approved labs.

What it certifies: Hardware roots of trust, secure microcontroller platforms, and the firmware components that bind them. PSA certifications often appear on chip and module products that simultaneously hold a CC, EUCC, or SESIP certification.

Catalog scale: 267 certifications across 260 products and 112 vendors. This is the largest non-CC scheme NenkinTracker tracks.

Relation to CC: PSA’s threat model and evaluation framework are independent of CC’s, but in practice many products certified under PSA also pursue CC or EUCC certification at the platform level. The schemes are complementary rather than competing.

ESA

What it is: A Chinese certification scheme for security integrated circuits. Evaluations cover secure elements, smart card ICs, and related components, with assurance language broadly mapped to CC SAR families.

Who runs it: Operated within China’s national cybersecurity certification framework. Most certificate holders are Chinese semiconductor vendors.

What it certifies: Domestic secure ICs from vendors such as Eastcompeace, Beijing Huahong, CEC Huada, and Megahunt. Many of the same vendors also pursue CCRA certifications; ESA serves the domestic Chinese market specifically.

Catalog scale: 58 certifications across 48 products and 13 vendors.

Relation to CC: Methodologically related to CC SARs but not part of CCRA mutual recognition. Procurement teams sourcing security components from Chinese vendors will encounter ESA certificates regularly.

EMVCo

What it is: The certification regime operated by EMVCo, the consortium that owns the EMV payment specifications. EMVCo certifications fall into two broad categories: functional (does the product implement the EMV protocols correctly?) and security (does it resist relevant attacks at the chip and terminal level?).

Who runs it: EMVCo is jointly owned by American Express, Discover, JCB, Mastercard, UnionPay, and Visa.

What it certifies: Payment cards (chip and contactless), payment terminals, mobile payment SDKs, and related components. Security evaluations rely on accredited laboratories and a documented attack methodology specific to the payment domain.

Catalog scale: NenkinTracker monitors EMVCo’s certificate registry but, as of May 2026, has zero indexed entries. The collector is in place; the data has not yet been ingested.

Relation to CC: Distinct framework with its own attack methodology, but the same underlying secure elements often hold CC certifications as well. A payment card might be issued under EMVCo (as a finished product) while its underlying chip holds a CCRA EAL5+ certification.

MIFARE

What it is: Certifications associated with NXP’s MIFARE smart card platform family. MIFARE is itself a product line (cards, tags, readers); the certifications cover specific products and platform variants under various assurance regimes.

Who issues them: NXP and the labs evaluating MIFARE-based products.

What it certifies: MIFARE Classic, MIFARE DESFire, MIFARE Plus, and MIFARE Ultralight family products, along with related chips deployed in transit, access control, and identification applications.

Catalog scale: 111 certifications across 97 products from 6 distinct vendors.

Relation to CC: Many MIFARE products also hold CC certifications. The MIFARE designation is more of a product-platform identifier than a parallel certification scheme; it is included in NenkinTracker’s coverage because the MIFARE line is operationally significant in real procurement decisions.

How these schemes interact with CC

A single secure-element product can carry multiple certifications: a CCRA EAL5+ for the chip, a SESIP certification for the platform built on top, a PSA Level 3 for the platform’s role in an Arm device, and an EMVCo security certification if it ships in a payment card. These are layered, not competing.

For procurement and compliance teams, the practical implication is that CC alone is rarely a complete picture. Knowing which non-CC schemes also certify a given product class lets you ask sharper questions about what assurance you actually have.

Tracking the full landscape

NenkinTracker indexes all five schemes alongside CCRA and EUCC, presenting them in a unified product and vendor view. Where the same physical product holds certifications under multiple schemes, the catalogue links them via shared product or vendor records.
