Compliance & certifications
Standards, regulatory requirements, and platform certifications across credential providers and wallet platforms.
7 standards · 12 certified · 6 unknown
Legend: ✓✓ Certified · ✓ Compliant · ~ Partial · … In Progress · ? Unknown · — N/A
| Standard | Apple | Wavelynx | HID | LEGIC | AE | |
|---|---|---|---|---|---|---|
| **Apple WAP** Apple Wallet Access Program | — | | | | | |
| **Google Smart Tap** Google Smart Tap 2.x Certification | — | | | | | |
| **OSS-SO** Open Security Standards — Standard Offline (OSS-SO) | — | | | | | |
| **ISO 18013-5** ISO/IEC 18013-5: Mobile Driving Licence (mDL) | — | | | | | |
| **NIST SP 800-63** NIST SP 800-63: Digital Identity Guidelines | — | | | | | |
| **GDPR** General Data Protection Regulation (EU 2016/679) | | | | | | |
| **ISO 27001** ISO/IEC 27001: Information Security Management | — | | | | | |

Apple WAP — Apple Wallet Access Program
Apple's Wallet Access Program (WAP) governs which credential providers (CPs) and reader manufacturers can issue and accept Apple Wallet credentials. CPs must be approved by Apple before they can issue credentials. Readers must support ECP 2.x (Enhanced Contactless Polling) to work with Express Mode. This is a contractual and technical certification, not a third-party audit program.
Google Smart Tap — Google Smart Tap 2.x Certification
Google Smart Tap is Google's NFC protocol for reading Corporate Badge credentials from Google Wallet. Reader manufacturers must obtain a Collector ID from Google — a cryptographic credential provisioned into the reader that authenticates the reader to the cardholder's device before credential data is released. Without Smart Tap certification, a reader cannot receive credential data from a Google Wallet device.
OSS-SO — Open Security Standards — Standard Offline (OSS-SO)
OSS-SO (Open Security Standards — Standard Offline) is an interoperability standard for offline access control credentials, widely used in EU enterprise deployments. It defines how credentials are encoded and presented to offline locks that don't have continuous network connectivity. Relevant for EU customers with mixed card/mobile environments or offline lock infrastructure. LEGIC Connect supports payloads formatted per the latest OSS-SO Wallet extension. OSS-SO Parts II and III support is an open question. HID and Wavelynx OSS-SO status is currently unknown.
ISO 18013-5 — ISO/IEC 18013-5: Mobile Driving Licence (mDL)
ISO 18013-5 defines the mDL (mobile Driving Licence) standard: a cryptographically verified identity document stored on a mobile device. While primarily a DMV/government identity standard, it is increasingly relevant for enterprise access control as organizations consider accepting mDLs as identity proofs at onboarding. Apple Wallet supports mDL storage and presentation in supported US states. Corporate badge credentials (the primary AE use case) are a separate credential type and are not mDL.
NIST SP 800-63 — NIST SP 800-63: Digital Identity Guidelines
NIST SP 800-63 defines identity assurance levels (IAL), authenticator assurance levels (AAL), and federation assurance levels (FAL) for digital identity systems. Mobile wallet credentials can serve as AAL2 authenticators (something you have + device unlock PIN/biometric). Relevant for US federal customers and contractors subject to FICAM requirements. The specific assurance level achieved depends on the full provisioning and verification chain, not just the credential format.
GDPR — General Data Protection Regulation (EU 2016/679)
GDPR governs how personal data of EU residents is collected, stored, and processed. Mobile credential deployments touch PII at multiple points: cardholder name, email, photo, and device identifiers. Key GDPR obligations include data minimisation, right to erasure, and processor agreements with all sub-processors (including CP vendors). All three CPs (Wavelynx, HID, LEGIC) must execute DPAs when serving EU customers. AE acts as a data processor; the customer is the data controller.
ISO 27001 — ISO/IEC 27001: Information Security Management
ISO 27001 is the international standard for information security management systems (ISMS). Certification demonstrates that an organization has systematically assessed security risks and implemented controls. Relevant for enterprise procurement and vendor due diligence. Certification status for the CP vendors varies.