Delft, 22 November 2018: We are pleased to announce that Brightsight has been recognised by EMVCo as a Full Software-Based Mobile Payments (SBMP) evaluation lab. Payment markets, retailers and consumers are demanding new ways to make EMV-based purchases using mobile consumer devices. The number of payment solutions leveraging these devices is increasing. In order to address these changes, the payment industry is developing a trust model that relies not only on the use of Secure Elements, but also on software-based technologies. This is why, in an effort to provide an efficient and flexible offering for product developers and promote a robust and consistent security foundation for SBMP products, EMVCo has recently established a Security Evaluation process for software-based mobile payments that consolidates existing processes and industry best practices. Brightsight is recognised to do hardware and software evaluations for SBMP. We have also been recognised by EMVCo to perform evaluations on ICs, Platforms and ICCs. Software security evaluation is primarily concerned with products whose security is implemented by software means only. These kinds of products are executed on untrusted platforms and cannot rely on security features of the underlying hardware or operating system. Some examples of software-only products are Mobile applications, HCE and Virtual TEE. Software-only security evaluations focus on assessing the resistance of pure software security countermeasures such as obfuscation, antitampering and white-box cryptography. In contrast, SBMP hardware security evaluation focuses on products to which certain hardware characteristics are relevant. Some examples of products that can undergo EMVCo hardware security evaluations are Trusted Execution Environments and CD-CVM solutions. Although the security of these kinds of products depends largely on software countermeasures, it also depends on the proper use of hardware security features. Some examples of hardware functionalities evaluated during this type of security evaluation are boot of trust, secure clock and hardware-provided isolation (MMUs, TrustZone). Dirk-Jan Out, CEO at Brightsight, says: “We are very happy to be able to perform another type of evaluation for EMVCo. This recognition shows their trust in our services. We will continue to expand our portfolio to support our customers in obtaining the approvals they need.” Brightsight has several years of experience in conducting SBMP evaluations on various products.
If you are interested in more information, please feel free to get in touch: email@example.com