Product security evaluation services for the payment industry

The payments industry is the backbone of modern commerce, encompassing a vast network of technologies and processes that facilitate secure financial transactions.

From point-of-sale (POS) terminals and mobile payment applications to payment gateways and network infrastructure, the industry relies on a complex ecosystem to ensure the seamless and secure movement of funds.

Given the sensitive nature of financial data, security is paramount. Any vulnerability can lead to devastating consequences, including financial fraud, data breaches, and reputational damage.

Safeguarding the critical ecosystem

Brightsight, a leading security evaluation lab, specializes in safeguarding this critical ecosystem. We provide comprehensive security evaluation services for any product or network that plays a role in the payments industry. Our expertise spans a wide range of technologies, including hardware security modules (HSMs), payment terminals, mobile payment applications, and payment networks.

We understand the unique security challenges faced by the payments industry, including compliance with stringent regulations such as PCI DSS and EMVCo standards.

Our rigorous evaluation process involves in-depth vulnerability analysis, penetration testing, and compliance assessments to identify and mitigate potential security risks.

We don't just tick boxes

Brightsight's evaluations are more than just a checklist; they are a deep dive into the security architecture of your payment systems. We deliver detailed reports based on the scheme requirements, enabling you to strengthen your security posture and build trust with your customers. Our independent, objective assessments provide the assurance you need to navigate the complex landscape of payment security. Moreover, our expert reports that need to be submitted to the relevant schemes and certification bodies, will help you in achieving final certification.

By partnering with Brightsight, you gain access to our extensive expertise and experience in payment security evaluations. We help you review that your payment solutions meet the highest security standards, protecting your business and your customers from evolving threats.

Security evaluations in the payment domain

Brightsight offers security evaluation services for each phase of the development process. Our services are designed to support development so that it can be completed in the shortest possible time frame, as . Evaluations are performed in a structured way and against a schedule the developer can rely on.

Hardware and software security design reviews

At specifically selected milestones along the development process, the implementation is assessed for obvious security concerns. This service can be applied at various stages of the process, from initial design to concrete implementation. Depending on developer preference, the assessment can be performed interactively, remotely or as a combination of these two methods.

Full formal security compliance evaluations

Once developed and considered ready, the final implementation is subjected to a full formal and highly structured evaluation process that allows for planning and facilitates essential implementation revisions with minimal impact on time-to-market. The added value of the Brightsight evaluation process is the educational component that brings the development team to a higher level for future developments.

In addition, Brightsight can support you at any stage of the development process and has a proven concept and track record in helping our customers obtain certifications:

Training
  • PIN Entry Device and terminal security training course
  • CC training course
  • Dedicated subjects: Android, TEE

Design and/or code review
  • Identify possible weaknesses in the security architecture of the payment terminal at an early stage.
  • Perform a predefined set of penetration tests on the hardware part of your product.

CC document review
  • Verify the completeness of CC evidence in terms of content, presentation and readability.
Software-Based Security

Product security evaluation services for Software-Based Security (SBS)

Software-based products cannot always rely on the security provided by the hardware. The running environment is assumed to be untrusted and open to all kinds of attacks. This is why software-based products implement techniques that assess, mitigate, and protect systems from vulnerabilities. These techniques range from local security protection mechanisms to remote cloud-based monitoring systems. They ensure that the software continues to operate securely and remains protected from attacks, even though it has to endure a sometimes hostile and unpredictable environment.

Brightsight has experience with various Software-Based Solutions (SBS) technologies, schemes and products.

Technologies and products

  • TEE

  • Software Protection tools

  • DRM

  • Authentication and access control

  • Virtual Environments

  • QR-code

  • NFC
  • MPA (Mobile payment applications)

  • Tap on Phone Terminals (MasterCard, Visa)

  • PIN on Consumer Device

  • SDK (Software Development Kits)

SBS Standards and recognitions

  • FIDO Alliance

Security evaluation services for payment terminals

Brightsight performs payment terminal evaluations for multiple (banking) schemes:

An international standard in this area. It is required for terminals processing e.g. American Express, Discover, JCB, MasterCard or Visa transactions. The requirements for this certification are the basis of many other banking schemes. Similar products can be evaluated under PCI:
  • POI (Point of Interaction), also known as standard payment terminals
  • EPP (Encrypting PIN Pad)
  • UPT (Unattended Payment Terminal)
  • SCR (Secure Card Reader)
  • SCRP (Secure Card Reader for PIN)
  • HSM (Hardware Security Module)

Other schemes:
  • Common.SECC (CC oriented; Germany and the United Kingdom have harmonized their requirements)
  • GBIC (Germany)

Payment terminals standards and recognitions


Security evaluation services for payment smart cards

Payment smart cards are the cornerstone of secure financial transactions, embedding sophisticated security features within a compact form factor. These cards, used for everything from contactless payments to secure identification, rely on complex hardware and software to protect sensitive financial data. The integrity of these systems is paramount, as any security breach can lead to widespread fraud and erosion of consumer trust.

Brightsight offers security evaluations on consumer card devices. These include contact-card based products such as Common Core Definition (CCD) and Common Payment Application (CPA), as well as security evaluations for Chip & Platform products.

Brightsight, a leading security evaluation lab, specializes in ensuring the robust security of payment smart cards. We provide comprehensive security evaluation services, assessing the hardware and software security of these devices against industry standards and best practices, including EMVCo and GlobalPlatform specifications. We evaluate the payment cards under the requirements of EMVCo (including Visa, Mastercard, JCB, American Express, Discover) or the French payment scheme Cartes Bancaires.

We understand the unique security challenges associated with payment smart cards. These challenges include protecting against physical attacks, logical attacks, and side-channel attacks. Our rigorous evaluation process involves in-depth analysis of the card's hardware architecture, cryptographic implementations, and software security, including penetration testing and vulnerability assessments.

Contact us to discuss your next smart card security project.

Payment cards standards and recognitions

  • PURE payments