Product Security Evaluation Services for Payment

In addition to the generally accepted contact and magnetic stripe-based banking cards, other technologies are becoming available for our everyday purchases. Hardware to support contactless payments is being rolled out widely and paving the way to using our smart mobile devices for electronic payments.

Solutions using smart mobile devices are not built with the physical security provisions that we tend to see in traditional payment cards. This is compensated for by a different approach to risk management; for example, online monitoring is possible, and prime assets are not stored or processed in the physically less protected hardware. Host Card Emulation (HCE) relies heavily on tokenization, where the systems work with credentials that have limited value for criminals.

The introduction of these new technologies has an effect on the security requirements and risk models appropriate in the domains of mobile payment, payment terminals and payment cards. SGS Brightsight offers security evaluation services of global payment solutions to help you mitigate risk and increase transaction trust. 

Security evaluations in the payment domain

SGS Brightsight offers security evaluation services for each phase of the development process. Our services aim to support development in the shortest possible time frames, as time-to-market is extremely important in the payment market. Evaluations are performed in a structured way and on a schedule the developer can rely on.

Hardware and software security design reviews
At specifically selected milestones along the development process, the implementation is assessed for obvious security concerns. This service can be applied at various stages of the process, from initial design to concrete implementation. Depending on developer preference, the assessment can be performed interactively, remotely or as a combination of these two methods.

Full formal security compliance evaluations 
Once developed and considered ready, the final implementation is subjected to a full formal and highly structured evaluation process that allows for planning and facilitates essential implementation revisions with minimal impact on time-to-market. The added value of the SGS Brightsight evaluation process is the educational component that brings the development team to a higher level for future developments.

In addition, SGS Brightsight can support you at any stage of the development process and has a proven concept and track record in helping our customers get certifications:

  • Customised training
    • PIN Entry Device and terminal security training course
    • CC training course
    • Dedicated subjects: Android, TEE
  • Pre-evaluation
    • Design and/or code review
    • Identify possible weaknesses in the security architecture of the payment terminal at an early stage.
  • Pre-testing
    • Perform a predefined set of penetration tests on the hardware part of your product.
    • CC document review
    • Verify the completeness in terms of content, presentation and readability of CC evidence.
