Product security evaluation services for the payment industry

The payments industry is the backbone of modern commerce, encompassing a vast network of technologies and processes that facilitate secure financial transactions. From point-of-sale (POS) terminals and mobile payment applications to payment gateways and network infrastructure, the industry relies on a complex ecosystem to ensure the seamless and secure movement of funds. Given the sensitive nature of financial data, security is paramount. Any vulnerability can lead to devastating consequences, including financial fraud, data breaches, and reputational damage.

Safeguarding the critical ecosystem

Brightsight specializes in safeguarding this critical ecosystem. We provide comprehensive security evaluation services for any product or network that plays a role in the payments industry. Our expertise spans a wide range of technologies, including hardware security modules (HSMs), payment terminals, mobile payment applications, and payment networks.

We don't just tick boxes

Brightsight's evaluations are more than a checklist; they are a deep dive into the security architecture of your payment systems. We deliver detailed reports based on the scheme requirements, enabling you to strengthen your security posture and build trust with your customers. Our independent, objective assessments provide the assurance you need to navigate the complex landscape of payment security. Moreover, our expert reports, which are submitted to the relevant schemes and certification bodies, help you achieve final certification.

By partnering with Brightsight, you gain access to our extensive expertise and experience in payment security evaluations. We help you verify that your payment solutions meet the highest security standards, protecting your business and your customers from evolving threats.

Security evaluations services

Brightsight offers security evaluation services for each phase of the development process. Our services aim to provide support so that development can be completed in the shortest possible time frame. Evaluations are performed in a structured way and to a schedule the developer can rely on. Our evaluation process consists of an evidence check, a compliance assessment, in-depth vulnerability analysis and (penetration) testing, to identify and mitigate potential security risks.

Hardware and software security design review

At specifically selected milestones along the development process, the implementation is assessed for obvious security concerns. This service can be applied at various stages of the process, from initial design to concrete implementation. Depending on developer preference, the assessment can be performed interactively, remotely or as a combination of these two methods.

Full security evaluation

Once developed and considered ready, the final implementation is subjected to a full formal and highly structured evaluation process that allows for planning and facilitates essential implementation revisions with minimal impact on time-to-market. The added value of the Brightsight evaluation process is the educational component that brings the development team to a higher level for future developments.

Training

Standard or custom-made per scheme, product or industry. Examples:
  • PCI PTS
  • PCI MPoC
  • Android, iOS

Advisory developer support

Evaluation-oriented. Examples:
  • Development cycle support
  • Pre-assessment
  • Design review
  • Gap analysis

Pre-evaluation

Preparation for formal evaluation. Examples:
  • HW/SW pre-evaluation
  • Readiness validation
  • Documentation analysis

Evaluation

Assessment of security compliance. Examples:
  • Full evaluation
  • Delta evaluation
  • Renewal or maintenance
  • Annual checkpoint
  • Site audit

Software-Based Security

Software-based products cannot always rely on the security provided by the hardware. The running environment is assumed to be untrusted and open to all kinds of attacks. This is why software-based products implement techniques that assess, mitigate, and protect the system against vulnerabilities. These techniques range from local security protection mechanisms to remote cloud-based monitoring systems. They ensure that the software continues to operate securely, safe from attacks, in an environment that is sometimes hostile and unpredictable.

SBS Standards and recognitions

  • FIDO Alliance
Payment terminals

Brightsight performs evaluations for multiple payment standards, schemes and products:

  • standards such as PCI PTS POI, PCI MPoC and PCI 3DS SDK;
  • schemes such as Common.SECC (Germany and the United Kingdom) and GBIC (Germany);
  • products such as payment terminals, secure card readers (SCR), secure card readers for PIN (SCRP) and hardware security modules (HSM).

Payment terminals standards and recognitions

Payment smart cards

Payment smart cards are the cornerstone of secure financial transactions, embedding sophisticated security features within a compact form factor. These cards, used for everything from contactless payments to secure identification, rely on complex hardware and software to protect sensitive financial data. The integrity of these systems is paramount, as any security breach can lead to widespread fraud and erosion of consumer trust. 

Brightsight offers security evaluations of consumer card devices. These include contact-card based products such as Common Core Definition (CCD) and Common Payment Application (CPA) products, as well as security evaluations of Chip & Platform products.

Brightsight specializes in ensuring the robust security of payment smart cards. We provide comprehensive security evaluation services, assessing the hardware and software security of these devices against industry standards and best practices, including EMVCo and GlobalPlatform specifications. We evaluate payment cards against the requirements of EMVCo (including Visa, Mastercard, JCB, American Express and Discover) or of the French payment scheme Cartes Bancaires.

We understand the unique security challenges associated with payment smart cards. These challenges include protecting against physical attacks, logical attacks, and side-channel attacks. Our rigorous evaluation process involves in-depth analysis of the card's hardware architecture, cryptographic implementations, and software security, including penetration testing and vulnerability assessments.

Contact us to discuss your next smart card security project.

Payment cards standards and recognitions

  • PURE