Software Based Mobile Payment: Evaluation and certification of SBMP components and solutions

Your SBMP component or solution independently checked

Like everyday life, payment transactions are becoming increasingly digital and mobile. Juniper Research forecasted in 2019 that nearly 2.1 billion consumers worldwide will be using an e-wallet to make a payment or send money. This makes it all the more important that this payment method of tomorrow is also secure against potential threats.

We support manufacturers of SBMP components or solutions, such as TEE, CDCVM, attestation, software protection tools, mobile applications or software development kits (SDKs), with consulting and preparation for certification as well as with the evaluation against the EMVCo SBMP requirements itself.
 

Our services in the area of software based mobile payments

Orientation workshop to discuss specific SBMP requirements and the evaluation/certification process

GAP analysis to classify the actual security level and identify potential vulnerabilities

Assessing security mechanisms such as obfuscation or white-box cryptography implemented by SDKs as elementary building blocks of secure mobile applications

Security evaluation of mobile applications integrating pre-tested components

Testing of conformity with the relevant security guidelines of the payment industry

Analysis of the source code and penetration tests

On-site audit of the development and production sites

Drafting of security assessment reports

CASE STUDY

MeaWallet: Successful security evaluation according to the EMVCo SBMP Evaluation Process


As a company with many years of experience in the payment industry, MeaWallet knows the challenges of the sector quite well. For this reason, the digital payments enabler had its Mea Token Platform Software Development Kit (MTP-SDK) tested by TÜViT against the EMVCo SBMP security standards.
  

Your benefits at a glance

  • Security and robustness of your SBMP component or solution: Your component or solution offers the best possible protection against the loss of money and values.
  • Security as a quality characteristic: Particularly in payment transactions, the security of means of payment and their components is a decisive characteristic for quality. 
  • Increased trust in the market: The objectively proven security of your SBMP component or solution gives your customers more confidence in your solution.
  • Competitive advantage: You can prove that you comply with internationally recognized payment requirements and take into account the recommendations and requirements of the major payment service providers, which sets you apart from competitors with lower security requirements.
  • International recognition: With an evaluation or certification according to EMVCo, you rely on an internationally recognized standard.

Listen now


In our new Short Pod, Eric Behrendt, Global Corporate Development Manager at TÜViT, talks about why developers of software development kits (SDK) and apps for mobile payment should keep IT security in mind and how SDKs can be audited and certified. 
 

Why evaluate and certify your SBMP component or solution to EMVCo standards?

In contrast to traditional chip- and hardware-based secure element solutions, SBMP applications must operate in a more vulnerable consumer device environment. To reduce potential threats, SBMP solutions therefore rely on a multi-layered security approach based on different device and software components. For this particular approach, EMVCo has developed specific standards for evaluating the security of SBMP components and solutions. In this context, an evaluation model for "components" and "integration" makes it possible to evaluate components independently or together in order to validate the security of the overall solution. 

With an evaluation and certification according to the EMVCo standards specifically tailored to SBMP, you prove that your product has implemented certain security measures and protection mechanisms and thus meets the required high level of IT security. This gives you a decisive advantage in the market, because payment service providers are interested in using only secure device and software components when developing their own SBMP solution. As a result, your product stands out from the crowd due to its proven security, which becomes a quality feature.
 

Figure: Schematic Overview of Software Based Mobile Payment

Why we are a strong partner for you

Official accreditation for EMVCo

TÜViT is an accredited test lab for security evaluation for Integrated Circuit (IC), Platform, Integrated Circuit Card (ICC), Full SBMP and Modular Label.

Expertise

With us you have one of the leading experts in the field of cyber security at your side, certified by the BSI as an IT security service provider for IS revision, IS consulting and penetration tests.

Industry experience

Due to many years of experience in different branches of industry we can serve companies from a wide range of industries.

Tailor-made for you

We focus on individual services - and solutions - that optimally fit your current company situation and your set goals.

International network of experts

Around the globe: We consult and support you both nationally and internationally. Our global network of experts is ready to help you in word and deed in all IT security issues.

Independence

Our employees are not subject to any conflicts of interest, as they are not committed to any product suppliers, system integrators, stakeholders, interest groups or government agencies.

Do you have questions? We are pleased to help!

  

Eric Behrendt

Global Corporate Development Manager Asia-Pacific

+49 30 2007700 66
Fax: +49 30 2007700-99

e.behrendt@tuvit.de

Further services

Evaluation Body for IT Security

With its evaluation body for IT security, TÜViT is one of the world's leading providers of testing services for IT products and systems. The evaluation body has been recognized by the German Federal Office for Information Security (BSI) since 1991 and accredited by the DAkkS, the German Accreditation Body, according to DIN EN ISO/IEC 17025.

Common Criteria

Globally-recognized security evaluations for IT components, products and systems: TÜViT is one of the world's leading testing service providers for Common Criteria. With our 50 licensed evaluators, we have successfully completed over 600 evaluation projects according to CC (from EAL1 to EAL6+).

Hardware

Hardware tests for more security: Hardware security modules or chip cards are used for the protection of sensitive data. TÜViT evaluates these IT products and their components in accordance with recognized international security standards and performs the necessary penetration tests in its own hardware test laboratory.

Software

Securing software after the fact is always complicated and expensive. This is why it is important to consider the subject of IT security from the beginning and throughout the entire life cycle within the framework of a Common Criteria (CC) evaluation.

Site Certification

Audit of development and production environments: If IT products are certified in accordance with the Common Criteria IT security standard or EMVCo, audits of development and production environments represent an integral part of the evaluation process. For many years now, TÜViT has been successfully carrying out site audits for production and development environments.

Technical Guidelines of the BSI

Security for government applications and health data: TÜViT is recognized by the German Federal Office for Information Security (BSI) as an evaluation body for Technical Guidelines (TR).

FIPS 140-2

Testing of crypto modules and crypto algorithms: The TÜViT test laboratory is approved by the National Institute of Standards and Technology (NIST, USA) for testing and validation according to FIPS PUB 140-2.

FIDO

The FIDO Alliance has developed open standards especially for authentication solutions, allowing manufacturers to objectively demonstrate the security of their products. As a security laboratory accredited by the FIDO Alliance, TÜViT is entitled to perform corresponding evaluations.