[Owasp-appsensor-project] PCISSC and Mobile Payments on Non-Dedicated Devices

Colin Watson colin.watson at owasp.org
Sun Sep 16 20:42:05 UTC 2012


The PCISSC published new guidance for "developers" (device, OS,
application and merchants) on Friday:

   https://www.pcisecuritystandards.org/documents/Mobile%20Payment%20Security%20Guidelines%20v1%200.pdf

Interesting phrases in "Guidelines for the risk and controls in the
supporting environment":

   "ability to monitor events and to distinguish normal from abnormal events"

   "ability to report events (e.g. via a log, message, or signal) including
   cryptographic key changes, escalation of privileges, invalid login attempts
   exceeding a threshold, updates to application software or firmware, and
   similar actions"

   "providing the capability for the device to produce an alarm or warning if
   there is an attempt to root or jail-break the device"

   "create the ability to remotely disable the payment application"

Colin
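The phrases quoted above map closely onto the AppSensor idea of detection points with thresholds and a response. The following is an added illustration, not code from the PCI guidance or from the AppSensor project: a small event monitor that reports the "always report" events (key changes, privilege escalation, software/firmware updates, root or jailbreak attempts) immediately, reports invalid logins only once they exceed a count within a time window, and exposes a separate remote-disable switch for the payment function. Event names, the threshold of 5 attempts in 300 seconds, and the subjects ("acct-1", "terminal-7") are assumptions chosen for the example.

```python
"""Threshold-based security event monitor (constructed example).

Event names, thresholds and subjects below are assumptions for illustration;
they are not taken from the PCI document or from AppSensor itself.
"""
import json
import logging
from collections import defaultdict, deque

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("event-monitor")

# Events the guidance wants reported every time they occur (no threshold).
ALWAYS_REPORT = {
    "key_change",
    "privilege_escalation",
    "software_update",
    "root_or_jailbreak",
}

# Events that are only abnormal once they exceed a count inside a window:
# event name -> (max allowed count, window length in seconds). Assumed values.
THRESHOLDS = {"invalid_login": (5, 300)}


class EventMonitor:
    def __init__(self, thresholds=THRESHOLDS, always_report=ALWAYS_REPORT):
        self.thresholds = thresholds
        self.always_report = always_report
        # (event, subject) -> timestamps of recent occurrences, oldest first
        self._history = defaultdict(deque)
        self.disabled = False
        self.alarms = []

    def record(self, event, subject, ts):
        """Record one event for `subject` at time `ts` (seconds).

        Returns an alarm dict when the event is abnormal, otherwise None.
        """
        if event in self.always_report:
            return self._alarm(event, subject, ts, count=1)
        if event in self.thresholds:
            limit, window = self.thresholds[event]
            recent = self._history[(event, subject)]
            recent.append(ts)
            # Drop occurrences that have aged out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) > limit:
                return self._alarm(event, subject, ts, count=len(recent))
        return None

    def _alarm(self, event, subject, ts, count):
        # "Report events via a log, message, or signal": here a JSON log line.
        alarm = {"event": event, "subject": subject, "ts": ts, "count": count}
        self.alarms.append(alarm)
        log.warning(json.dumps(alarm))
        return alarm

    def remote_disable(self, reason):
        """Operator-triggered kill switch for the payment application."""
        self.disabled = True
        log.warning(json.dumps({"event": "payment_disabled", "reason": reason}))

    def payment_allowed(self):
        return not self.disabled


if __name__ == "__main__":
    m = EventMonitor()
    for t in (0, 10, 20, 30, 40, 50):          # sixth attempt crosses the limit
        m.record("invalid_login", "acct-1", t)
    m.record("key_change", "terminal-7", 60)    # reported on first occurrence
    m.record("root_or_jailbreak", "terminal-7", 70)
    m.remote_disable(reason="operator decision after root alarm")
    print("payment allowed:", m.payment_allowed())
```

Alarms are returned as well as logged so that a caller (or a test) can act on them; the root/jailbreak alarm and the remote disable are deliberately kept as two separate steps, since the guidance lists them as distinct capabilities.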

