[Owasp-appsensor-project] PCISSC and Mobile Payments on Non-Dedicated Devices

Colin Watson colin.watson at owasp.org
Sun Sep 16 20:42:05 UTC 2012

The PCISSC published new guidance for "developers" (device, OS,
application and merchants) on Friday:


Interesting phrases in "Guidelines for the risk and controls in the
supporting environment":

   "ability to monitor events and to distinguish normal from abnormal events"

   "ability to report events (e.g. via a log, message, or signal) including cryptographic key changes, escalation of privileges, invalid login attempts exceeding a threshold, updates to application software or firmware, and similar actions"

   "providing the capability for the device to produce an alarm or warning if there is an attempt to root or jail-break the device"

   "create the ability to remotely disable the payment application"
