Successful security evaluation according to the EMVCo SBMP Evaluation Process

As a company with many years of experience in the payment industry, MeaWallet knows the challenges of the sector quite well. For this reason, the digital payments enabler had its Mea Token Platform Software Development Kit (MTP-SDK) tested by TÜViT against the EMVCo SBMP security standards.

Scenario

MeaWallet has developed the Mea Token Platform Software Development Kit (MTP-SDK), a new SDK solution for software-based mobile payment. In order to successfully launch and establish their solution on the market and to build trust, the company wanted to objectively prove its security and robustness. Therefore, MeaWallet commissioned TÜViT with a security evaluation according to the EMVCo SBMP evaluation process.

Product tested

With the MTP-SDK, MeaWallet enables the securing of Mobile Payment Applications (MPA) in real world scenarios. It allows MPA developers and vendors who use MeaWallet‘s MTP-SDK to use Cloud Based Payments, including contactless and remote payments.

Challenges

Technical challenge

Mobile Payment Applications (MPA) must ensure secure payment services without the help of dedicated Hardware Security Modules (HSM) or Secure Elements (SE). In this context, they must implement a variety of software defenses to counter the numerous attack paths that a malicious actor could use to hack the MPAs and thus the security of the payment system.

Market access challenge

Payment providers, e.g. credit card companies, require evidence of security of payment solutions in order to protect their brands from damage due to security breaches. As a result, the proof of a payment application‘s security becomes a decisive market entry factor.

Marketing challenge

The payment industry is trust driven, i.e. success can only be achieved if customers trust the payment providers, payment systems and MPAs. Companies are therefore faced with the challenge of communicating and proving the trustworthiness of their products to the outside world.

Solution

A security evaluation according to the EMVCo SBMP Evaluation Process provides the solution to all three of the previously listed challenges. During a security evaluation, the product vendor‘s solution, in this case MeaWallet‘s MTP SDK, is thoroughly reviewed (Documentation Review, Source Code Review) and penetration testing is performed. This ensures that the product provider‘s technical solutions are sufficient and work as expected. Once the security evaluation has been successfully completed, an evaluation report is delivered to EMVCo, who in turn issues a Security Evaluation Certificate. This certificate allows entering the payment market and shows to potential customers that the product is trustworthy.

Benefits

• Objective proof of compliance with SBMP security standards
• Increased trust in the market due to the confirmed security and robustness of the MTP-SDK
• Possibility to cooperate with major payment providers such as VISA and MasterCard as a result of the demonstrated security
• Competitive advantage for MeaWallet by differentiating from other non-evaluated or non-certified competitors
• International recognition of the evaluation and certification, as it is based on the international standard EMVCo
• Increased product visibility by placement in the publicly visible EMVCo Evaluated Products list after a successful evaluation

Results

By performing an EMVCo SBMP Security Evaluation by TÜViT, MeaWallet is able to assure to payment providers, as well as their own customers, a high level of security and maturity regarding their MTP-SDK product. This helps MeaWallet differentiate their products from non-evaluated or non-certified competitors products, and enables them to work with major payment providers such as VISA and MasterCard.

1. What is MeaWallet's MTP-SDK and what does it do?

The Mea Token Platform Software Development Kit (MTP-SDK) is a tool that helps developers secure mobile payment applications (MPAs) for contactless and remote payments.

2. Why did MeaWallet have their MTP-SDK security evaluated?

• To objectively prove the security and robustness of their product.
• To build trust with potential customers and partners in the market.
• To meet market entry requirements set by payment providers.

3. What challenges do MPAs face in terms of security?

• MPAs lack dedicated Hardware Security Modules (HSM) or Secure Elements (SE) for added security.
• They rely on software-based defenses to counter potential hacking attempts.

4. How does an EMVCo SBMP security evaluation address these challenges?

• The evaluation thoroughly reviews the MTP-SDK's documentation, source code, and performs penetration testing.
• This ensures the product's technical solutions are secure and function as intended.
• Upon successful completion, MeaWallet receives a certificate demonstrating the MTP-SDK's security.

5. What benefits does this security evaluation offer MeaWallet?

• Objective proof: Provides evidence that the MTP-SDK meets industry security standards.
• Increased trust: Builds trust with payment providers and potential customers.
• Market access: Allows cooperation with major payment providers like Visa and Mastercard.

6. Who benefits from MeaWallet's MTP-SDK security evaluation?

• MPA developers: Can leverage a secure solution for their mobile payment applications.
• Payment providers: Can confidently partner with MeaWallet based on the MTP-SDK's proven security.
• End users: Can trust that their mobile payments are protected by a secure platform.