Does the security auditor have a point?


On a recent flight, I was sat next to a security auditor. He asked “can someone steal keys used to encrypt credit cards from the server memory?” It depends, was my reply. But his question left me wondering. Why hasn’t anyone built a server-side white-box implementation?

Why does it depend?
Like any implementation, some are more secure than others. If the server-side code was using ‘standard cryptographic APIs’ and they were black-box implementations then

Opening the door for a new era of payments


The EU Payment Service Directive (PSD2) aims to enhance consumer security, increase competition and create a single EU-wide market for payments. No doubt this market-disruptive initiative opens the door for innovation. But will PSD2 inadvertently introduce more vulnerabilities for cybercriminals to exploit?

Radical change
Achieving its aims hinges on the banks sharing their customer data with anyone who holds the required license. This third-party access to accounts (XS2A) ensures that banks cannot block the move to a new payment services market.