Regulated Payments & Embedded Security
Securing Payments and Embedded Systems in Regulated Environments
From PCI-MPoC certification to embedded OS hardening — security architecture that passes audit
The Landscape
Payment systems and embedded platforms operate under the strictest compliance regimes in technology. A mobile payment app must satisfy PCI-MPoC, EMV, and Visa security requirements simultaneously. A network router must meet FIPS 140-3 and Common Criteria. A central bank digital currency must address sovereign-grade threat models.
These are not checkbox exercises. They require security architecture that is designed for certification from day one — and an architect who has been through the certification process.
I have designed, built, and certified systems across all three domains.
Core Services
Mobile Payment Security Architecture
- PCI-MPoC compliant payment acceptance design
- EMV contactless and QR code payment integration
- Digital wallet security architecture
- Mobile threat defense SDK design and implementation
- Certification documentation and security lab coordination (Riscure, UL)
Central Bank Digital Currency (CBDC)
- Mobile endpoint security architecture for digital currency
- Non-custodial wallet design and implementation
- Threat modeling for sovereign digital currency infrastructure (STRIDE, FAIR)
- Offline payment capability security analysis
- Mobile platform security principles and risk assessment
Embedded Systems Security
- Router and network equipment OS hardening
- Address Space Layout Randomization (ASLR) enablement across embedded platforms
- Cryptographic library migration (OpenSSL 3.x) on embedded Linux (Yocto)
- FIPS 140-3 mode configuration for embedded cryptographic modules
- Secure boot and firmware integrity architecture
- Linux kernel security module design
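Enabling ASLR "across all executables" on an embedded image is only complete once every executable in the rootfs is linked as PIE and none ships with an executable stack; the check below is an added example of how that is verified at build time, written for this page and not tooling from the page's author or from any product named here. It parses only the ELF header and program headers (no dependency on readelf), classifies each file as PIE executable, non-PIE executable or shared object, and reports the PT_GNU_STACK flags. The rootfs path, the sample file names and the minimal ELF images are constructed for the demo.

```python
"""Audit ELF files in an embedded rootfs for ASLR readiness (added example).
A binary gets full ASLR only if it is PIE (ET_DYN with a PT_INTERP); an ET_EXEC
binary is mapped at a fixed address. PT_GNU_STACK flags are reported as well."""
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import Iterator, Optional

ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_GNU_STACK = 3, 0x6474E551
PF_X = 0x1


@dataclass
class ElfReport:
    path: str
    e_type: int
    has_interp: bool
    stack: str  # "exec", "noexec" or "absent" (no PT_GNU_STACK header at all)

    @property
    def classification(self) -> str:
        if self.e_type == ET_EXEC:
            return "non-PIE executable"
        if self.e_type == ET_DYN:
            return "PIE executable" if self.has_interp else "shared object"
        return "other"


def parse_elf(data: bytes, path: str = "<mem>") -> Optional[ElfReport]:
    """Parse the ELF header and program headers only; returns None for non-ELF input."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]  # 1/2 = ELF32/ELF64, 1/2 = little/big endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    en = "<" if ei_data == 1 else ">"
    e_type = struct.unpack_from(en + "H", data, 16)[0]
    if ei_class == 2:
        e_phoff = struct.unpack_from(en + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 54)
        flags_off = 4   # p_flags directly follows p_type in Elf64_Phdr
    else:
        e_phoff = struct.unpack_from(en + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 42)
        flags_off = 24  # p_flags sits near the end of Elf32_Phdr
    has_interp, stack = False, "absent"
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(data):
            break  # truncated program header table: report what was readable
        p_type = struct.unpack_from(en + "I", data, off)[0]
        p_flags = struct.unpack_from(en + "I", data, off + flags_off)[0]
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_GNU_STACK:
            stack = "exec" if p_flags & PF_X else "noexec"
    return ElfReport(path, e_type, has_interp, stack)


def audit_tree(root: str) -> Iterator[ElfReport]:
    """Walk an unpacked rootfs (hypothetical path, e.g. a mounted Yocto image) and report every ELF file."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            with open(p, "rb") as fh:
                rep = parse_elf(fh.read(), os.path.relpath(p, root))
            if rep is not None:
                yield rep


def findings(reports) -> list:
    """Hardening regressions a build should fail on."""
    out = []
    for r in reports:
        if r.classification == "non-PIE executable":
            out.append(f"{r.path}: not PIE (ET_EXEC), loaded at a fixed address")
        if r.stack == "exec":
            out.append(f"{r.path}: executable stack (PT_GNU_STACK has PF_X)")
    return sorted(out)


def build_elf64(e_type: int, phdrs: list) -> bytes:
    """Constructed minimal AArch64 ELF64-LE image (header + program headers only) for the demo."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0xB7, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)


# Constructed sample rootfs contents; the paths are illustrative, not from any real product.
SAMPLES = {
    "usr/sbin/legacyd": build_elf64(ET_EXEC, [(PT_INTERP, 4), (PT_GNU_STACK, 6)]),  # non-PIE
    "usr/bin/cli": build_elf64(ET_DYN, [(PT_INTERP, 4), (PT_GNU_STACK, 6)]),        # PIE, RW stack
    "usr/lib/libold.so": build_elf64(ET_DYN, [(PT_GNU_STACK, 7)]),                  # .so, RWX stack
    "etc/motd": b"not an ELF file\n",
}


def audit_samples() -> list:
    """Write SAMPLES into a temp dir and run the same audit a CI job would run on a real image."""
    with tempfile.TemporaryDirectory() as root:
        for rel, blob in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(blob)
        return findings(audit_tree(root))


if __name__ == "__main__":
    for line in audit_samples():
        print(line)
```

Two caveats when running this on a real image: a static-PIE binary has no PT_INTERP and is reported here as a shared object, so static-PIE executables need a separate rule (for example checking for DT_FLAGS_1 with DF_1_PIE in the dynamic section); and a missing PT_GNU_STACK header is reported as "absent" rather than assumed safe, because the kernel's fallback for that case is architecture dependent.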
Open Banking & API Security
- Secure API architecture (OAuth 2.0, OIDC)
- Third-party provider integration security
- Consent management and transaction monitoring
- Financial data protection and regulatory compliance
Relevant Experience
Ciena — Embedded Security Engineering (2025–Present)
Hardened the security posture of Ciena’s router operating system. Enabled full ASLR across all embedded OS executables. Led OpenSSL 3.5.0 migration including FIPS mode configuration and approved entropy source integration. Supported FIPS 140-3 and Common Criteria certification processes.
Bank of Canada — CBDC Mobile Security Architect (2022–2025)
Architected mobile endpoint security for the Canadian Central Bank Digital Currency initiative. Defined mobile platform security principles, led system-level threat modeling, and implemented a non-custodial digital currency wallet proof of concept. Evaluated and benchmarked mobile threat defense products for sovereign-grade deployment.
Amadis — PCI-MPoC Payment Platform (2019–2022)
Designed and led implementation of a PCI-MPoC certified mobile payment acceptance platform. Built a mobile threat defense system, implemented white-box cryptographic controls, and managed the full certification lifecycle with security laboratories. Provided presales architecture support for enterprise deployment.
Irdeto — IoT & DRM Security (2011–2019)
Designed a Linux Security Module (LSM) for kernel-level IoT threat monitoring and security posture assessment. Maintained obfuscated software secure elements for Set-Top Box conditional access systems. Built multithreaded DRM notification subsystems for mobile platforms.
Schlumberger — Payment Terminal Architecture (1997–1998)
Designed the payment stack for point-of-sale terminals, including backend server integration — foundational payment systems engineering.
Compliance & Standards Expertise
| Domain | Standards & Frameworks |
|---|---|
| Payment | PCI-MPoC, PCI-DSS, EMV, Visa Security, ISO 20022, FIDO |
| Certification | FIPS 140-3, Common Criteria |
| Mobile | OWASP MASVS, Android NDK/SDK, iOS platform security |
| Embedded | Yocto/Linux, secure boot, ASLR, kernel hardening |
| Threat Modeling | STRIDE, FAIR, MITRE ATT&CK |
| Cryptography | OpenSSL, MbedTLS, WolfSSL, HSM/TPM, PKI/X.509, white-box |
Engagement Models
- Payment security architecture — design or review for PCI-MPoC, EMV, or CBDC systems
- Embedded security assessment — hardening review for Linux-based embedded platforms
- Certification support — documentation, lab coordination, and technical Q&A for FIPS / CC / PCI
- Threat modeling — structured analysis of payment or embedded system attack surfaces
- Technical advisory — ongoing guidance during design, implementation, or certification
Contact me to discuss your payment or embedded security architecture needs.