Mobile Payment and Embedded Platform Security
Application security, mobile threat defense, cryptography, and platform hardening for systems that carry financial or operational risk
The Landscape
Payment systems, mobile wallets, and embedded platforms operate where application security, cryptography, device assumptions, and certification expectations meet. A mobile payment app may need PCI-MPoC, EMV, and Visa security requirements. A network router may need FIPS 140-3 and Common Criteria. A central bank digital currency wallet must protect cryptographic assets and transaction flows on user-controlled devices.
These are not checkbox exercises. They require implementation-aware security architecture, mobile threat modeling, runtime protection, cryptographic key-management design, and evidence that can withstand lab or stakeholder review.
I have designed, implemented, hardened, and supported certification work across these domains.
Core Services
Mobile Payment Security Architecture
- PCI-MPoC-compliant payment acceptance design
- EMV contactless and QR code payment integration
- Digital wallet security architecture
- Mobile threat defense SDK design and implementation
- Runtime application self-protection and application hardening
- Certification documentation and security lab coordination (Riscure, UL)
Central Bank Digital Currency (CBDC)
- Mobile endpoint security architecture for digital currency
- Non-custodial wallet design and implementation
- Threat modeling for sovereign digital currency infrastructure (STRIDE, FAIR)
- Offline payment capability security analysis
- Mobile platform security principles, cryptographic key management, secure storage, and transaction signing
Embedded Systems Security
- Router and network equipment OS hardening
- Address Space Layout Randomization (ASLR) enablement across embedded platforms
- Cryptographic library migration (OpenSSL 3.x) on embedded Linux (Yocto)
- FIPS 140-3 mode configuration for embedded cryptographic modules
- Secure boot and firmware integrity architecture
- Linux kernel security module design
- TLS, X.509, and certificate-validation hardening
Open Banking & API Security
- Secure API architecture (OAuth 2.0, OIDC)
- Third-party provider integration security
- Consent management and transaction monitoring
- Financial data protection and regulatory compliance
When to Engage
Payment and embedded security architecture should be reviewed before design decisions become expensive to unwind:
- A mobile payment, wallet, CBDC, or open-banking product is heading toward certification or regulatory review
- A Linux-based embedded platform needs hardening, FIPS mode configuration, secure boot, or cryptographic migration
- Security controls must account for hostile endpoints, reverse engineering, compromised devices, or adversarial customers
- Product teams need certification-ready documentation, threat models, and implementation guidance
Relevant Experience
Ciena — Embedded Security Engineering (2025–Present)
Hardened the security posture of Ciena’s router operating system. Enabled full ASLR across router OS executables. Led OpenSSL 3.5 migration and strengthened the TLS/X.509 and cryptographic stack by fixing defects, removing weak algorithms, enforcing modern cipher suites, and improving certificate validation. Supported FIPS 140-3 and Common Criteria work through code review, gap assessment, evaluator Q&A, compliance testing, and remediation.
Bank of Canada — CBDC Mobile Security Architect (2022–2024)
Assessed mobile platform security for the Canadian Central Bank Digital Currency initiative. Defined mobile security and cryptographic key-management principles, contributed to system-level threat modeling and risk assessment, and implemented a non-custodial digital currency wallet proof of concept with secure storage, transaction signing, application hardening, and runtime security posture monitoring. Evaluated mobile threat defense products.
Amadis — PCI-MPoC Payment Platform (2019–2022)
Architected and led implementation of secure mobile payment acceptance systems. Built mobile threat defense for payment apps, integrating white-box cryptography and runtime application self-protection. Led PCI-MPoC certification work with Riscure and UL labs, including documentation, code reviews, gap assessments, evaluator Q&A, compliance testing, and remediation.
Irdeto — IoT & DRM Security (2011–2019)
Designed a Linux Security Module for kernel-level IoT monitoring and security posture assessment. Maintained obfuscated software secure elements for set-top box conditional access systems. Built mobile DRM components and supported HSM-backed key management used for set-top box provisioning.
Compliance & Standards Expertise
| Domain | Standards & Frameworks |
|---|---|
| Payment | PCI-MPoC, PCI-DSS, EMV, Visa Security, ISO 20022, FIDO |
| Certification | FIPS 140-3, Common Criteria |
| Mobile | OWASP MASVS, Android NDK/SDK, iOS platform security |
| Embedded | Yocto/Linux, secure boot, ASLR, kernel hardening |
| Threat Modeling | STRIDE, FAIR, MITRE ATT&CK |
| Cryptography | OpenSSL, MbedTLS, WolfSSL, HSM/TPM, PKI/X.509, white-box |
Engagement Models
- Payment security architecture — design or review for PCI-MPoC, EMV, or CBDC systems
- Embedded security assessment — hardening review for Linux-based embedded platforms
- Certification support — documentation, lab coordination, and technical Q&A for FIPS / CC / PCI
- Threat modeling — structured analysis of payment or embedded system attack surfaces
- Technical advisory — ongoing guidance during design, implementation, or certification
Typical Deliverables
- Payment or embedded threat model with prioritized remediation plan
- PCI-MPoC, EMV, FIPS, or Common Criteria readiness review
- Mobile endpoint, device-binding, key-protection, and runtime-defense architecture notes
- Embedded Linux hardening review covering ASLR, secure boot, cryptographic libraries, and platform assumptions
- Certification-support package: diagrams, control rationale, lab Q&A support, and defect-resolution guidance
Related Insights
- Hostile Ground: The Security Landscape of Fintech Mobile Applications
- eSIM and digital payment
- Post-Quantum Cryptography Migration: A Comprehensive Strategy Guide
- AI Deployment in Regulated Environments
Contact me to discuss your payment or embedded security architecture needs.