Is a POS application required to be PCI DSS compliant? - pci-dss

I am an eftPOS software engineer; I develop bank financial applications. The applications are MTIP, ADVT and CUP certified. According to PCI DSS, do we also need to make our app PCI compliant? I ask this question because the POS stores credit card information until settlement.

If credit card data is stored, even temporarily, the application needs to comply with PCI DSS.
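The question turns on whether the POS ever holds a full card number (PAN) in readable form. As an added example that is not part of the question or the answer above, the following Python code shows two things a POS team can check for themselves: a scanner that finds unmasked, Luhn-valid PANs in batch or log lines (a common way card data ends up stored without anyone intending it), and the truncation and keyed-hash forms that PCI DSS requirement 3 accepts in place of a readable PAN. The log lines, the key and the card numbers are constructed samples (4111111111111111 and 5555555555554444 are well-known test numbers); a PAN that must survive until settlement would additionally be encrypted under a key kept outside the application, which this stdlib-only example does not implement.

```python
# Added example (not part of the original question or answer): checks a POS
# team can run when deciding whether stored card data brings the
# application into PCI DSS scope. PCI DSS requirement 3 treats a full PAN
# held in readable form as cardholder data to protect; accepted options
# are truncation, a keyed hash or index token, or strong encryption.
# (a) find_clear_pans scans constructed lines for an unmasked Luhn-valid PAN
# (b) truncate_pan / pan_reference show the truncated and keyed forms.
# All sample lines, keys and card numbers below are constructed.
import hashlib
import hmac
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not preceded or followed by another digit.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep the first six and last four digits; the rest become '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(digits: str, key: bytes) -> str:
    """Keyed hash of the PAN, usable as a lookup reference.

    An unkeyed SHA-256 of a PAN can be brute-forced from the small PAN
    space, which is why a secret key is mixed in here."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def find_clear_pans(lines):
    """Return (line_index, truncated_pan) for each unmasked PAN found.

    The finding is reported truncated so the scanner does not copy the
    full PAN into its own output."""
    findings = []
    for idx, line in enumerate(lines):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((idx, truncate_pan(digits)))
    return findings


# Constructed sample lines: one leaks a full PAN, one is already truncated,
# and one carries a 16-digit order number that is not a card number.
SAMPLE_LINES = [
    "2024-01-01 12:00:01 TXN ok amount=1999 pan=4111111111111111 auth=123456",
    "2024-01-01 12:00:02 TXN ok amount=500 pan=411111******1111 auth=654321",
    "2024-01-01 12:00:03 order=1234567890123456 status=settled",
]

if __name__ == "__main__":
    for idx, masked in find_clear_pans(SAMPLE_LINES):
        print(f"line {idx}: unmasked PAN present ({masked})")
    key = b"constructed-demo-key"  # real systems: from a key store, never in code
    print(pan_reference("4111111111111111", key))
```

Running the scanner over a day of POS logs and batch files is a quick way to answer "do we store card data?" with evidence rather than opinion; a single hit means the component that wrote it is in scope.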

Related

5G Mobile Handset MCC & MNC

Q.1 I want to check the list of MCCs supported by a 5G handset without a SIM card. Does the handset have a Topple list of MCC/MNC? Or is the handset MCC/MNC agnostic, meaning it can support all MCC/MNC available across the world?
Q.2 What application/software do we require to update the MCC/MNC binary in a handset?
I tried to flash the binary with some software, but it was futile.
I asked customer care for support; they didn't help.
I am trying to find support in a handset for the MCC/MNC of a test network, like 999/99.

How safe is my code inside an ARM Cortex-M? Threat of hackers pulling it? MPU required?

I have an older product that is Microchip PIC 18F based. It's being knocked off in China. The clones are a cheap copy of the hardware, but 1:1 software. It's clearly my code on these. The code is programmed at initial device assembly and never again (no updates, no bootloader, etc). So the only way this could happen is if they defeated the read protections on the PIC 18F. I don't think that's unreasonable to assume, given the age of that chip and my impression of it, which led me to switch away from them before this came to my attention.
I've migrated all new projects to ARM (M0+, M3, M4) already for other reasons. This doesn't do anything for my old code now. I am hoping the protections are better on the ARM Cortex chips (NXP, ST, Freescale, TI, etc). I can find very little information on how this works.
Is it possible to defeat the chip read protections in place on ARM? Assuming full JTAG, Serial Wire Debug, whatever. Even if you decap the chip to expose the die? Even if you really knew what you were doing? How safe is it? Because... 8-bit PIC is apparently extremely unsafe.
I had a thought that in new projects I could require a connection to our server, where I would record the unique ID (96-128 bit) and authorize the device from there. Clones' IDs would not be recognized. This is a logistical mess because I'll have a master list from the assembler, it'll be online, the user's device code will have to be sent and authorized with a firmware download... There are a few places for spoofing and abuse. This is a hassle on many levels. Are there simpler ways of ensuring protection than this:
We record the unique id at manufacturing
The user locks his name/info/unique number into the part
The user plugs into USB
Our web/java software talks with module
We store the unique ID of the chip and their unique info
If the chip isn't recognized (id not in the list), stop
If the chip is already linked to another user's info (spoofed ID), stop
If it's a new or already verified module, allow the user to work with it
The above is under the assumption that the unique IDs are built into the ARM die and could never be written over. Seems likely. But every manufacturer seems to have a different system in place; this seems to be a peripheral feature and not part of the core (on some STM chips it's 96-bit, on some Freescale it's 128-bit). I assume this is largely what the unique IDs are for: serialization and encryption schemes.
(Note: I hate DRM. And that's not really what I'm trying to do, but this product is part of a system that could be indirectly responsible for people's lives. We cannot have cheap knockoffs from China out there for many reasons; even if the software is mine, we can't verify their cheap hardware.)
I would recommend the following:
Look at ARM chips that have TrustZone and encryption. Some have per peripheral key locking.
If you want absolute security, then buy the ARM IP and design a silicon chip with the code embedded in the hardware with no way to read/write it. Make it part of the silicon logic or an on-chip ROM.
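The registration scheme the question sketches (record IDs at manufacturing, bind each device to one user, stop on unknown or already-claimed IDs) is easy to get subtly wrong, so here it is as a small server-side registry. This is an added example, not code from the question or the answer; it assumes IDs arrive as hex strings of 96 or 128 bits, as the question describes for STM and Freescale parts, and a master list exported one ID per line. One caveat the question already hints at: the unique ID is readable by anyone holding a device, so this is a registry check rather than proof that the silicon is genuine. A clone that copies a real ID is only detected when it collides with the legitimate owner's registration.

```python
# Added example, not code from the question or its answer: a server-side
# registry applying the question's rules. Assumptions: device IDs are
# 96-bit or 128-bit values presented as hex, and the assembler's master
# list is plain text with one ID per line. The ID is not a secret, so
# this detects unknown and already-claimed IDs, nothing more.
from dataclasses import dataclass, field
import re

_HEX_ID = re.compile(r"[0-9a-f]{24}|[0-9a-f]{32}")  # 96-bit or 128-bit


def normalize_id(raw: str):
    """Lower-case, strip separators; None when not a 96/128-bit hex ID."""
    cleaned = re.sub(r"[\s:-]", "", raw).lower()
    return cleaned if _HEX_ID.fullmatch(cleaned) else None


def load_master_list(text: str) -> set:
    """Parse the assembler's list (one ID per line, '#' comments) into a set."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        dev = normalize_id(line)
        if dev is None:
            raise ValueError(f"malformed id in master list: {line!r}")
        ids.add(dev)
    return ids


@dataclass
class DeviceRegistry:
    manufactured: set                             # IDs recorded at manufacturing
    owners: dict = field(default_factory=dict)    # device id -> user info

    def authorize(self, raw_id: str, user_info: str):
        """Return ("allow"|"stop", reason) following the question's steps."""
        dev = normalize_id(raw_id)
        if dev is None:
            return ("stop", "malformed id")
        if dev not in self.manufactured:
            return ("stop", "unknown id")                   # id not in the list
        owner = self.owners.get(dev)
        if owner is None:
            self.owners[dev] = user_info                     # first sight: link it
            return ("allow", "new")
        if owner != user_info:
            return ("stop", "id linked to another user")    # reused/spoofed id
        return ("allow", "verified")


# Constructed master list: two 96-bit IDs and one 128-bit ID.
MASTER_LIST = """
# ids exported by the assembler (constructed sample)
00112233445566778899aabb
FFEEDDCCBBAA998877665544
00112233445566778899aabbccddeeff
"""

if __name__ == "__main__":
    reg = DeviceRegistry(load_master_list(MASTER_LIST))
    print(reg.authorize("00:11:22:33:44:55:66:77:88:99:aa:bb", "alice"))
    print(reg.authorize("00112233445566778899aabb", "bob"))
```

Keeping the owner binding server-side is what makes the "already linked to another user" rule work; if the binding lived only in the device, a clone would simply carry a fresh copy of it.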

distributed network simulation in omnet

Most of the OMNeT++ modules have a centralized communication model. I beg your forgiveness, but I am not able to track down any complete decentralized module so far. I am more inclined to work with the INETMANET framework, as I want to implement the mesh deterministic approach or distributed reservation protocol in OMNeT++.
If anybody can point me to any specific module with a distributed communication model at the MAC layer, it would be a great help for me.
You are probably thinking of The INET Framework. OMNeT++ is a simulation engine; it does not contain simulation models, though (by default) it installs The INET Framework to help new users get started quickly.
The INET Framework can also simulate, e.g., WLAN cards operating in Ad Hoc mode, so this would fulfill your requirement for being able to simulate a decentralized system. Depending on what you want to simulate, there are many module libraries that are focusing completely on decentralized operation that might be more applicable to your question.
Some examples are Oversim for peer-to-peer networks, Castalia for wireless sensor and body area networks, or Veins for vehicular networks.

NFC Payment : mobile as reader and emulated card

As I understand it, NFC offers three modes of operation:
Reader/Writer mode: reading/writing of/to NFC tags (coupons, SmartPoster tags).
Card Emulation mode (using the Secure Element): virtual cards are stored in the Secure Element (PayWave, PayPass).
Peer-to-Peer mode: communication between two NFC-enabled active devices, used in contactless services such as ticketing, money transfers or lower-security access control applications.
More: About NFC
Is it possible to combine these modes and have NFC transactions between two phones, one as an emulated card in a secure element and the second as the reader/POS? Any information about the subject is appreciated.
Thank you.
Yes, what you are after is possible. What you refer to as card emulation mode, is commonly associated with the term digital wallet. In this case, the phone behaves like an EMV enabled payment card and transmits the necessary signals using the phone's NFC hardware.
On the other end of the spectrum is a reader. This reader can be another phone, or can be a typical merchant terminal that you see in retail locations. As long as both parties implement the standards properly, the data exchange can occur.
The merchant terminals however typically have stronger range than the sensors found in phones, so a payment at a merchant terminal is a bit easier to execute. As new phones come out, they tend to have better NFC antennas embedded in them however (for example comparing Nexus S with S4), so hopefully this gap will close. The EMV standards dictate a 5cm range for a reader to be compliant, though I've stumbled across many readers that don't have that range.
As you have probably guessed, I'm familiar with this space. I'm a cofounder of Triangle.io, and what we do is allow you to use any Android device as a reader for free. You can learn more about our API at http://www.triangle.io if interested. To go back to the question at hand, you can use one phone in card emulation mode, and on the other, you can use our API to read the other phone's emulated card. The phone emulating the card needs to implement the EMV specifications properly.

hardware specification recommendation for Solr

I am looking for a hardware specification for the Solr search engine. Our requirement is to build a search system which indexes about 5 to 9 million documents. The peak load is around 50 queries per second. I checked the Dell website and think that maybe a rack server is good, so I configured a sample product. What do you think of my choice? Do you have any experience with hardware specifications for a Solr system?
PowerEdge R815
Chassis: R815 Chassis for Up to Six 2.5 Inch Hard Drives
Processor: 2x AMD Opteron 6276, 2.3GHz, 16C, Turbo CORE, 16M L2/16M L3, 1600MHz Max Mem
Additional Processor: No 3rd/4th Processors
Operating System: No Operating System
OS Media Kits: None
OS and SW Client Access Licenses: None
Memory: 64GB Memory (8x8GB), 1333MHz, Dual Ranked LV RDIMMs for 2 Processors
Hard Drive Configuration: No RAID for PERC H200 Controllers (Non-Mixed Drives)
Internal Controller: PERC H200 Integrated RAID Controller
Hard Drives: 1TB 7.2K RPM SATA 2.5in Hot-plug Hard Drive
Data Protection Offers: None
Embedded Management: iDRAC6 Express
System Documentation: Electronic System Documentation and OpenManage DVD Kit
Network Adapter: Intel® Gigabit ET NIC, Dual Port, Copper, PCIe-4
Network Adapter: Intel® Gigabit ET NIC, Dual Port, Copper, PCIe-4
Host Bus Adapter/Converged Network Adapter: None
Power Supply: 1100 Watt Redundant Power Supply
Power Cords: NEMA 5-15P to C13 Wall Plug, 125 Volt, 15 AMP, 10 Feet (3m), Power Cord
BIOS Setting: Performance BIOS Setting
Rails: No Rack Rail or Cable Management Arm
Bezel: PowerEdge R815 Bezel
Internal Optical Drive: DVD ROM, SATA, Internal
I agree with Marko (not myself, other Marko:).
You should use e.g. JMeter to test the capabilities of your configuration (the most important metric of course being how response time changes with the number of parallel users) and then make an educated decision based on those results.
Be prepared to play with JVM memory settings in order to see how it affects overall performance.
I'd also test various application servers to see how that decision affects response time.
PS: If you choose to use JMeter you should definitely make use of JMeter Plugins, which will allow you (Composite Graph) to show the number of parallel users and response time together with the server's processor, memory and network loads on the same graph.
This is a hugely open-ended question, with far too many details unknown; the straw-man hardware spec is really not very useful (TL;DR).
There is only one sensible way to go about tackling this problem and that is empirically.
