Payment Assurance (PA) Device Security Evaluator - Ottawa, ON

PA Device Security Evaluator is involved with cybersecurity evaluations of payment devices to various Payment Card Industry (PCI) requirements including:


* PIN Transaction Security (PTS) Point of Interaction (POI)


* PIN Transaction Security (PTS) Hardware Security Module (HSM)


* Software-based PIN Entry on COTS (SPoC)


* Contactless Payments on COTS (CPoC)


* Mobile Payments on COTS (MPoC)

Evaluations can include the following types of assessments:


* Physical device security


* Tamper detection mechanisms (e.g., the electrical/electronic components)


* Side-channel analysis


* Secure boot


* Cryptographic key management


* Source-code review


* Firmware/OS hardening


* Secure software development lifecycle


* Malformed input (i.e., fuzzing)


* Vulnerability assessment and penetration testing


* Reverse engineering


* Mobile application testing (e.g., OWASP MASVS/MSTG)


* Policy, process, and procedure review

It is expected that a candidate will have expertise in a few of the above areas with at least an interest in the remaining areas.

Skills in the remaining areas can be gained through on-the-job training.

Device security analysis and assessments can require the use or knowledge of:


* Standard hand tools


* Drilling and rotary tools


* Soldering


* Heat and solvents


* Electronic circuits


* PCB design


* File formats


* Communication protocols


* Secure coding and common weaknesses


* iOS and Android application protections

The work is being done on client devices and as such, communicating the results of testing is necessary and done through technical reports.

In order to produce high quality reports, the following is needed:


* Attention to detail including consistency and completeness


* Ability to communicate effectively in English


* Good use of figures, images, and tables


* Effective use of the Office suite (Word and Excel in particular)

Additional skills that are sought in a candidate include:


* Communicating and working effectively within a small team


* Communicating with clients


* Being able to work in a shared lab environment


* Being able to work independently


* Being able to identify and understand limitations in tests


* Being able to come up with new test plans or improvements on existing test plans

For this position, work is mainly in the office with potential for on-site client visits.

In addition to the assessment work, there will be opportunities to develop and deliver training and consulting to clients, which could be done virtually or on-site.

While the position is for the Payment Assurance area of the company, work in other related areas of the company (e.g., IoT security) may be assigned as needed.

The work requires a mixture of hardware, software (firmware/OS level), and communications knowledge.

A post-secondary degree or diploma, or equivalent wo...