Clover Mobile Security Policy 8
f. In addition to the device, the end user also receives
i. A power adapter
ii. A PIN Shield
iii. An overview guide
iv. A link to the help website where updated documentation
and FAQs are stored
2. Software Development Guidance
a. Clover Mobile software implements PCI security requirements for
authenticated applications.
b. External developers are never permitted to handle unencrypted
payment data. Clover ensures that this data is encrypted
immediately, that no clear-text data is output, and that all
applications are signed.
c. There are two types of APKs used for running software on the
device:
i. System Image APKs are controlled by the vendor. These
APKs are signed with the Clover Platform App Validation
Keypair. A hash of each APK is also included in the
system files list checked at boot. The app that controls
payments is a System Image APK.
ii. Data Image APKs are submitted by the developer and, if
approved by the vendor, are signed with the source
developer’s key. Each APK has a whole-file signature added,
and the APK is signed with the Clover App Validation
Keypair. No Data Image APK has access to the payment
systems.
d. Non-payment applications may install certificates into the system
default keystore. Developers of non-payment applications should
pin their server certificate (or public key) using one of the
techniques described here:
https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
3. Networking the device
a. If you connect the device via Wi-Fi, you must connect only to an
access point that requires encrypted authentication with both a
username and a password.
4. Software update and patch procedures