We are currently in the early planning stages of developing a PCI PTS/SSF-compliant payment terminal and have selected the STM32U5 series as our target MCU due to its advanced security features (TrustZone, PCROP, HUK, etc.).
To ensure we start on the right foundation, we would greatly appreciate your guidance on the following:
1. Recommended Software Stack:
Which version of STM32Cube_FW_U5 and Trusted Firmware-M (TFM) / SBSFU is currently recommended or validated for security-critical applications like payment systems?
Are there any known issues or errata in older versions (e.g., V1.7.0) that we should avoid for certification purposes?
2. PCI-Specific Resources:
Does ST offer any reference designs, evaluation reports, or application notes specifically tailored for PCI PTS/SSF compliance on the STM32U5 platform?
Are there pre-validated secure boot, secure firmware update, or key management implementations we can leverage?
3. Documentation & Tooling:
Could you share the latest Security Reference Manual, Security Evaluation Report, or Threat Model documentation for STM32U5?
Are there recommended tools or workflows for secure debugging, firmware signing, or vulnerability assessment?
4. Support Path:
Is there a dedicated security team or partner program at ST that assists customers with PCI certification projects?
Can you recommend any approved PCI testing laboratories or consultants familiar with STM32-based designs?
We aim to align our development process with industry best practices from the outset to streamline the certification journey. Any pointers to starter kits, code examples, or community resources would be invaluable.
Thank you in advance for your time and support. We look forward to your response.
