CRYPTOMATHIC FREQUENTLY ASKED QUESTIONS

CRYPTOGRAPHY SOLUTIONS FAQS

The Cryptomathic enterprise-grade cryptographic platform enables secure, compliant and seamless protection of sensitive data cross on-prem, hybrid and multicloud environments, unlocking innovation without compromising control. 

Mobile App Security Core (MASC) Frequently Asked Questions (FAQs)

What is Mobile App Security Core (MASC)?
MASC is Cryptomathic’s SDK-based solution that embeds security directly into mobile apps. It combines runtime threat detection, code hardening, secure storage, and network/API protection to defend apps against tampering, fraud, and data theft.

How can banks protect mobile banking apps against threats?
Banks can protect mobile apps using Cryptomathic’s Mobile App Security Core (MASC), which enforces in-app cryptographic controls, runtime protection, and code hardening. MASC aligns with OWASP MASVS and ENISA guidelines, helping banks secure sensitive operations even in zero-trust environments.

How does MASC protect apps at runtime?
MASC uses sentinel-based Runtime Application Self-Protection (RASP) to monitor the app environment in real time. It detects anomalies like rooting, debugging, or malware, and responds immediately—blocking, alerting, or adapting app behavior.

What types of apps use MASC?
MASC is built for high-risk, high-compliance apps, such as mobile banking, e-payment wallets, eID/EUDI wallets, and any application that processes sensitive data or transactions.

How does MASC support compliance?
Out of the box, MASC aligns with 94% of OWASP Mobile App Security Verification Standard (MASVS) requirements and ENISA smartphone security guidelines—helping organizations meet regulatory and audit obligations.

Key Management Frequently Asked Questions (FAQs)

What is enterprise-grade key management?
It’s a centralized, automated system—typically a platform like CrystalKey 360—that handles the entire lifecycle of cryptographic keys, automates routine operations, enforces policy consistently, and delivers robust auditing for compliance and security at scale.

How does CrystalKey 360 manage key lifecycle—from generation to retirement?
CrystalKey 360 automates key generation, import, export, rotation, renewal, backup, revocation, versioning, and destruction. It enforces usage policies, distributes keys securely (even across HSMs), and maintains tamper-evident logs—ensuring reliability, efficiency, and reduced human error.

How does CrystalKey 360 help with compliance and auditing?
It automatically logs every key operation in tamper-proof audit trails, enables easy demonstration of compliance with standards like PCI-DSS and GDPR, and simplifies passing both internal and external audits.

What does cryptographic agility and future-proofing mean?
CrystalKey 360 is designed to evolve—allowing you to seamlessly transition to new algorithms or post-quantum cryptography, adapt to emerging regulatory requirements, and avoid vendor lock-in across multi-cloud or multi-HSM deployments.

What is Post-Quantum Cryptography (PQC)?
PQC refers to cryptographic algorithms designed to remain secure against attacks from quantum computers. While traditional algorithms could be broken by large-scale quantum machines, PQC algorithms are built to withstand this new threat landscape. CrystalKey 360 is engineered with PQC readiness, ensuring organizations can migrate smoothly when standards mature.

How does PQC affect compliance requirements?
Regulatory bodies and standards organizations are already preparing for the quantum era. NIST has published draft PQC standards, and frameworks like PCI DSS, eIDAS 2, and GDPR will evolve to mandate quantum-safe protections. By adopting a platform like CrystalKey 360—with built-in PQC readiness and cryptographic agility—enterprises can stay ahead of compliance deadlines and avoid disruptive migrations later.

Obsidian Frequently Asked Questions (FAQs)

What is Obsidian?
Obsidian is a modular payment issuer platform that integrates key card services—issuance, PIN management, transaction authorization, certificate authority, and key management—into a scalable, modern solution for virtual and physical card programs. It can be deployed in both on-premise and cloud environments.

Which modules does Obsidian include?
Key modules include:

Card Issuance – Manage the lifecycle of virtual and physical EMV® cards, including batch and instant issuance.
PIN Management – Secure, multi-channel PIN generation, selection, reminder, and reset.
EMV Authorization – Handle script execution, risk parameters, and real-time payment decisions.
Certificate Authority (CA) – Manage root and issuer certificates for EMV compliance.
Payment Key Management – Lifecycle control of keys used throughout the card issuance and personalization process.

How does Obsidian accelerate go-to-market and modernize issuing operations?
It centralizes issuer workflows into a single platform, enabling quick issuance of new cards (digital or physical) and seamless integration of modern payment methods and wallet deployment—reducing complexity and cost while enabling innovation.

What compliance and security features does Obsidian offer?
Obsidian embeds PCI compliance. It supports the full cryptographic and operational requirements of issuer environments to safeguard card data and maintain regulatory alignment.

Digital Identities & Signatures Frequently Asked Questions (FAQs)

What is a Trust Service Provider (TSP)?
Under the eIDAS regulation, a Trust Service Provider (TSP) is an entity authorized to offer electronic trust services—like issuing qualified digital certificates, electronic signatures, seals, timestamps, and preservation services. TSPs must meet stringent requirements to operate legally across member states.

What is eIDAS?
eIDAS is an EU regulation governing digital identities and trust services. It defines legal frameworks for electronic signatures, seals, timestamps, and trust services, establishing standards for advanced and qualified electronic signatures that ensure cross-border interoperability and legal validity across the EU.

What is Signer?
Signer is Cryptomathic’s digital signing solution that enables organizations to deliver Qualified Electronic Signatures (QES) at scale. It provides WYSIWYS (What You See Is What You Sign) assurance, integrates with QSCDs (Qualified Signature Creation Devices), and ensures signatures are legally binding under eIDAS. Signer is widely used by banks, governments, and TSPs to provide citizens and customers with secure, frictionless digital signing experiences.

What is a QSCD?
A Qualified Signature Creation Device (QSCD) is a secure hardware or software component certified under eIDAS to generate and protect signing keys used for Qualified Electronic Signatures. A QSCD ensures that only the legitimate signatory can access their private signing key and that the key cannot be copied, tampered with, or misused. By law, signatures generated with a QSCD qualify as having the same legal value as a handwritten signature across the EU.

What makes Signer a Qualified Electronic Signature (QES) solution?
Signer delivers QES-level assurance by leveraging a Qualified Signature Creation Device (QSCD)—a secure, certified hardware or software module that ensures only the signatory has control over the signing key. QES carries the same legal weight as handwritten signatures across the EU under eIDAS.

What is "What You See Is What You Sign" (WYSIWYS) and why does it matter?
WYSIWYS ensures users digitally sign exactly what they see on-screen—preventing hidden data or content changes between viewing and signing. Signer uses WYSIWYS to enhance legal certainty and prevent disputes around what was actually signed.