PCI PIN Transaction Security (PTS) HSM v3 Requirements

Hardware Security Modules (HSMs) are a critical component in assuring the integrity and confidentiality of business transactions. Corporate organizations and banks employ security services such as encryption, decryption and strong authentication between identities and applications.

HSMs are deployed by enterprises to protect confidential business communication. The security of the HSM must be ensured throughout its complete lifecycle, from product development and consignment through deployment and decommissioning. Since HSMs are the most indispensable component responsible for the confidentiality and integrity of business transactions, the security of the entire business is at stake if an HSM is compromised.

The standard document PCI PTS (PIN Transaction Security) HSM v3 sets out the core security aspects for every stage of the HSM lifecycle. All HSM vendors must comply with these security requirements and guidelines, which are mandatory to acquire PCI PTS HSM device approval.

A Little about PCI SSC & PCI DSS

PCI SSC (Payment Card Industry Security Standards Council) is a governing body established in September 2006 as a joint venture by MasterCard, American Express, Visa, JCB International and Discover Financial Services. It holds the mandate of managing the development of the PCI standards and the alignment of companies' policies with PCI DSS (Payment Card Industry Data Security Standard), an information security standard intended to prevent credit card fraud and numerous additional security threats and vulnerabilities. Credit and debit card processors such as MasterCard and Visa implement the mechanisms and security controls specified or suggested in the PCI DSS. Entities that store, process and transmit card information are required to follow PCI DSS.

PCI PTS HSM Version 3.0

PCI PTS HSM version 3.0 is the latest standard, released in June 2016. It sets out requirements for HSMs across their whole lifecycle (manufacturing, delivery, usage, and decommissioning) with which HSM vendors should comply, referred to as the PCI PTS (PIN Transaction Security) HSM "Modular Security Requirements". PCI PTS requirements are operational and technical security requirements for the protection of cardholder data, along with cardholder authentication, payment processing, cryptographic key management and so on. The principal goal of these requirements is not to eliminate the possibility of fraud, but to reduce its likelihood and limit its consequences. All HSM vendors and applications that store, process or transmit cardholder data must comply with this standard. PCI PTS HSM (v1 - v3) requirements deal with the following HSM features:

  • PIN processing
  • Card verification
  • 3-D Secure
  • Card production and personalization
  • ATM interchange
  • Data integrity
  • Cash-card reloading
  • Key generation
  • Chip-card transaction processing
  • Key injection

Evaluation Modules of PCI PTS HSM v3

PCI PTS HSM v3 presents four evaluation modules for HSM validation. Each module has its own requirements. These requirements are used as the minimum acceptable criteria because PCI has defined them using a risk-reduction methodology that identifies the associated benefit when measured against acceptable costs to design and manufacture HSM devices. All the specified requirements are derived from current ANSI, ISO and NIST standards, which are already accepted as best practices by the financial payments industry. Once an HSM is approved by PCI as per the above-mentioned requirements, it is listed on their website.


This article discusses the guidance and direction for appropriately designing HSMs to meet the security needs for the protection of HSMs from the manufacturing phase to initial deployment. The standard is divided into four evaluation modules: core requirements, key-loading devices, remote administration and device management security requirements. These requirements are the minimum acceptable criteria to be PCI PTS HSM version 3 certified.

About the author

Ulrich Scholten is an internationally active entrepreneur and scientist. He holds a doctorate in information technology and owns several patents for cloud-based sensors. His research on cloud computing is regularly published in renowned journals and conference papers. From 2008 to 2015 he was a research associate at the Karlsruhe Service Research Institute (KSRI), a partnership of KIT and IBM, where he researched network effects related to web platforms together with SAP Research.
