What is the PCI-HSM certification?

The pressure to maintain secured financial transactions has never been more important or more demanding. As new threats emerge on a daily basis, it is critical for CIOs, CISOs, and IT Managers to ensure they remain diligent when it comes to safeguarding their environments.

This is especially true when it comes to payment processing and Hardware Security Modules (HSMs). Here are three critical areas of focus when it comes to understanding the Payment Card Industry (PCI) HSM certifications and how they can affect your business.

What is PCI HSM Certification

Before going too deep into the impacts of the PCI HSM certification, it is important to have a clear understanding of what it encompasses. Simply put, PCI HSM is a set of security compliance standards that cover both the logical and the physical aspects of payment processing. Certification for PCI HSM is a fundamental requirement for mission-critical payment processing operations such as:

  • PIN Processing
  • ATM Interchange
  • 3-D Secure
  • Card Verification
  • Card Production & Personalization
  • Cash Card Reloading
  • Chip Card Transaction Processing
  • Data Integrity

It is important to note that these compliance requirements are built on the foundation of many other accepted standards such as ISO, ANSI, and FIPS 140-2.

Risks of Non-Certified HSMs

Armed with an understanding of the PCI standards for HSMs, it is now possible to explore the exposure created by non-certified payment processing hardware. One of the main tenets of the certification is that the HSM remains secure throughout its lifecycle, but not beyond it. This covers everything from the manufacturing process of the hardware to its decommissioning and its ultimate, well-defined end of life.

Beware of old PCI HSM versions

The reason why HSMs have a defined end of life is that attack vectors change over time. Older versions of the PCI HSM protection profile may simply no longer be secure, because the intelligence and capabilities of attackers have improved over time.

Utilizing a non-certified payment HSM is just as dangerous as using an HSM that is certified according to an out-of-date protection profile. It exposes the organization to the risk of a cyber attack that could result in a costly data breach. This risk exists anywhere along the payment chain, as outlined in the processes covered by the PCI HSM certification.

In the event of a breach, it is the responsibility of the organization that owns the payment operations and processes to prove that the card PIN was secured per the PCI guidelines. It is more effective and cost-efficient to purchase a certified HSM than to undergo the process of proving compliance after the fact.

Handling Expired PCI HSM Certification

Organizations that previously purchased and implemented payment HSMs compliant with version 1.0 are now dealing with the possibility of certificate expiration. The first step in handling a possibly expired HSM certification is to contact the vendor. The support contract may include an obligation for the vendor to provide an update to the latest version of PCI HSM; however, this may not always be possible, depending on the degree of change in the protection profile. Such an update will need to be validated against the latest standards, which can be a costly process for the vendor, since they may need to update every piece of hardware they have deployed across multiple customers.

Certification: make or buy?

If the organization does not have a support agreement with its vendor for ongoing certification updates, it will have to undertake the process of proving compliance on its own. Some vendors provide assistance with this. It will usually become an extensive and expensive undertaking, but it may be worth your while. If not, it may be best to replace your payment processing hardware altogether.

As you can see, navigating the process of maintaining PCI HSM certification of payment processing hardware can be challenging and needs to be seen as an investment in the future of your business. By considering these areas of focus, organizations can stay ahead of the compliance curve.

Blog post by Paul Abraham

About the author

Dawn M. Turner is a professional author with a passion for technical regulations and standards, as well as for their relevance and impact on operational processes and industry in general. Dawn has more than 10 years of experience in the IT industry in the areas of hardware, programming, and system and network development. Her educational background includes a certificate in computer operations and programming, CompTIA and Microsoft certifications including A+, MCSE and MCP, an associate degree majoring in business with a minor in computer science, a Bachelor of Science degree majoring in white-collar crime with a minor in accounting, and an MBA with a focus on finance and economics.
