
Payment HSM Certifications Explained

With millions of payment operations occurring every second, safeguarding financial assets, sensitive customer data, and organizational reputations is critical. This is where Payment Hardware Security Modules (HSMs) come into play.

This blog explores the key certifications for Payment HSMs, their importance, and how they help organizations navigate the complex world of secure digital payments.

Test and validate payment applications with the Atalla AT1000 Simulator

Understanding the Basics Behind the Payment HSM Certificates

Digital payment operations are among the most sensitive digital processes, because how securely they are executed determines how well everything involved in or related to a transaction is protected, such as:

  • Financial assets of individuals and organizations, such as money or cryptocurrencies
  • Customer data, such as personal information or other data covered by bank secrecy
  • Sensitive organizational data belonging to the banks, issuers, and acquirers involved in the transaction
  • The reputation of every organization involved in the transaction

Certifications: The Central Framework for Security and Trust in Digital Payments

Executing digital payment processes as securely as possible and protecting all parties and data involved is the clear goal. But not everyone can be an expert in cybersecurity, and even an expert cannot test and attest the security and functionality of every product. To relieve users of this burden, the payment industry has defined security requirements, and demonstrated compliance with them results in a certification (or, in PCI terminology, an approval).

These certifications provide clear security requirements for the organizations involved in payment processes and applications, guiding them on how to secure their processes, both physical and digital. As part of this, they require the use of specific security components that have been validated to meet the necessary security levels.

Beyond proven compliance with a specific standard, certified products offer further advantages, such as security assurance, quality, and reliability, so that customers can trust them. The same applies to the cryptographic backbone of digital payment security: Hardware Security Modules. A Payment HSM, a type of HSM dedicated to acting as the Root of Trust for payment-related processes, is expected to conform to:

  • PCI PTS HSM: the approval program run by the Payment Card Industry Security Standards Council (PCI SSC).
  • FIPS 140-2 or FIPS 140-3: the cryptographic module standards published by the US National Institute of Standards and Technology (NIST) and validated under the Cryptographic Module Validation Program (CMVP).

Most HSMs available today, whether deployed on-premises or offered as a service, claim both certifications, which lets a Qualified Security Assessor (QSA) tick the boxes. However, if the focus is on assuring security rather than "just" getting through a PCI assessment, you should know what these certifications actually cover.

Key Payment HSM Certifications

FIPS 140-2 and FIPS 140-3 by NIST

The FIPS (Federal Information Processing Standards) publications are issued by NIST. FIPS 140 validations are run jointly by NIST and the Canadian Centre for Cyber Security under the CMVP, and validated modules are required for cryptographic products procured by the US and Canadian governments. Many FIPS standards have nonetheless been adopted in the commercial world wherever no industry-specific norm exists. FIPS 140, the standard for cryptographic modules, was first published in 1994 as FIPS 140-1; FIPS 140-2 followed in 2001. FIPS 140-3 was approved in 2019 as its successor. New validations are now performed against FIPS 140-3 only, but existing FIPS 140-2 certificates remain on the CMVP active list until their scheduled sunset in September 2026, so both versions are still encountered as current.

A FIPS 140 validation applies to a defined cryptographic boundary, and vendors choose where to draw it. Payment HSM manufacturers generally validate only the core cryptographic module, the most significant technology in the HSM, and not the surrounding firmware and payment applications. A FIPS certificate therefore says nothing about the security of the application layer that actually processes PINs and keys.

PCI PTS HSM by PCI

The Payment Card Industry standards define security requirements for payment transactions that must be met by every organization that accepts, processes, stores, or transmits payment card data.

PCI SSC introduced its own HSM standard under the PTS (PIN Transaction Security) program in 2009; it is now in its fourth version. Some of the PCI PTS HSM requirements are derived from FIPS 140. The PCI standard is written specifically for Payment HSMs and covers the whole device (including firmware and applications) as well as device management during manufacturing and shipment. But there are gotchas to look out for.

Because firmware and applications are included in the evaluation, vendors may not get every version approved, and urgent updates may be released before their approval is granted. To be sure an HSM is PCI-approved, check that the installed hardware and firmware versions are listed, and that the approval has not expired, on PCI SSC's online list of approved PTS devices.
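The check described above is easy to get wrong at scale when dozens of HSMs run slightly different firmware builds. The following Python script is an added example, not code from the original post or from any HSM vendor: it compares a constructed HSM inventory against a constructed approval listing (the model name, version numbers and dates are made up; real data comes from the PCI SSC approved-devices list and the HSM's own status output). It treats the listing as exact-match on model, hardware version and firmware version, flags approvals that have expired, and flags devices running custom software, which voids the approval unless that software was itself evaluated.

```python
"""Audit a payment HSM inventory against a PCI PTS HSM approval listing.

All data below is constructed for illustration. The listing format,
model name and version numbers are assumptions, not real PCI SSC entries.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable


@dataclass(frozen=True)
class Approval:
    """One row of the (constructed) PCI SSC approved-devices listing."""
    model: str
    hardware: str   # hardware version exactly as listed
    firmware: str   # firmware version exactly as listed
    expires: date   # approval expiry date on the listing


@dataclass(frozen=True)
class Device:
    """One HSM from the (constructed) inventory, as reported by the device."""
    serial: str
    model: str
    hardware: str
    firmware: str
    custom_software: bool = False   # customer-developed or custom-built code loaded


def normalize_version(v: str) -> tuple:
    """Map 'v4.2.1', '4.02.1' and '4.2.1' to (4, 2, 1) so cosmetic differences
    between the listing and the device output do not hide a match, while a
    real difference (4.2.1 vs 4.2.2) still fails. Non-numeric parts are kept
    as lower-case strings."""
    parts = v.strip().lower().lstrip("v").split(".")
    return tuple(int(p) if p.isdigit() else p for p in parts)


def check_device(dev: Device, approvals: Iterable[Approval], today: date) -> str:
    """Return 'APPROVED', or a string starting with 'NOT APPROVED' / 'EXPIRED'
    explaining why this device cannot be relied on as PCI-approved."""
    if dev.custom_software:
        return ("NOT APPROVED: custom software loaded; approval is void unless "
                "the custom code went through the approval process")
    matches = [
        a for a in approvals
        if a.model == dev.model
        and normalize_version(a.hardware) == normalize_version(dev.hardware)
        and normalize_version(a.firmware) == normalize_version(dev.firmware)
    ]
    if not matches:
        return (f"NOT APPROVED: {dev.model} HW {dev.hardware} FW {dev.firmware} "
                f"is not on the listing")
    if all(a.expires < today for a in matches):
        latest = max(a.expires for a in matches)
        return f"EXPIRED: approval for FW {dev.firmware} lapsed on {latest.isoformat()}"
    return "APPROVED"


def audit(devices: Iterable[Device], approvals: Iterable[Approval], today: date) -> dict:
    """Map each device serial to its approval status."""
    approvals = list(approvals)
    return {d.serial: check_device(d, approvals, today) for d in devices}


# Constructed approval listing (hypothetical model and versions).
APPROVALS = [
    Approval("ExampleHSM", "1.0", "3.9.0", date(2024, 4, 30)),   # old, now expired
    Approval("ExampleHSM", "1.0", "4.2.1", date(2027, 4, 30)),
    Approval("ExampleHSM", "1.0", "4.2.3", date(2027, 4, 30)),
    Approval("ExampleHSM", "1.1", "5.0.0", date(2029, 4, 30)),
]

# Constructed inventory: note HSM-002 runs an urgent vendor patch (4.2.2)
# that never appeared on the listing, and HSM-004 runs custom code.
INVENTORY = [
    Device("HSM-001", "ExampleHSM", "1.0", "v4.2.3"),
    Device("HSM-002", "ExampleHSM", "1.0", "4.2.2"),
    Device("HSM-003", "ExampleHSM", "1.0", "3.9.0"),
    Device("HSM-004", "ExampleHSM", "1.0", "4.2.3", custom_software=True),
]

AUDIT_DATE = date(2025, 6, 1)

if __name__ == "__main__":
    for serial, status in audit(INVENTORY, APPROVALS, AUDIT_DATE).items():
        print(f"{serial}: {status}")
```

Exact matching is deliberate: an approval covers the evaluated build, not "this version or newer", so a patched firmware that is one digit off is unapproved until PCI SSC lists it. The expiry check matters for the same reason: a listing entry that has lapsed does not satisfy an assessor even if the firmware once was approved.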

The HSM vendor may offer a software customization service, or the HSM may provide a facility to run customer-developed software. Using either means the HSM is no longer approved, unless the custom software has itself been put through the approval process.

A PCI approval may also be conditional on the HSM being deployed in a controlled environment, which puts the onus on the user to provide and maintain an acceptable environment; a device is only "approved" while those conditions hold.

Key Considerations Beyond Certifications

Payment HSMs almost certainly carry a FIPS 140-2 / FIPS 140-3 validation or a PCI PTS HSM approval to meet a QSA's needs. However, there are plenty of ways to invalidate that approval in operation.

To understand what has actually been tested and approved for a specific HSM offering, read the approval material carefully: the CMVP certificate and the module's Security Policy on the NIST website for FIPS, and the device listing on the PCI SSC website for PCI PTS HSM. The Security Policy in particular defines the cryptographic boundary, the approved mode of operation and the algorithms permitted in it.

It is also important to make sure that business requirements are met and that the HSM remains usable under the compliance mandates of the given environment. In some cases the requirements conflict. For example, NIST has deprecated and, per SP 800-131A, disallowed Triple DES (TDES) encryption, so it is no longer an approved algorithm in a FIPS-approved mode of operation, yet legacy payment key management and PIN processing still depend heavily on it. An HSM that enforces the FIPS restrictions across hardware, firmware and application level will therefore be unusable for these workloads. Here, having only the core cryptographic module of a Payment HSM FIPS-validated has the advantage that the FIPS requirement and the payment requirement can both be met, provided you understand which of your operations actually run inside the validated boundary.

Utimaco’s Portfolio of Certified Payment HSMs

Utimaco provides a range of FIPS- and PCI-certified Payment HSM offerings, both on-premises and cloud-based as a service, providing reliable cryptographic support for the secure handling of your payment applications while covering your organization's individual needs.

With the Atalla AT1000 Payment HSM, our flagship product, we provide you with the ideal product specifically designed for secure and compliant non-cash retail payment transactions and cardholder authentication.

The Atalla AT1000 Payment HSM is FIPS 140-2 Level 3 certified, FIPS 140-2 Level 4 (physical design) compliant, as well as PCI PTS HSM v3 certified to comply with the highest security requirements in the payment field.

Ready to secure your payment systems? Explore Utimaco’s certified Payment HSM solutions or contact us today for a consultation.


About the Authors

Silvia Clauss, Head of Product Marketing

Manish Upasani, Head of Product Management
