With millions of payment operations occurring every second, safeguarding financial assets, sensitive customer data, and organizational reputations is critical. This is where Payment Hardware Security Modules (HSMs) come into play.
This blog explores the key certifications for Payment HSMs, their importance, and how they help organizations navigate the complex world of secure digital payments.
Test and validate payment applications with the Atalla AT1000 Simulator
Understanding the Basics Behind the Payment HSM Certificates
Digital payment operations are among the most sensitive digital processes, because the security with which they are executed determines how well several assets involved in or related to the transaction are protected, such as:
- Financial values of individuals and organizations, such as money or cryptocurrencies
- Customers' data, such as their personal information or further data covered by banking secrecy
- Sensitive organizational data belonging to banks, issuers, and acquirers involved in payment transactions
- The reputation of the organizations involved in digital payment transactions
Certifications: The Central Framework for Security and Trust in Digital Payments
Executing digital payment processes in the most secure way and efficiently protecting all parties and data involved is the clear goal. But not everyone can be an expert in cybersecurity, and even an expert cannot test and attest the security and functionality of every product. To relieve users of this burden, the payment industry has defined various security guidelines, and compliance with these guidelines is attested through certifications.
These certifications provide clear security requirements for organizations involved in payment processes and applications, guiding them on how to secure their processes, both physical and digital. As part of this, certifications require the use of specific cybersecurity solutions that have been validated to meet the necessary security levels.
Besides proven compliance with specific regulations, certified products have many advantages, such as safety assurance, quality, and reliability, which let customers trust them. The same advantages apply to the cryptographic backbone of digital payment security: Hardware Security Modules. A Payment HSM, a specific type of HSM dedicated to acting as the Root of Trust for payment-related processes, must conform to:
- PCI PTS HSM: the certification accepted by the Payment Card Industry (PCI).
- FIPS 140-2 or FIPS 140-3: standards set by the National Institute of Standards and Technology (NIST).
Most of the HSMs available today, whether in a traditional on-premises deployment or as an as-a-Service offering, claim to have both certifications, enabling a Qualified Security Assessor (QSA) to tick the boxes. However, if the focus is on assuring security rather than "just" getting through a PCI assessment, you might want to know what these certifications are all about.
Key Payment HSM Certifications
FIPS 140-2 and FIPS 140-3 by NIST
The FIPS (Federal Information Processing Standards) are used by the US and Canadian governments for government procurement, but many of them have also been adopted in commercial sectors that lack industry norms of their own. FIPS 140-2 is the second version of the standard for secure cryptographic modules, a standard first published in 1994. The third version, FIPS 140-3, was officially introduced in 2019 and is intended to succeed FIPS 140-2, but both FIPS standards are still accepted as active and current.
Vendors typically choose which part of their product is FIPS-certified. Payment HSM manufacturers generally certify only the core cryptographic module, as the most security-significant technology in the HSM, but not the firmware and applications.
PCI PTS HSM by PCI
The Payment Card Industry standards set requirements for payment transactions that must be met by every organization that accepts, processes, stores, or transmits credit card information.
PCI introduced its own HSM standard under the PTS (PIN Transaction Security) program in 2009; it is now in its fourth version. Some of the PCI PTS HSM requirements are derived from FIPS. The PCI standard is specific to Payment HSMs and covers the whole HSM (including firmware and applications) as well as device management during manufacturing and shipment. But there are gotchas to look out for.
Because firmware and applications are included, vendors may not get every version approved, or urgent updates may be released before approval is granted. To ensure an HSM is PCI-approved, you need to check that the installed software version is listed in the online approval published by PCI.
The HSM vendor may offer a software customization service, or the HSM may have a facility to run customer-developed software. Using either of these means the HSM is no longer approved, unless the custom software has itself been put through the approval process.
PCI approval may limit the HSM to being deployed in a controlled environment, which puts the onus on the user to ensure they provide an acceptable environment.
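The three gotchas above (an installed version that is not on the listing, custom software outside the approved build, and a controlled-environment restriction) are exactly the things a deployment review should check before the device is counted as approved. The following is an added example, not Utimaco's code and not a tool from PCI or NIST: it models an approval listing as a constructed record and compares a deployed HSM against it. The record structure, field names, model and version strings, and dates are all constructed for illustration; the real listings must be read from the PCI and NIST websites.

```python
# Added example: deployment-time check of an installed payment HSM against an
# approval record. Everything below (field names, model/version strings, dates)
# is constructed for illustration and is NOT a real PCI PTS or NIST listing.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ApprovalRecord:
    """Constructed stand-in for one entry of an approval listing."""
    model: str
    hardware_versions: frozenset
    firmware_versions: frozenset
    application_versions: frozenset
    approval_expiry: date            # listings carry a validity date
    controlled_environment_only: bool


@dataclass(frozen=True)
class DeployedHsm:
    """What an operator can read off the device (assumed fields)."""
    model: str
    hardware_version: str
    firmware_version: str
    application_version: str
    custom_software_loaded: bool     # vendor customization or customer code
    environment: str                 # "controlled" or "uncontrolled"


def _norm(version: str) -> str:
    """Compare versions case-insensitively and ignore stray whitespace."""
    return version.strip().lower()


def check_approval(hsm: DeployedHsm, record: ApprovalRecord, today: date) -> list:
    """Return a list of findings; an empty list means the deployment stays
    inside the approval. Findings are stable strings so they can be fed
    into a compliance report or asserted on in tests."""
    findings = []
    if _norm(hsm.model) != _norm(record.model):
        findings.append("model-mismatch")
    if _norm(hsm.hardware_version) not in {_norm(v) for v in record.hardware_versions}:
        findings.append("hardware-version-not-listed")
    if _norm(hsm.firmware_version) not in {_norm(v) for v in record.firmware_versions}:
        findings.append("firmware-version-not-listed")
    if _norm(hsm.application_version) not in {_norm(v) for v in record.application_versions}:
        findings.append("application-version-not-listed")
    # Custom or customer-developed software is outside the approved build
    # unless it went through the approval process itself.
    if hsm.custom_software_loaded:
        findings.append("custom-software-not-approved")
    # Past the listing's validity date the listing no longer supports the claim.
    if today > record.approval_expiry:
        findings.append("approval-expired")
    # A controlled-environment restriction is on the user to satisfy.
    if record.controlled_environment_only and hsm.environment != "controlled":
        findings.append("environment-not-controlled")
    return findings


# Constructed sample data (not real products, versions or dates).
SAMPLE_RECORD = ApprovalRecord(
    model="example-hsm",
    hardware_versions=frozenset({"HW-1.0"}),
    firmware_versions=frozenset({"FW-2.3.1", "FW-2.3.2"}),
    application_versions=frozenset({"APP-5.0"}),
    approval_expiry=date(2030, 4, 30),
    controlled_environment_only=True,
)

DEPLOYED_OK = DeployedHsm("example-hsm", "HW-1.0", "FW-2.3.2", "APP-5.0", False, "controlled")
# The same device after an urgent firmware update that is not yet on the
# listing, with a customer-developed module loaded on top.
DEPLOYED_DRIFTED = DeployedHsm("example-hsm", "HW-1.0", "FW-2.3.3", "APP-5.0", True, "controlled")

if __name__ == "__main__":
    for name, hsm in (("ok", DEPLOYED_OK), ("drifted", DEPLOYED_DRIFTED)):
        print(name, check_approval(hsm, SAMPLE_RECORD, date(2025, 1, 1)) or "approved")
```

The check is deliberately strict: any component version absent from the listing, any custom software, or an expired listing produces a finding, mirroring the point that an approval applies to the exact tested configuration rather than to the product name. Running the same check after each firmware or application update catches the common case of an urgent patch being applied before its approval appears.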
Key Considerations Beyond Certifications
Payment HSMs almost certainly hold a FIPS 140-2 / FIPS 140-3 or PCI PTS HSM approval to satisfy a QSA's needs. However, there are plenty of ways to invalidate that approval.
To understand what has actually been tested and approved for a specific HSM offering, read the approval material on the NIST (for FIPS) and PCI websites carefully, particularly the HSM's Security Policies.
It is also important to make sure that the business requirements are met and that the HSM remains usable under the compliance mandates of the given environment. In some cases the requirements conflict. For example, the FIPS standards do not allow the use of TDES algorithms, yet Payment HSMs are predominantly dependent on TDES. An HSM that explicitly enforces all FIPS requirements at the hardware, firmware, and application level will therefore be unusable for this application. In this case, having only the core cryptographic module of a Payment HSM certified has the advantage that both sets of requirements can be met.
Utimaco’s Portfolio of Certified Payment HSMs
Utimaco provides various FIPS- and PCI-certified Payment HSM offerings, both on-premises and cloud-based as-a-Service offerings, providing reliable cryptographic support for the secure handling of your payment applications while covering your organization's individual needs.
With the Atalla AT1000 Payment HSM, our flagship product, we provide a product specifically designed for secure and compliant non-cash retail payment transactions and cardholder authentication.
The Atalla AT1000 Payment HSM is FIPS 140-2 Level 3 certified, FIPS 140-2 Level 4 (physical design) compliant, as well as PCI PTS HSM v3 certified to comply with the highest security requirements in the payment field.
Ready to secure your payment systems? Explore Utimaco’s certified Payment HSM solutions or contact us today for a consultation.