
What is an HSM-based Payment Server

To be classified as fit for business and compliant by governmental regulators, the banking and financial services industry has a multitude of compliance requirements to adhere to.

Beyond staying compliant, the industry also has to handle identity and access management and cryptographic key management, support blockchain-based systems, and move to the cloud securely. That is not an easy feat.

Hardware security modules have become a key part of modern payment infrastructure. The technology behind payment HSMs continues to evolve as new payment systems come to market, and hardware vendors must keep pace with those developments and demands. Modifying an existing HSM while keeping it within PCI compliance has become a challenge for the payment industry, banks, and financial services companies.

This article explains what a payment HSM is, why it needs to meet the PCI PTS HSM (Hardware Security Module) security requirements, and why PCI HSM certification matters.

What does a Payment HSM do?

The payment industry, banks, and fintech companies rely on specialized payment HSMs to securely process functions such as:

  • Verifying a user-entered PIN against the reference PIN held by the card issuer
  • Verifying debit/credit card transactions by performing host-side cryptographic processing for EMV (chip) transactions or checking card verification values (CVV/CVC)
  • Providing a cryptographic API for EMV transaction processing (for example, verifying the card's ARQC cryptogram and generating the ARPC response)
  • Re-encrypting (translating) a PIN block from one zone key to another so it can be forwarded to the next authorization host
  • Performing secure key management (generation, import/export under key-encryption keys, and key component handling)
  • Supporting POS and ATM network management protocols
  • Supporting host-to-host key and data exchange API standards
  • Generating and printing PIN mailers
  • Generating PVV and CVV data for magnetic stripe cards
  • Generating a card key set and supporting the smart card personalization process
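The first and fourth items above (PIN verification and PIN block translation) are the core of what a payment HSM does on every PIN-based transaction, so here is an added worked example of the data path, written for this article and not taken from the page or from any vendor's product. It builds an ISO 9564-1 format 0 PIN block, encrypts it under an acquirer zone PIN key, translates it to the issuer's zone key, and verifies it on the issuer side. The keys, the PAN (4000001234567899) and the PIN are constructed sample values; the zone keys are double-length 3DES keys, which is the classic format for this command. Unlike a real HSM, the clear PIN block lives in ordinary process memory here.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// panField returns the ISO 9564 format 0 PAN field: four zero nibbles
// followed by the 12 rightmost PAN digits, excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN must have at least 13 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// iso0PinBlock builds the clear 8-byte format 0 block:
// (0 || PIN length || PIN || 'F' padding) XOR PAN field.
// XORing the PAN in binds the block to one card: a block captured for
// one PAN does not decode to a valid PIN for another.
func iso0PinBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 decimal digits")
	}
	pinField, err := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + strings.Repeat("F", 14-len(pin)))
	if err != nil {
		return nil, err
	}
	pf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	for i := range out {
		out[i] = pinField[i] ^ pf[i]
	}
	return out, nil
}

// iso0Pin recovers the PIN from a clear format 0 block. It rejects the
// block if the control nibble, length, digits or padding are wrong, which
// is what happens when the block was built for a different PAN.
func iso0Pin(block []byte, pan string) (string, error) {
	if len(block) != 8 {
		return "", errors.New("PIN block must be 8 bytes")
	}
	pf, err := panField(pan)
	if err != nil {
		return "", err
	}
	clear := make([]byte, 8)
	for i := range clear {
		clear[i] = block[i] ^ pf[i]
	}
	h := strings.ToUpper(hex.EncodeToString(clear))
	n64, err := strconv.ParseInt(h[1:2], 16, 0)
	n := int(n64)
	if err != nil || h[0] != '0' || n < 4 || n > 12 {
		return "", errors.New("not a valid format 0 PIN block")
	}
	pin, pad := h[2:2+n], h[2+n:]
	if strings.Trim(pin, "0123456789") != "" || strings.Trim(pad, "F") != "" {
		return "", errors.New("PIN block does not match this PAN")
	}
	return pin, nil
}

// tdesBlock runs one 3DES block operation with a double-length key
// K1||K2, expanded to K1||K2||K1. A PIN block is exactly one DES block.
func tdesBlock(key16, in []byte, decrypt bool) ([]byte, error) {
	if len(key16) != 16 || len(in) != 8 {
		return nil, errors.New("expected a 16-byte key and an 8-byte block")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// translatePinBlock is the "PIN translate" host command: the block arrives
// under the acquirer's zone PIN key (zpkA) and leaves under the issuer's
// (zpkB). Inside a real HSM the intermediate clear block never leaves the
// tamper-protected boundary.
func translatePinBlock(encA, zpkA, zpkB []byte) ([]byte, error) {
	clear, err := tdesBlock(zpkA, encA, true)
	if err != nil {
		return nil, err
	}
	return tdesBlock(zpkB, clear, false)
}

// verifyPin is the issuer-side check: decrypt under the issuer zone key,
// strip the PAN, and compare with the reference PIN the issuer holds.
func verifyPin(encB, zpkB []byte, pan, referencePin string) (bool, error) {
	clear, err := tdesBlock(zpkB, encB, true)
	if err != nil {
		return false, err
	}
	pin, err := iso0Pin(clear, pan)
	if err != nil {
		return false, err
	}
	return pin == referencePin, nil
}

func main() {
	// Constructed sample keys and card data; not real keys or a real PAN.
	zpkA, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	zpkB, _ := hex.DecodeString("11223344556677889900AABBCCDDEEFF")
	pan, pin := "4000001234567899", "1234"
	clear, _ := iso0PinBlock(pin, pan)
	encA, _ := tdesBlock(zpkA, clear, false)        // what the acquirer sends
	encB, _ := translatePinBlock(encA, zpkA, zpkB) // what the issuer receives
	ok, err := verifyPin(encB, zpkB, pan, pin)
	fmt.Printf("clear block %X, issuer verify=%v err=%v\n", clear, ok, err)
	_, err = verifyPin(encB, zpkB, "4000001234567881", pin)
	fmt.Println("same block presented with a different PAN:", err)
}
```

The point to take from the wrong-PAN call at the end is why the PAN is folded into the block: because verification fails rather than yielding a plausible PIN, the block cannot be replayed against another card, and the HSM command set never has to hand a clear PIN back to the host to make that check.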

Why Hardware Security Modules? Advantages

A hardware security module (HSM) is a piece of highly trusted computer hardware that can be added to a computer or network server. It typically takes the form of an external network-attached appliance or a PCIe card installed inside a server. General-purpose HSMs are usually reached through standard APIs such as PKCS#11, JCE or Microsoft CNG; payment HSMs are instead driven through vendor-specific host command sets.

An HSM's function is to generate, protect and manage cryptographic keys and to perform the cryptographic operations that use them, both the specialized functions required for processing transactions and general-purpose ones. In payments it is used primarily to support transaction authorization and payment card personalization activities, such as the ones listed above.

An HSM offers high throughput for these operations, runs a hardened operating system, and restricts network access to its command interfaces. Its sole objective is to keep cryptographic material inside a protected boundary, and it contains a hardware true random number generator, based on a physical noise source, for key generation.

Being tamper-resistant and tamper-evident devices, HSMs are normally kept within secure environments. Additional external physical security precautions and protections are still required to prevent unauthorized access that would jeopardize the HSM's secure functions.

The Payment Card Industry Security Standard – PCI DSS

The Payment Card Industry Security Standards Council was formed in 2006 by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. to maintain the Payment Card Industry Data Security Standard (PCI DSS), first published in 2004. The standard consists of twelve principal requirements, each with multiple sub-requirements, against which businesses can measure their own payment card security policies, procedures, and guidelines. The goal of setting these requirements for any organization that accepts, stores, processes, or transmits cardholder data is simple: to enhance the security of that data.

The twelve security requirements, in the wording of PCI DSS v3.x (v4.0 restates them but keeps the same twelve areas), are:

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business need-to-know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security for all personnel

PCI PTS HSM Compliance 

The PCI PTS HSM security requirements ensure that HSM devices provide strong protection for the critical data elements used in card verification, PIN processing, chip transaction processing, payment card personalization, secure cryptographic key loading, remote HSM administration and other payment authentication activities.

For a payment HSM to be PCI PTS HSM approved, it must meet a set of physical and logical security requirements, along with requirements for device security during manufacturing and for device security between the manufacturer and initial key loading. The evaluation is a long procedure and includes the following:

  • The device, in our case an HSM, is built to detailed specifications
  • The device must pass all laboratory tests
  • The device must resist the attack scenarios defined for it (in the case of an EMV payment card, more than 80 types of attacks)

This is quite the endeavor. But once it is complete, buyers can be confident that they are getting a product that meets a high degree of security requirements.

Processing card payments requires an extreme level of security to prevent breaches that jeopardize both customers’ personal information and the security of the financial organizations’ information systems. 

General Purpose HSMs 

Currently, most general-purpose HSMs are validated under the FIPS 140-2 security certification scheme developed by NIST, or under its successor FIPS 140-3, which superseded it for new validations, to provide security assurance across payment infrastructure.

FIPS Levels 1-4


  • Level 1. The lowest security level that can be applied to a cryptographic module. It requires only that approved algorithms be used and imposes no physical security requirements beyond production-grade components.
  • Level 2. Modules at this level add tamper evidence (coatings, seals or pick-resistant locks that show when the module has been physically opened) and role-based authentication of operators.
  • Level 3. This level requires tamper detection and response (for example, zeroizing keys when the enclosure is opened), identity-based authentication, and separation of the interfaces through which plaintext critical security parameters enter or leave the module.
  • Level 4. The highest level. The module must detect and respond to all unauthorized attempts at physical access with a complete envelope of protection, and it must protect against compromise due to environmental conditions or fluctuations outside its normal operating ranges for voltage and temperature. Level 4 is not what payment HSMs are usually validated to: most are FIPS 140-2 Level 3 devices that are additionally approved under PCI PTS HSM.


PCI PTS HSM certification is critical for remaining PCI compliant with HSM-based payment systems while keeping up with market developments. Certification of payment HSMs helps maintain the integrity of credit and debit card transactions for the payment card industry, banks, and financial services companies. As the payment processing industry continues to evolve in response to growing security concerns, HSM-based payment servers will need to continue to evolve to address them.


