To be classified as fit for business and compliant by governmental regulatory bodies, the Banking and Financial Services industry has a multitude of compliance requirements to adhere to.
Beyond staying compliant, the Banking and Financial Services industry needs to handle identity and access management and cryptographic key management, be able to use blockchains, and move to the cloud securely. Not an easy feat.
Hardware security modules have become a key part of modern payment infrastructure. However, with new challenges appearing constantly, the technology behind payment HSMs is continually evolving. Because new and innovative payment systems keep arriving on the market, hardware vendors often find themselves trying to keep up with market developments and demands. Implementing modifications to existing hardware security modules while staying within PCI compliance has become a challenge for the payment industry, banks, and financial services companies.
This article explains what a payment HSM is, why it needs to comply with the PCI PTS Hardware Security Module (HSM) requirements, and the importance of being PCI HSM certified.
What does a Payment HSM do?
The payment industry, banks, and fintech companies rely on specialized payment HSMs to securely process functions such as:
- Verifying a cardholder-entered PIN against the reference PIN (or PIN verification value) held by the card issuer
- Verifying debit/credit card transactions by performing the host-side processing for EMV-based transactions and checking CVVs
- Providing a cryptographic API for EMV processing
- Re-encrypting (translating) a PIN block so it can be sent to another authorization host
- Performing secure key management
- Supporting POS and ATM network management protocols
- Supporting host-to-host key/data exchange API standards
- Generating and printing PIN mailers
- Generating PVV and CVV data for magnetic stripe cards
- Generating a card key set and supporting the smart card personalization process
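Two of the functions above, PIN verification and PIN block translation, are the ones most people never see in detail because the clear PIN is only ever present inside the HSM. The program below is an added example written for this article, not code from the article or from any HSM vendor: it models ISO 9564 format 0 PIN block encoding, translation of an encrypted PIN block from an acquirer zone PIN key (ZPK) to an issuer ZPK, and issuer-side verification, with the two functions that touch the clear block standing in for the HSM's tamper-protected boundary. The PAN, PIN and both ZPK values are constructed test data, and the reference-PIN comparison is a simplification of what an issuer actually stores (a PVV or PIN offset).

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Added example, not code from the article or any HSM product. Inside a real
// HSM the clear PIN block never leaves the secure boundary; here translatePIN
// and verifyPIN stand in for that boundary.

// Constructed 2-key TDES zone PIN keys (hypothetical values, not real keys).
var zpkAcquirer, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
var zpkIssuer, _ = hex.DecodeString("C1D0E1F2A3B4C5D6E7F8091A2B3C4D5E")

// tdesBlock runs one 8-byte block through 2-key TDES (K1,K2,K1) in ECB mode,
// which is how a single PIN block is encrypted under a ZPK.
func tdesBlock(key, in []byte, decrypt bool) ([]byte, error) {
	if len(key) != 16 || len(in) != 8 {
		return nil, errors.New("tdesBlock: need a 16-byte key and an 8-byte block")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// panField builds the format 0 PAN field: four zero nibbles followed by the
// rightmost 12 PAN digits, excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN too short")
	}
	core := pan[:len(pan)-1]
	return hex.DecodeString("0000" + core[len(core)-12:])
}

// encodePINBlock produces a clear ISO 9564 format 0 PIN block:
// PIN field (0, length nibble, PIN digits, F padding) XOR PAN field.
func encodePINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 decimal digits")
	}
	pf, err := hex.DecodeString(fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
	if err != nil {
		return nil, err
	}
	pa, err := panField(pan)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	for i := range out {
		out[i] = pf[i] ^ pa[i]
	}
	return out, nil
}

// decodePINBlock reverses encodePINBlock and rejects blocks whose format
// nibble, length nibble, digits or padding are not what format 0 requires.
func decodePINBlock(block []byte, pan string) (string, error) {
	pa, err := panField(pan)
	if err != nil || len(block) != 8 {
		return "", errors.New("bad PAN or PIN block length")
	}
	pf := make([]byte, 8)
	for i := range pf {
		pf[i] = block[i] ^ pa[i]
	}
	h := strings.ToUpper(hex.EncodeToString(pf))
	n, perr := strconv.ParseUint(h[1:2], 16, 8)
	if h[0] != '0' || perr != nil || n < 4 || n > 12 {
		return "", errors.New("not a valid format 0 PIN block")
	}
	pin, pad := h[2:2+n], h[2+n:]
	if strings.Trim(pin, "0123456789") != "" || strings.Trim(pad, "F") != "" {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return pin, nil
}

// translatePIN models the HSM "translate PIN block" command used when a PIN is
// forwarded to another authorization host: decrypt under the incoming ZPK and
// re-encrypt under the outgoing ZPK. The clear block exists only in here.
func translatePIN(encBlock, zpkIn, zpkOut []byte) ([]byte, error) {
	clear, err := tdesBlock(zpkIn, encBlock, true)
	if err != nil {
		return nil, err
	}
	return tdesBlock(zpkOut, clear, false)
}

// verifyPIN models issuer-side verification: decrypt under the issuer ZPK,
// decode with the PAN and compare in constant time. Only yes/no leaves.
func verifyPIN(encBlock, zpk []byte, pan, referencePIN string) (bool, error) {
	clear, err := tdesBlock(zpk, encBlock, true)
	if err != nil {
		return false, err
	}
	pin, err := decodePINBlock(clear, pan)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(pin), []byte(referencePIN)) == 1, nil
}

func main() {
	pan := "4000001234567899" // constructed test PAN, not a real card number
	block, _ := encodePINBlock("1234", pan)
	encAcq, _ := tdesBlock(zpkAcquirer, block, false)          // as received from the acquirer zone
	encIss, _ := translatePIN(encAcq, zpkAcquirer, zpkIssuer) // re-zoned for the issuer
	ok, _ := verifyPIN(encIss, zpkIssuer, pan, "1234")
	fmt.Printf("clear %X -> acquirer zone %X -> issuer zone %X, verified=%v\n", block, encAcq, encIss, ok)
}
```

The point to take from the flow in `main` is architectural rather than cryptographic: the acquirer host only ever holds `encAcq`, the issuer host only ever holds `encIss`, and the decoded digits appear solely inside `translatePIN` and `verifyPIN`. In a deployment those two functions are HSM host commands, the ZPKs are loaded into the HSM under dual control and never exported in the clear, and the clear PIN block for PAN 4000001234567899 and PIN 1234 (041234FEDCBA9876) exists nowhere outside the module.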
Why Hardware Security Modules? Advantages
A hardware security module (HSM) is a piece of highly trusted computer hardware that can be added to a computer or network server. It typically takes the form of an external device connected over the network or a cable, or of a PCIe card installed inside a server. Payment HSMs generally expose a vendor-specific host command interface rather than a standard general-purpose API such as PKCS#11.
An HSM's function is to protect and manage cryptographic keys and to perform the specialized operations required for processing payment transactions, alongside general-purpose cryptographic functions. In payments it is used primarily to support transaction authorization and to perform payment card personalization activities, such as the ones listed above.
An HSM offers high cryptographic throughput, runs a hardened operating system, and has restricted network access. Its core objective is to keep cryptographic material inside the device, and it contains a hardware random number generator that draws on a physical entropy source to generate keys.
Being tamper-resistant and tamper-evident devices, HSMs are normally kept within secure environments. Additional external physical security precautions are still required to prevent unauthorized access that would jeopardize the HSM's secure functions.
The Payment Card Industry Security Standard – PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is maintained by the PCI Security Standards Council, formed in 2006 by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. It consists of twelve high-level requirements, each with multiple sub-requirements, against which businesses can measure their own payment card security policies, procedures, and guidelines. The goal of these requirements, which apply to any organization that accepts, stores, processes, or transmits cardholder data, is simple: to enhance the security of that data.
The twelve security requirements are:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
PCI PTS HSM Compliance
The PCI PTS HSM security requirements ensure that HSM devices provide the strongest protection for the critical data elements used in card verification, PIN processing, chip transaction processing, payment card personalization, secure cryptographic key loading, remote HSM administration and other payment authentication activities.
For a payment HSM to be PCI PTS HSM compliant, a set of physical and logical security requirements must be met, along with requirements for device security during manufacturing and for device security between the manufacturer and initial key loading. The evaluation is a long procedure and broadly requires that:
- the device, in our case an HSM, is built to detailed specifications
- the device passes all laboratory tests
- the device resists the defined attack scenarios (in the case of an EMV payment card, more than 80 types of attacks)
This is a considerable undertaking, but once it is complete, buyers can be confident that they are getting a product that meets a high degree of security requirements.
Processing card payments requires an extreme level of security to prevent breaches that jeopardize both customers’ personal information and the security of the financial organizations’ information systems.
General Purpose HSMs
Currently, most general-purpose HSMs are certified under the FIPS 140-2 scheme developed by NIST, which provides security assurance for cryptographic modules throughout the payment infrastructure.
FIPS 140-2 Levels 1-4
- Level 1. The lowest security level that can be applied to a cryptographic module. It requires only that the module implement at least one approved security function; production-grade components suffice and no physical security measures beyond that are required.
- Level 2. Modules at this level add tamper evidence (tamper-evident coatings or seals, or pick-resistant locks) and role-based authentication: an operator must authenticate to a role before being allowed to perform that role's services.
- Level 3. This level requires tamper detection and response, typically zeroizing the critical security parameters (keys) when the enclosure is opened, identity-based authentication of operators, and separation of the interfaces through which critical security parameters enter and leave the module.
- Level 4. This is the highest level. A Level 4 module must provide a complete envelope of protection that detects and responds to all physical penetration attempts, and it must protect against compromise through environmental conditions outside the module's normal operating ranges for voltage and temperature. In practice, most payment HSMs are certified at FIPS 140-2 Level 3 and rely on PCI PTS HSM certification for the payment-specific requirements.
Conclusion
PCI PTS HSM certification is critical to remaining PCI compliant with HSM-based payment systems and keeping up with market developments. Certification of payment HSMs provides the ability to maintain the integrity of credit and debit card transactions for the payment card industry, banks, and financial services companies. As the payment processing industry continues to evolve in response to growing security concerns, HSM-based payment systems will need to continue to evolve to address these concerns.