The pressure to maintain secured financial transactions has never been more important or more demanding. As new threats emerge on a daily basis, it is critical for CIOs, CISOs, and IT Managers to ensure they remain diligent when it comes to safeguarding their environments.
This is especially true when it comes to payment processing and Hardware Security Modules (HSMs). Here are three critical areas of focus when it comes to understanding the Payment Card Industry (PCI) HSM certifications and how they can affect your business.
What is PCI HSM Certification
Before going to deep into the impacts of the PCI HSM certification, it is important to have a clear understanding of what it encompasses. Simply put, the PCI HSM is a set of security compliance standards that include both the logical and physical aspects of payment processing. Certification for PCI HSM is a fundamental requirement for mission-critical payment processing operations such as:
- PIN Processing
- ATM Interchange
- 3-D Secure
- Card Verification
- Card Production & Personalization
- Cash Card Reloading
- Chip Card Transaction Processing
- Data Integrity
It is important to note that these compliance requirements are built on the foundation of many other accepted standards such as ISO, ANSI, and FIPS 140-2.
Risks of Non-Certified HSMs
Armed with an understanding of the PCI standards for HSMs, it is now possible to explore the exposure for non-certified payment processing hardware. One of the main tenets of the certification is that the HSM remains secure throughout its lifecycle - but not beyond. This includes everything from the manufacturing process of the hardware to its decommissioning and ultimate, well-defined end of life.
Beware of old PCI HSM versions
The reason why HSMs have a defined end of life, is that attack vectors change over time. Older versions of PCU HSM protection profiles may simple not be secure anymore because the intelligence and capabilities of attackers has improved over time.
Utilizing a non-certified payment HSM is just as dangerous as using an HSM that is certified according to an out of date protection profile. It exposes the organization to the risk of cyber attack that could result in a costly data breach. This risk exists anywhere along the payment chain as outlined in the processes covered by the PCI HSM certification.
In the event of a breach, it is the responsibility of the organization that owns the payment operations and processes to prove that the Card PIN was secure per the PCI guidelines. It is more effective and cost efficient to purchase a certified HSM as opposed to undergoing the process of proving compliance.
Handling Expired PCI HSM Certification
For organizations that had previously purchased and implemented Payment HSMs that were compliant with version 1.0, they are now dealing with the possibility of certificate expiration. The first step in handling the possibility of an expired HSM certification is to contact the vendor. The support contract can include an obligation for the vendor to provide an update to the latest version of the PCI HSM - however, this may not always be possible, depending on the degree of change in the protection profile.. This update will need to have been validated against the latest standards which can be a costly process for the vendor since they may need to update every piece of hardware that they have deployed across multiple customers.
Certification: make or buy?
In the event the organization does not have a support agreement with their vendor for ongoing certification updates, they will have to undertake the process to prove compliance on their own. Some vendors provide assistance with this. This will usually become an extensive and expensive undertaking, but it may be worth your while. If not, it may be best to pursue the replacement of your payment processing hardware altogether.
As you can see, navigating the process of maintaining PCI HSM certification of payment processing hardware can be challenging and needs to be seen as an investment into the future of your business . By considering these areas of focus, organizations can stay ahead of the compliance curve.
Blog post by Paul Abraham