pci hsm certificate

What is the PCI-HSM certification?

The pressure to maintain secured financial transactions has never been more important or more demanding. As new threats emerge on a daily basis, it is critical for CIOs, CISOs, and IT Managers to ensure they remain diligent when it comes to safeguarding their environments.

This is especially true when it comes to payment processing and Hardware Security Modules (HSMs). Here are three critical areas of focus when it comes to understanding the Payment Card Industry (PCI) HSM certifications and how they can affect your business.

What is PCI HSM Certification

Before going to deep into the impacts of the PCI HSM certification, it is important to have a clear understanding of what it encompasses. Simply put, the PCI HSM is a set of security compliance standards that include both the logical and physical aspects of payment processing. Certification for PCI HSM is a fundamental requirement for mission-critical payment processing operations such as:

  • PIN Processing
  • ATM Interchange
  • 3-D Secure
  • Card Verification
  • Card Production & Personalization
  • Cash Card Reloading
  • Chip Card Transaction Processing
  • Data Integrity

It is important to note that these compliance requirements are built on the foundation of many other accepted standards such as ISO, ANSI, and FIPS 140-2.

Risks of Non-Certified HSMs

Armed with an understanding of the PCI standards for HSMs, it is now possible to explore the exposure for non-certified payment processing hardware. One of the main tenets of the certification is that the HSM remains secure throughout its lifecycle - but not beyond. This includes everything from the manufacturing process of the hardware to its decommissioning and ultimate, well-defined end of life.

Beware of old PCI HSM versions

The reason why HSMs have a defined end of life, is that attack vectors change over time. Older versions of PCU HSM protection profiles may simple not be secure anymore because the intelligence and capabilities of attackers has improved over time.  

Utilizing a non-certified payment HSM is just as dangerous as using an HSM that is certified according to an out of date protection profile. It exposes the organization to the risk of cyber attack that could result in a costly data breach. This risk exists anywhere along the payment chain as outlined in the processes covered by the PCI HSM certification.

In the event of a breach, it is the responsibility of the organization that owns the payment operations and processes to prove that the Card PIN was secure per the PCI guidelines. It is more effective and cost efficient to purchase a certified HSM as opposed to undergoing the process of proving compliance.

Handling Expired PCI HSM Certification

For organizations that had previously purchased and implemented Payment HSMs that were compliant with version 1.0, they are now dealing with the possibility of certificate expiration. The first step in handling the possibility of an expired HSM certification is to contact the vendor. The support contract can include an obligation for the vendor to provide an update to the latest version of the PCI HSM - however, this may not always be possible, depending on the degree of change in the protection profile.. This update will need to have been validated against the latest standards which can be a costly process for the vendor since they may need to update every piece of hardware that they have deployed across multiple customers.

Certification: make or buy?

In the event the organization does not have a support agreement with their vendor for ongoing certification updates, they will have to undertake the process to prove compliance on their own. Some vendors provide assistance with this. This will usually become an extensive and expensive undertaking, but it may be worth your while. If not, it may be best to pursue the replacement of your payment processing hardware altogether.

As you can see, navigating the process of maintaining PCI HSM certification of payment processing hardware can be challenging and needs to be seen as an investment into the future of your business . By considering these areas of focus, organizations can stay ahead of the compliance curve.

Blog post by Paul Abraham

About the author

Dawn M. Turnerは、技術的な規制と標準、および企業の運営と業界全般への関連性と影響に情熱を傾けるプロの著者です。Dawnは、ハードウェア、プログラミング、システム、およびネットワークエンジニアリングにおいて、IT業界で10年以上の経験があります。同氏の学歴には、コンピューター操作およびプログラミング修了証書、A+、MCSE、MCPを含むCompTIAとマイクロソフト認定資格、ビジネス専攻およびコンピューターサイエンスを副専攻とする準学士、ビジネスフォレンジック専攻および会計学を副専攻とする科学学士号、金融と経済学を中心としたMBAが含まれます。

To find more press releases related with below topics, click on one of the keywords:

How can we help you?

Talk to one of our specialists and find out how Utimaco can support you today.
You have selected two different types of downloads, so you need to submit different forms which you can select via the two tabs.

Your download request(s):

    By submitting below form you will receive links for your selected downloads.

    Your download request(s):

      For this type of documents, your e-mail address needs to be verified. You will receive the links for your selected downloads via e-mail after submitting below form.





      Download via e-mail