Since the release of PCI PIN Transaction Security (PTS) Hardware Security Module (HSM) version 3.0 in June 2016, companies had started working on v3.0 compliant HSMs which is necessary for security and legal obligations.
HSMs are meant to be certified by the PCI, ISO, NIST and ANSI etc. Utimaco has released the HSM Atalla AT1000 which is not only PCI PTS HSM Version 3.0 compliant but also FIPS 140-2 Level 3 validated system.
AT1000 is based on Atalla Cryptographic Subsystem (ACS) delivering the best possible security and governance by managing and safeguarding the cryptographic keys and corresponding sensitive information regarding business transactions as per the latest standards within a tamper-resistant and responsive hardware HSM. Other core features offered by the AT1000 w.r.t scalability and deployment are easy integration and backward compatibility with the previous models. Utimaco provisions the corporate organizations to comply with the latest PCI DSS requirements by incorporating Atalla AT1000 HSM into their business solutions. This article enlightens the core security aspects of the HSM regarding the PCI PTS HSM v3 compliance certification.
Atalla AT1000 features w.r.t PCI PTS HSM v3
HSMs support a variety of cardholder-authentication and payment-processing functionalities and applications. Since the Atalla AT1000 fully complies the PCI PTS HSM v3, then it supports all the PCI PTS HSM v3 directs the security requirements regarding PIN processing, Card verification, 3-D Secure, EFTPOS, Card production and personalization, ATM interchange, Data integrity, Cash-card reloading, Key generation, Chip-card transaction processing & Key injection etc.
Atalla AT1000: Key Loading and Remote Management
The distinctive requirements between PCI PTS HSM version 2.0 and version 3.0 are:
- Key Loading: is functionality that must be met by devices that perform key injection of either clear-text or enciphered keys or their components.
- Remote Management: HSMs are mostly deployed in data centers which are physically secure by many access control mechanisms. Therefore, the need for remote administration of HSMs is a basic requirement which includes the basic device management functions such as checking the status and upgrading firmware to advanced level operation such as device configuration and key-loading services.
Atalla AT1000 by Utimaco has incorporated an exclusive methodology for HSM and key management by enabling a remote workflow-based model which also satisfies the PCI Dual Control Requirement without the physical presence of HSM administrators and operators. The remote management solution streamlines software and license upgrades, HSM security policy management, key loading, backup and restoration via the “SCA (Secure Configuration Assistant)”. SCA is a versatile tablet-based application that serves the functionality for local and remote management of the HSM intuitively. Through the use of SCA, HSM administrators can simply and efficiently configure commands, define parameters, calculate cryptograms, and inject cryptographic keys into Atalla HSMs. SCA is designed with easy to use GUI with a natural event and decision flow enlightening the security administrator user experience and productivity and plummeting the risks of mistakes.
Smart Card Authentication
The Logical Security Requirement B7 in PCI PTS HSM version 3.0 states “Access to sensitive services states requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, PINs, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data”. Atalla AT1000 HSM provisions digitally signed smartcard-based authentication to allow secure management of smartcards. ASK (Atalla Secure Keypad) is the tamper-reactive device for security-critical data entry such as key components and PINs for authentication purposes.
Dual Control for Critical Operations
PCI PTS HSM version 3.0 guides that the HSM must be designed in such a way that input of more than one password (dual or multiple controls) must be required in order to enter a sensitive state. Atalla AT1000 has successfully implemented the dual control in the critical operations such as backup and restoration process through a customizable policy to configure “M of N” smartcards required for a restore complying the dual control requirements.
Atalla AT1000 Key Block
Atalla AT1000 HSM comprises the AKB (Atalla Key Block) is a key block format approved by the ANSI standards community for the interchange of symmetric keys in a secure means that with key attributes included in the exchanged data. AKB stands at the core building block of all modern cryptographic block formats approved by PCI and ANSI. It solves important issues regarding the security of keys when they are in transit within a potentially hostile environment. (Read the main article on the Atalla Key Block)
High Availability
Atalla AT1000 HSM is designed to support High Availability (HA) and redundancy to ensure minimum downtime by incorporating redundant HDDs, Network Interface Cards (NIC) and power supplies etc.
Remote Administration
Remote Administration also makes the AT1000 attractive to key infrastructures depending on distributed data centers / locations in different time zones. It is as such a stepping stone for corporate cloud strategies.
Conclusion
Utimaco has released the HSM Atalla AT1000 which is not only PCI PTS HSM Version 3.0 compliant, but also FIPS 140-2 Level 3 validated system. The core supported features regarding the compliance to
PCI PTS HSM version 3 are secure key loading and remote administration. Other important features are smart card based authentication and dual control for critical operations.
About the author
Ulrich Scholten is an internationally active entrepreneur and scientist. He holds a PhD in information technology and owns several patents on cloud-based sensors. His research on cloud computing is regularly published in highly rated journals and conference papers. From 2008 - 2015, he was associated research scientist at the Karlsruhe Service Research Institute (KSRI), a partnership by KIT and IBM, where he researched network effects around web-platforms together with SAP Research.