Hardware Security Modules are a critical component in data integrity and confidentiality assurance of business transactions. Corporate organizations and banks employ security services such as encryption, decryption and strong authentication between identities and applications.
HSMs are deployed by enterprises for the defense of secret business communication. The security of the HSM must be ensured during the complete lifecycle starting from product development, consignment, deployment and decommissioning stages. Since the HSM are the most indispensable segment in charge of the information privacy as well as uprightness of business exchanges, the security of the entire business is at stake in case an HSM gets compromised.
The standard document PCI PTS (PIN Transaction Security) HSM v3 enlightens the core security aspects regarding every stage of the lifecycle of HSM. All HSM vendors must comply with these security requirements and guidelines which are mandatory to acquire PCI PTS HSM device approval.
A Little about PCI SSC & PCI DSS
PCI SSC (Payment Card Industry Security Standards Council) is a governing body established in September 2006 as a joint venture by MasterCard, American Express, Visa, JCB International and Discover Financial Services. It holds the mandate of managing the development in PCI and alignment of company’s policies to PCI DSS (Payment Card Industry Data Security Standard) which is an information security standard to prevent credit card scams and numerous additional security threats & vulnerabilities. Credit/Debit card processors such as MasterCard and Visa etc. implement the mechanism and security controls specified suggested in the PCI DSS. The entities that store, process and transmit the card information are required to follow PCI DSS.
PCI PTS HSM Version 3.0
PCI PTS HSM version 3.0 is the latest standard which was released on June 2016. PCI PTS HSM has displayed necessities for HSMs during their whole lifecycle (fabricating, conveyance, utilization, and decommissioning) which ought to be agreed by the HSM sellers referred as PCI PTS (PIN Transaction Security) HSM "Modular Security Requirements". PCI PTS are operational/technical security requirements for the protection of the cardholder-data along with cardholder authentication, payment processing and cryptographic key management etc. The principle goal of these necessities isn't to kill the plausibility of business cheats, however to decrease its likelihood and point of confinement its significances. All the HSM vendors and applications which store, process or transmit cardholder data must comply with this standard. PCI PTS HSM (v1 - v3) requirements deal with the following HSM features:
- PIN processing
- Card verification
- 3-D Secure
- Card production and personalization
- ATM interchange
- Data integrity
- Cash-card reloading
- Key generation
- Chip-card transaction processing
- Key injection
Evaluation Modules of PCI PTS HSM v3
PCI PTS HSM v3 presents four evaluation modules for HSM validation. Each module has its own respective requirements. These requirements will be used as the minimum acceptable criteria because the PCI has defined these requirements using a risk-reduction methodology that identifies the associated benefit when measured against acceptable costs to design and manufacture HSM devices. All the specified requirements are derived from the current ANSI, ISO and NIST standards which are already known/accepted as best practices by the financial payments industry. Once an HSM is approved by the PCI as per the above mentioned requirements, it is listed on their website.
This article discusses the guidance and direction for appropriately designing HSMs to meet the security needs for the protection of HSMs from the manufacturing phase to initial deployment. It is divided in four evaluation modules which are core requirements, key-loading devices, remote administration and device management security requirements. These mentioned requirements are the minimum acceptable criteria to be PCI PTS HSM version 3 certified.
About the author
Ulrich Scholten is an internationally active entrepreneur and scientist. He holds a PhD in information technology and owns several patents on cloud-based sensors. His research on cloud computing is regularly published in highly rated journals and conference papers. From 2008 - 2015, he was associated research scientist at the Karlsruhe Service Research Institute (KSRI), a partnership by KIT and IBM, where he researched network effects around web-platforms together with SAP Research.