What is an HSM-based Payment Server

The Banking and financial services industry is challenged - for example by PSD2. On top of this, they need to manage Identity and access management, cryptographic key management, use blockchains, go to the cloud and stay compliant. 

Technology, for example for payment HSMsis continually evolving. New challenges appear and must be responded to. Because payment systems are unique, hardware vendors often find themselves at odds with trying to keep up with market developments. The need to implement modifications to existing hardware security modules (HSMs) while staying within PCI compliance have become an ever present and inescapable reality for the payment industry, banks and financial services companies.

This article explains what a payment HSM-is, the need for it to be within PCI compliance under PCI Hardware Security Module (HSM) and the importance of being PCI-HSM-certified and ask if the distinction between this a General purpose HSMs is still timely

What is a Payment HSM?

The payment industry, banks and financial services companies rely on specialized payment HSM-to securely a number of functions:..

  • Verifying user-entered PIN against reference PIN held by card issuer
  • Verifying debit/credit card transactions by conducting host processing duties for EMV-based transactions or checking CSVs
  • Supporting a crypto-API with an EMV
  • Re-encrypting a PIN block to be sent another authorization host
  • Performing secure key management
  • Supporting POS ATM network management protocol
  • Supporting host-host key/data exchange API standards
  • Generation and printing of “PIN mailer”
  • Generating PVV and CVV data for magnetic stripe cards
  • Generating a card keyset and supporting the smart card personalization process

Why Hardware Security Modules?  Advantages

A hardware security module (HSM) is a piece of computer hardware that can be added to a computer or network server. It is typically made in the hardware form of an external device that can be connected via cable or as a card that can be installed inside a computer or service. As a norm, these devices do not feature a standard API.

An HSM’s function is to protect and manage digital keys for strong authentication with specialized functions that are required for processing transactions and general-purpose functions. It is used primarily to support transaction authorizations and payment card personalization by performing such activities as mentioned in previous para.

HSMs are normally kept within secure environments. Additional external physical security precautions and protections are required to prevent unauthorized access that would jeopardize the nature of the HSM’s secure functions.

The PCI Security Standard

Financial institutions composed a decade ago, a security standard to provide a set of best practices helping to keep customers data secure. The standard is not a theoretical work, it is proven by practice - every line of it. If you perform all procedures required by that standard, you can reach a relatively good level of security. Indeed, it does not mean, you don't have to think…you still always need to keep your mind on security!

Nowadays, security requirements that are dictated by PCI are high. All security-related devices and tools and software must meet these requirements. HSM-based payment servers are required to meet the security requirements for PCI compliance as set by the Payment Card Industry Security Standards Council. The PCI Hardware Security Module (HSM) was developed from existing ISO, ANSI and Federal standards along with generally accepted and known best practices that are recognized by the financial industry as applicable to multi-chip devices that have robust security and assurance features, this including standards for:

  • Physical security
  • Logical security
  • Device security during manufacturing
  • Device security between manufacturer and initial key loading

Why is PCI-HSM Certification Critical?

If we have some standards, we must also have some tools and practices to ensure that the devices or software meet requirements. Those practices and tools need to be applied to any vendor productions. Those tools and practices are a part of process named “the certification.” The certification process is a long procedure, and includes the following steps:

  1. A device (in our case - I HSM) that is built to detailed specifications
  2. A device should pass all tests 
  3. A device should be able to resist any possible attacks (in case of an EMV payment card - more than 80 types of attack)

This is a really hard work. In fact, the independent laboratory doing these tests develops a significant part of the user’s security. But after completion, the final user can be sure that he is buying a really good product that meets a high degree of security requirements.

Processing card payments requires an extreme level of security to prevent breaches that jeopardize both customers’ personal information and the security of the payees’ information systems. The PCI-HSM was the first document to address this issue back in April 2009, as it defined a set of payment industry-specific logical and physical security standards for HSMs. The PCI HSM specification was updated further in May 2012.

In addition to this, there has been a lot of M&A activity in the payment HSM market. Old technology platforms are being phased out, new ones introduced. 

Banks, Insurance providers, service provider to either and Fintechs to stay up to date, flexible and deal with the complexity of running legacy systems while saving costs - an almost impossible task. 

On top of this, they need to manage Identity and access management, cryptographic key management, use blockchains, go to the cloud and stay compliant. 

General Purpose HSMs 

Currently, most General Purpose HSMs adhere to the FIPS 140-2 security certification scheme developed by NIST to provide security assurance throughout the payments infrastructure.

Formally Defined Security Levels

Years ago, NIST created a formal definition of security assurance levels. Those levels are not fully adequate to current security landscape but are very well defined and practically proven. 

FIPS Levels 1-4

NIST’s FIPS 140-2 advocates for the highest level to be applied to the payment card industry, banks and financial services companies to ensure secure transactions. There are four levels in this security scheme, including:

  • Level 1. It is the lowest security that can be applied to a cryptographic module. The only basis for this level’s security is that it uses a cryptographic function.
  • Level 2. Modules under this level have tamper evidence as an additional security feature. The cryptographic device allows authorized operators to open the seals and access the keys after successfully authenticating.
  • Level 3. This security level is measured through tamper detection and response, enhanced protection for private key pairs and identity-based authentication. 
  • Level 4. This is the highest level security and the one that applies to HSM-based devices for payments. In order to be certified as a Level 4 device, the model must be tamper-resistant and provide environmental failure protection for such conditions as voltage or temperature.

The Future of Payment vs general Purpose HSMs - or both? 

From a Bank, financial service provider or software provider in the industry, an ideal HSM would be able to do both: payment and General Purpose functionality. 

What would it take to make this possible ? 


For now, the need for PCI-HSM certification is critical to remain PCI compliant with HSM-based payment systems and keep up with market developments. Certification of Payment HSMs provides the ability to maintain the integrity of credit and debit card transactions for the payment card industry, banks and financial services companies. As the payment processing industry continues to evolve in response to growing security concerns, HSM-based payment servers and payment servers will need to continue to evolve to address those concerns.

About the author

Ulrich Scholten is an internationally active entrepreneur and scientist. He holds a PhD in information technology and owns several patents on cloud-based sensors. His research on cloud computing is regularly published in highly rated journals and conference papers. From 2008 - 2015, he was associated research scientist at the Karlsruhe Service Research Institute (KSRI), a partnership by KIT and IBM, where he researched network effects around web-platforms together with SAP Research.

To find more blog posts related with below topics, click on one of the keywords:

How can we help you?

Talk to one of our specialists and find out how Utimaco can support you today.