The HSM is a vital component in guaranteeing the secrecy and integrity of the information in business transactions. HSMs are appropriately secured throughout their entire lifecycle to help instill trust in the authenticity of those transactions. Since the release of PCI PIN Transaction Security (PTS) Hardware Security Module (HSM) version 3 in June 2016, companies have started working on v3-compliant HSMs, which are necessary to meet security and legal obligations.
PCI PTS HSM started with version 1.0, which was released in April 2009. After the release of version 1.0, hundreds of cryptographic module and HSM vendors complied with this standard and had their devices validated against v1.0. The updated version 2.0, which was publicly released in May 2012, has been used less since the introduction of version 3.0. This article gives merchants a rundown of the distinctive critical security requirements against which their HSMs will be evaluated to become PCI PTS HSM version 3.0 certified.
The distinctive requirements between PCI PTS HSM v2.0 and v3.0 are
Key Loading covers functionality requirements that must be met by devices that perform key injection of either clear-text or enciphered keys or their components.
The detailed requirements of key loading are:
HSMs are mostly deployed in data centers that are physically secured by many access control mechanisms. Remote administration of HSMs is therefore a basic requirement, ranging from basic device management functions, such as checking the status and upgrading firmware, to advanced operations such as device configuration and key-loading services.
There is always a need for improvement in security. Since the release of PCI PTS HSM version 3.0, vendors have been swiftly bringing their devices into compliance with the latest standard. The updated v3.0 standard emphasizes the requirements for key-loading devices and HSM remote administration, from basic device management functions to advanced operations.