
PCI DSS – Physical Security Requirements for HSMs

November 09, 2020

Organizations rely heavily on the internet for their business workflows. Because of this increased exposure, they face new threats on a daily basis, which dictates the incorporation of cryptographic services.

In the past, malicious adversaries targeted corporate sectors such as finance and banking, but today every platform is targeted. Hence the protection of user data and information has been highlighted in every business sector. A vital element used to address some of these security issues is the HSM. PCI SSC has mandated the inclusion of HSM as a part of PCI DSS compliance.

This article covers the physical security requirements for HSMs.

Hardware Security Module (HSM)

An HSM is a dedicated physical computing device that is responsible for secure key life cycle management and for providing accelerated cryptographic operations. Corporate organizations and banks have expanded their businesses around the world through e-commerce.

HSMs are widely deployed by enterprises to protect clients' sensitive information and business transactions. The HSM is the security component that acts as the backbone of the organization's cryptographic infrastructure. It protects the cryptographic keys at every phase from generation to destruction, which includes the physical security of cryptographic keys and sensitive data against unauthorized access and adversaries.

The tasks performed by HSM can be categorized as:

  • Hardware-based secure key generation & management (storage, distribution, backup, and destruction)
  • Protection (Physical & Logical) of sensitive data and cryptographic key material
  • Accelerated Crypto (Symmetric/Asymmetric/Hash) Operations

PCI SSC & PCI DSS

PCI SSC (Payment Card Industry Security Standards Council) is a governing body established in September 2006 as a joint venture by MasterCard, American Express, Visa, JCB International and Discover Financial Services. It holds the mandate of managing the development in PCI and alignment of the company’s policies to PCI DSS (Payment Card Industry Data Security Standard).

PCI DSS is an information security standard intended to prevent credit card scams and numerous additional security threats and vulnerabilities. Credit and debit card providers such as MasterCard and Visa implement the mechanisms and security controls specified and suggested in PCI DSS. The entities that store, process and transmit card information also implement PCI DSS. The importance of the HSM can be seen from the fact that it has been defined as a role and mandatory component for PCI DSS compliance.

Physical Security Requirements for HSMs

PCI SSC mandates the following physical security requirements for HSMs:

a. Tamper Detection and Erasure

HSMs hold cryptographic keys and sensitive data, and the main aim is to keep this material from falling into the wrong hands. The HSM must implement security mechanisms (tamper switches, zeroization circuitry and firmware) that automatically erase and zeroize all clear-text secret information in such a way that it is impossible to recover.

b. Multiple Security Mechanisms for One Threat

One important factor that the HSM design must account for is that the failure of a single security mechanism does not compromise the security of the whole HSM. There must be at least two security mechanisms for protection against a particular threat.

c. Physical Tamper Evidence

The HSM must include controls for visible tamper detection that can prove physical penetration of the device. Specially designed tamper stickers that are impossible or very hard to reproduce are placed on the HSM's opening screws and accessories. This protective measure is used not only to deter the attacker but also to prevent HSM users or other staff from intentionally or accidentally opening the device. The air intakes and vents must also be designed so that it is impossible to probe the HSM from the outside.

d. EMI/EMC Secure

The HSM design must ensure that the device is secure with respect to electromagnetic interference (EMI) and electromagnetic compatibility (EMC). There should be no practical way to deduce any sort of sensitive information from power consumption or electromagnetic emissions.

e. Impossible to Replicate / Fabricate

The HSM design must guard against substitution and cloning attacks. Cloning an HSM means successfully extracting the HSM key and backup partition from a compromised or stolen HSM and replicating them into a full-fledged separate HSM. There should be no practical way to duplicate or refabricate the device from accessories and components that are commercially available.

f. Separation of Cryptographic Boundary

The HSM design should strictly segregate the normal HSM device boundary from the cryptographic boundary. The reason for this is to ensure that there is no chance that the core crypto module holding the CSPs (Critical Security Parameters) is exposed during maintenance or service of the HSM. Sensitive information must only be handled in the protected areas of the HSM, so that it is not prone to accidental or intentional modification or substitution.

g. Detailed Security Policy for HSM Management

The HSM vendor must provide a detailed security policy that addresses the proper use of the HSM, key management mechanisms, administrative functionalities, and environmental requirements. The security policy must include all the roles supported by the HSM and illustrate the permissions of each designated role. All the approved functions and operations performed by the HSM must be documented in the security policy, and the HSM should not include any hidden feature or functionality.

h. Resistant to Environmental Conditions

The security of the HSM must be resistant to changes in operational and environmental conditions, including but not limited to heat/temperature, humidity and operating voltage.
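Requirements (a), (b) and (h) meet in the tamper-response logic. The following is an added example, not code from this article or from any HSM vendor: a small C simulation in which two independent penetration sensors or an out-of-range environmental reading trigger zeroization and a latched tamper state. All names, the sensor layout and the temperature and voltage limits are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

#define KEY_SLOTS 4
#define KEY_BYTES 32

/* Hypothetical sensor snapshot; field names and limits are constructed. */
struct sensors {
    bool lid_switch_open;  /* tamper switch on the enclosure */
    bool mesh_broken;      /* second, independent penetration sensor */
    int  temp_c;           /* temperature, degrees Celsius */
    int  supply_mv;        /* operating voltage, millivolts */
};

enum hsm_state { HSM_OPERATIONAL, HSM_TAMPERED };

struct hsm {
    enum hsm_state state;
    uint8_t keys[KEY_SLOTS][KEY_BYTES];  /* clear-text key material */
};

/* Overwrite through a volatile pointer so the compiler cannot drop the
 * stores as dead writes, which it may do with a plain memset(). */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Any single sensor is enough to trigger. Penetration is covered by two
 * independent mechanisms (switch and mesh); out-of-range temperature or
 * voltage is treated as an attack on the operating environment. */
static bool tamper_condition(const struct sensors *s)
{
    return s->lid_switch_open || s->mesh_broken ||
           s->temp_c < -20 || s->temp_c > 85 ||
           s->supply_mv < 3000 || s->supply_mv > 3600;
}

/* Poll once. On tamper: erase every slot, then latch the state. The latch
 * is never cleared here, so a later normal reading does not revive it. */
enum hsm_state hsm_poll(struct hsm *h, const struct sensors *s)
{
    if (h->state == HSM_TAMPERED || tamper_condition(s)) {
        secure_zero(h->keys, sizeof h->keys);
        h->state = HSM_TAMPERED;
    }
    return h->state;
}

/* Key use is refused once tampered: returns NULL instead of a key. */
const uint8_t *hsm_get_key(const struct hsm *h, unsigned slot)
{
    if (h->state != HSM_OPERATIONAL || slot >= KEY_SLOTS) return NULL;
    return h->keys[slot];
}

/* True when every key byte is zero (used to verify the erase). */
bool hsm_keys_erased(const struct hsm *h)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_SLOTS; i++)
        for (size_t j = 0; j < KEY_BYTES; j++) acc |= h->keys[i][j];
    return acc == 0;
}
```

In a real device the erase is driven by dedicated circuitry that works even without main power; the software path here only illustrates the decision logic and the latch.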

Conclusion

The HSM is a vital security component used for the protection of business transactions and user information. Since the PCI SSC has mandated the inclusion of HSM as a mandatory feature for PCI DSS compliance, the physical security requirements of HSMs have also gained importance.

This article summarized and highlighted the core physical security requirements of HSM as per the directions of PCI SSC & PCI DSS.


