PCI DSS technological requirements for Certified Devices

November 09, 2020

The Payment Card Industry Data Security Standard (PCI DSS) was created by the major credit card companies to serve as a guide for merchants who store, process, and transmit credit card data, steering them toward more rigorous security measures.

The Payment Card Industry Data Security Standard (PCI DSS) defines a broad security baseline with which all financial institutions are required to comply. Some financial institutions process a small number of credit card transactions per year, while others process more than 6 million.

Institutions that process large volumes, such as issuing banks, are obligated to fulfil the PCI DSS requirements, which span the technological and environmental resources needed to safeguard clients' information.

On the technological side, the greatest asset for an issuing bank in this regard is a secure infrastructure with encryption capabilities.

The 12 PCI DSS requirements:

1. Install and maintain a firewall configuration to protect cardholder data:

Requirement 1 calls for, among other things, the installation of a firewall. Simply having a firewall is not enough: it must be configured for both inbound and outbound traffic, and it must also be set up across the different wireless networks.

2. Do not use vendor-supplied defaults for system passwords and other security parameters:

Attackers often use vendor-supplied default passwords to gain access and extract sensitive information; because these defaults are common knowledge, the password patterns are easily guessed. It is recommended to change the default password to a stronger one, or to delete the account, so that the default credentials cannot be used to gain access.

3. Protect stored cardholder data:

Requirement 3 stipulates that stored cardholder data must be protected by all available means. Protection methods to consider include encryption, hashing, truncation, and masking. Stronger protective measures should also be applied by identifying every system that holds cardholder data, including servers, laptops, and databases, and encrypting the data held there. Requirement 3.5 states that an organization handling clients' funds must protect the keys used to encrypt cardholder data against disclosure and misuse.
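As an added illustration of the four protection methods Requirement 3 names (this is example code written for this page, not Utimaco's or the PCI SSC's), the following Go program implements masking for display, truncation for storage, a Luhn check on input, and a keyed hash of the entire PAN. The sample PAN, the demo key, the record of first six/last four digits and the 13 to 19 digit length rule are assumptions of the example; in production the HMAC key would be generated and kept inside an HSM, which is what Requirement 3.5 asks for.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// validatePAN checks that the value is 13 to 19 ASCII digits (assumed PAN length range).
func validatePAN(pan string) error {
	if len(pan) < 13 || len(pan) > 19 {
		return errors.New("PAN must be 13 to 19 digits")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return errors.New("PAN must contain only digits")
		}
	}
	return nil
}

// LuhnValid reports whether the PAN passes the Luhn check digit, so that
// malformed input is rejected before it is stored or hashed.
func LuhnValid(pan string) bool {
	if validatePAN(pan) != nil {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN returns the display form: only the first six and last four digits
// are visible, every digit in between is replaced by '*'.
func MaskPAN(pan string) (string, error) {
	if err := validatePAN(pan); err != nil {
		return "", err
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:], nil
}

// TruncatePAN returns the fragment that may be stored (first six, last four);
// the middle digits are discarded and cannot be recovered from this value.
func TruncatePAN(pan string) (bin, last4 string, err error) {
	if err := validatePAN(pan); err != nil {
		return "", "", err
	}
	return pan[:6], pan[len(pan)-4:], nil
}

// HashPAN renders the entire PAN unreadable with HMAC-SHA-256. A keyed hash is
// used rather than a plain digest: once the BIN is known and the Luhn check digit
// is fixed, the remaining digits form a search space small enough to enumerate,
// so the secrecy of the key (held in an HSM in practice) is what protects the PAN.
func HashPAN(key []byte, pan string) (string, error) {
	if err := validatePAN(pan); err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil)), nil
}

func main() {
	pan := "4111111111111111"                        // constructed test number, not a real account
	key := []byte("constructed-demo-key-do-not-use") // in practice generated and kept in an HSM
	masked, _ := MaskPAN(pan)
	bin, last4, _ := TruncatePAN(pan)
	h, _ := HashPAN(key, pan)
	fmt.Println("luhn valid:", LuhnValid(pan))
	fmt.Println("masked:    ", masked)
	fmt.Println("truncated: ", bin, last4)
	fmt.Println("hmac:      ", h)
}
```

Note that the masked and truncated forms of a PAN, if both present, must not together reveal more than the first six and last four digits, and that the keyed hash should never sit next to an unkeyed hash of the same PAN.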

4. Encrypt transmission of cardholder data across open, public networks:

Requirement 4 of the Payment Card Industry Data Security Standard addresses the safe transmission of cardholder data from sender to receiver across open networks. Encryption and authentication protocols must be strong enough, and wireless networks must be configured correctly, because otherwise attackers can maneuver their way into the Cardholder Data Environment (CDE).

5. Use and regularly update antivirus software:

Malware such as Trojans, worms, and rootkits can easily enter an organization's network through everyday activities such as internet use, employee email, and removable storage hardware. Anti-virus software must be installed on every system to protect it against malware, and it must be updated regularly to cover new threats, since new viruses appear daily.

6. Develop and maintain secure systems and applications:

Requirement 6 focuses on applications that store, process, or transmit cardholder data. Compliance with this requirement is therefore mainly the responsibility of software developers and depends on the availability of the relevant IT services.

7. Restrict access to cardholder data by business need-to-know:

The principle behind this requirement is that the fewer the individuals with direct access to cardholder data, the lower the probability of a PCI DSS violation. Access should therefore be limited to people with a strong business reason to handle cardholder data. Taking these measures prevents deliberate or careless mishandling of cardholder data.

8. Assign a unique ID to each person with computer access:

Assigning a unique ID to every individual supports accountability in the event of a data breach. To comply with Requirement 8, every employee must be assigned a unique ID, and a robust process must be in place to manage the addition, modification, and deletion of IDs.

9. Restrict physical access to cardholder data:

Requirement 9 stipulates that physical access must be restricted for all onsite personnel, visitors, and media personnel. Onsite personnel include everyone who works as an employee of the company in any capacity. If physical access to the devices and systems that hold cardholder data is not restricted, data theft and data loss can follow.

10. Track and monitor all access to network resources and cardholder data:

Requirement 10 stipulates that the organization must put in place a system that tracks all activity on the network, so that in the event of a breach the activity logs can be used to trace its cause. A strong and reliable system should be able to generate a report from every log and interpret that report for further processing.

11. Regularly test security systems and processes:

To ensure that your organization is compliant with the PCI DSS, it is important to update the organization's security system regularly. This is the best way to achieve PCI DSS compliance: it confirms the required level of network protection in your system and ensures that no loopholes are left unattended during routine operations and information security procedures.

12. Maintain a policy that addresses information security:

Any information security policy must be in accordance with the PCI DSS, but at the same time it is important to create a comprehensive policy that addresses other regulatory and organizational requirements as well. Organizations whose information security policy is specific to PCI compliance alone will find it hard to maintain multiple policies and risk having policies that align with business processes.

HSM devices and certification requirement

For a bank to fulfil these requirements, especially 3.5 on the protection of encryption keys, it is imperative to implement hardware security modules (HSMs). These cryptographic modules differ in form and use: some are as small as removable flash drives, some are cards that sit in a PCI slot on the motherboard, and some are large external devices that must be installed in the data center.

HSM devices must meet the certification requirements of the Federal Information Processing Standard FIPS 140-2.

Banks must procure a certified device that has been through the Cryptographic Module Validation Program (CMVP), which gives assurance that the cryptographic functions the manufacturer claims for the device are implemented as approved by the federal government.

HSM devices perform a critical function as an independent third party for key generation and management. A master key is generated and kept safely isolated from other networks; it is then used to encrypt the data keys used in production, giving those keys bastion-host-style protection.

The HSM decrypts the keys and checks against its own records whether they originated from it. Network firewalls were designed mainly to verify and defend against layer 3 (network) attacks, and they can at times be compromised and tricked into treating illegitimate traffic or requests as coming from a trusted source. To counter this, the HSM independently verifies the origin of keys and certificates and decrypts them, since it is the device that created them.
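The master key and data key hierarchy described in the two paragraphs above, as an added example that is not Utimaco's code and does not use any HSM API: the master key is simulated in-process (in practice it never leaves the HSM), each record gets its own data encryption key wrapped under the master key, and the AES-GCM authentication tag on the wrapped key is what lets the unwrapping side verify that the key was produced by its own master key and for that record. The record IDs, key sizes and sample data are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the application database stores per record: the data key
// wrapped under the master key, and the record encrypted under the data key.
// Both fields carry their random nonce as a prefix.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// sealAESGCM encrypts plaintext with AES-256-GCM and binds aad to the ciphertext.
func sealAESGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAESGCM reverses sealAESGCM; a wrong key, wrong aad or any tampering fails the tag check.
func openAESGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// MasterKey stands in for the key held inside the HSM (simulated in-process here).
type MasterKey struct{ key []byte }

// NewMasterKey generates a fresh 256-bit master key.
func NewMasterKey() (*MasterKey, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &MasterKey{key: k}, nil
}

// EncryptRecord generates a per-record data key, encrypts the record under it,
// and wraps the data key under the master key. The record ID is bound into both
// layers as associated data so an envelope cannot be swapped onto another record.
func (m *MasterKey) EncryptRecord(recordID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := sealAESGCM(dek, plaintext, []byte("rec:"+recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealAESGCM(m.key, dek, []byte("dek:"+recordID))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord first verifies and unwraps the data key (this is the "did this
// key originate from me" check: a foreign master key or a modified wrapped key
// fails the GCM tag), then decrypts the record.
func (m *MasterKey) DecryptRecord(recordID string, env *Envelope) ([]byte, error) {
	dek, err := openAESGCM(m.key, env.WrappedDEK, []byte("dek:"+recordID))
	if err != nil {
		return nil, fmt.Errorf("wrapped key was not produced by this master key for record %s: %w", recordID, err)
	}
	return openAESGCM(dek, env.Ciphertext, []byte("rec:"+recordID))
}

func main() {
	mk, err := NewMasterKey()
	if err != nil {
		panic(err)
	}
	env, err := mk.EncryptRecord("rec-1", []byte("4111111111111111")) // constructed sample record
	if err != nil {
		panic(err)
	}
	pt, err := mk.DecryptRecord("rec-1", env)
	fmt.Printf("own master key:     %s (err=%v)\n", pt, err)
	other, _ := NewMasterKey()
	_, err = other.DecryptRecord("rec-1", env)
	fmt.Println("foreign master key:", err)
}
```

Because only wrapped data keys and ciphertext ever leave the key-holding component, a compromised application host or database exposes nothing usable without the master key, which is the separation the HSM provides in the real deployment.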
