Corporate organizations and banks have expanded their businesses around the world by using e-commerce which is secured by various security services such as encryption, decryption and strong authentication between identities and applications. Main cryptographic security control for the protection of business transactions is the Hardware Security Module (HSM).

Enterprises deploy HSMs for the protection of clients and business transactions. HSM is explicitly considered to guard the lifecycle of the crypto key at every phase. Logical and physical security of cryptographic keys from adversaries and unauthorized practice is managed by HSM. The importance of HSM can be understood from the fact that its deployment is a mandatory requirement for PCI DSS validation. This article enlightens the expiry of version 1.0 of the PCI PTS HSM validation and the latest standard available version 3.0.

PCI SSC & PCI DSS

PCI SSC (Payment Card Industry Security Standards Council) is a governing body established in September 2006 as a joint venture by MasterCard, American Express, Visa, JCB International and Discover Financial Services. It holds the mandate of managing the development in PCI and alignment of company’s policies to PCI DSS (Payment Card Industry Data Security Standard) which is an information security standard to prevent credit card scams and numerous additional security threats & vulnerabilities. Credit/Debit card provider companies/corporations such as MasterCard and Visa etc. implement the mechanism and security controls specified and suggested in the PCI DSS. The entities that store, process and transmit the card information also implement PCI DSS.

PCI PTS and Validation of HSMs

Since the HSM are the most vital component responsible for the data confidentiality and/or integrity of business transactions, the security of the whole business is on stake if then HSM is compromised. PCI SSC has presented requirements for HSMs during their entire lifecycle (manufacturing, delivery, usage, and decommissioning) which should be accorded by the HSM vendors referred as PCI PTS (Pin Transaction Security) HSM “Modular Security Requirements”.

PCI PTS are operational/technical security requirements for the protection of cardholder data. All the organizations which store, process or transmit cardholder data must comply with this standard. The main intent of these requirements is not to eliminate the possibility of business frauds, but to diminish its probability and limit its significance.

It enlists all the security requirements against which an HSM will be evaluated in order to obtain PCI PTS HSM device accreditation/approval. HSM supports a variety of applications such as cardholder authentication, payment processing and cryptographic key management etc.

Expiry of PCI PTS HSM Version 1.0

PCI PTS HSM version 1.0 was released in April 2009 and various HSMs and cryptographic modules were validated against this standard. But general public was issued by PCI SSC stating that the approval of devices which were validated against the PCI PTS HSM version 1.0 has been expired on 30 April 2019.

Since the HSM validations were carried out on very old version 1.0 of PCI PTS HSM, hence the HSM devices may not be able to withstand the latest generations of attacks and should therefore be replaced by the HSMs with latest standard validation as soon as feasible.

The PCI SSC website also maintains the list of approved PTS devices and the obsolete devices have also been removed from the approved list.

PCI SSC has also recommended the financial institutions, merchants, vendors (every point where the HSMs are being manufactured or used) and users of PTS HSM v1.0
devices to coordinate with their support for the provisioning of the latest approved HSM models.

PCI PTS HSM Version 3.0

PCI PTS HSM version 3.0 is the latest standard which was released in June 2016. It proposes the

following domains as per the PCI PTS HSM  requirements and validation:

1. PIN processing
2. Card verification
3. 3-D Secure
4. EFTPOS
5. Card production and personalization
6. ATM interchange
7. Data integrity
8. Cash-card reloading
9. Key generation
10. Chip-card transaction processing
11. Key injection

Since the inception of these requirements, they are being used as the minimum acceptable criteria because the PCI has defined these requirements using a risk-reduction methodology that identifies the associated benefit when measured against acceptable costs to design and manufacture HSM devices. All the specified requirements are derived from the current ANSI, ISO and NIST standards which are already known/accepted as best practices by the financial payments industry.

References and Further Reading

• Read more articles on PCI HSM Security Requirements (2018 – today) by Asim Mehmood, Martin Schmidt, Utimaco and more
• PIN Transaction Security (PTS) Hardware Security Module (HSM) –
  Summary of Requirements Changes from Version 2.0 to 3.0 (2016), by the Payment Card Industry (PCI)
• Payment Card Industry (PCI) Hardware Security Module (HSM) Security Requirements, Version 1.0 (April 2009), by the Payment Card Industry (PCI)