The banking and financial services industry is challenged, for example by PSD2. On top of this, it needs to manage identity and access management and cryptographic key management, use blockchains, move to the cloud and stay compliant.
Technology, for example for payment HSMs, is continually evolving. New challenges appear and must be responded to. Because payment systems are unique, hardware vendors often struggle to keep up with market developments. The need to implement modifications to existing hardware security modules (HSMs) while staying within PCI compliance has become an ever-present and inescapable reality for the payment industry, banks and financial services companies.
This article explains what a payment HSM is, why it must remain PCI compliant under the PCI Hardware Security Module (HSM) standard and why PCI HSM certification matters, and asks whether the distinction between payment HSMs and general-purpose HSMs is still timely.
The payment industry, banks and financial services companies rely on specialized payment HSMs to securely perform a number of functions:
A hardware security module (HSM) is a piece of computer hardware that can be added to a computer or network server. It is typically built as an external device connected via cable, or as a card installed inside a computer or server. As a norm, these devices do not feature a standard API.
An HSM’s function is to protect and manage digital keys for strong authentication, providing both the specialized functions required for processing transactions and general-purpose cryptographic functions. It is used primarily to support transaction authorizations and payment card personalization by performing the activities listed above.
HSMs are normally kept within secure environments. Additional external physical security precautions and protections are required to prevent unauthorized access that would compromise the HSM’s secure functions.
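The keys-inside-the-boundary property described above, as an added example that is not part of this article or of any vendor's product: a simplified Python model of an HSM in which the host application only ever holds opaque key handles, each key is locked to one declared usage, and a tamper event zeroizes everything. The class and method names, the key-usage labels and the transaction record are constructed for illustration; real payment HSMs expose vendor- or standard-specific command sets rather than this interface.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class HsmPolicyError(Exception):
    """Raised when a caller asks the module to misuse a key or use a dead module."""


@dataclass
class _KeyRecord:
    material: bytes   # never returned to the caller
    usage: str        # "mac" (transaction authentication) or "kek" (key-wrapping)


class ToyPaymentHsm:
    """Constructed, simplified model of the HSM boundary (not a real product).

    Key material is created and held inside the object; callers only ever get
    opaque handles back, and each key may be used only for its declared purpose.
    """

    def __init__(self) -> None:
        self._keys: dict[str, _KeyRecord] = {}
        self._tampered = False

    def generate_key(self, usage: str) -> str:
        if usage not in ("mac", "kek"):
            raise HsmPolicyError(f"unknown key usage {usage!r}")
        handle = "key-" + secrets.token_hex(4)
        self._keys[handle] = _KeyRecord(secrets.token_bytes(32), usage)
        return handle  # only the handle crosses the boundary

    def _require(self, handle: str, usage: str) -> _KeyRecord:
        if self._tampered:
            raise HsmPolicyError("module zeroized after tamper event")
        rec = self._keys.get(handle)
        if rec is None:
            raise HsmPolicyError("unknown key handle")
        if rec.usage != usage:
            raise HsmPolicyError(f"key {handle} is a {rec.usage} key, not {usage}")
        return rec

    def mac_transaction(self, handle: str, message: bytes) -> bytes:
        """Authenticate a transaction record under a MAC key held inside the module."""
        rec = self._require(handle, "mac")
        return hmac.new(rec.material, message, hashlib.sha256).digest()

    def verify_transaction(self, handle: str, message: bytes, tag: bytes) -> bool:
        """Constant-time comparison so the host learns only pass/fail."""
        expected = self.mac_transaction(handle, message)
        return hmac.compare_digest(expected, tag)

    def tamper_event(self) -> None:
        """Model the physical-security response the article refers to: zeroize all keys."""
        self._keys.clear()
        self._tampered = True


def demo() -> dict:
    """Exercise the boundary model on a constructed transaction record."""
    hsm = ToyPaymentHsm()
    mac_key = hsm.generate_key("mac")
    kek = hsm.generate_key("kek")
    # Constructed sample record; a real host would send a message in a payment format.
    record = b"PAN=************1111|AMT=1250|CUR=EUR|TS=2024-01-01T00:00:00Z"
    tag = hsm.mac_transaction(mac_key, record)
    altered = record.replace(b"AMT=1250", b"AMT=9999")
    results = {
        "verify_ok": hsm.verify_transaction(mac_key, record, tag),
        "verify_altered": hsm.verify_transaction(mac_key, altered, tag),
        "wrong_usage_blocked": False,
        "usable_after_tamper": True,
    }
    try:
        hsm.mac_transaction(kek, record)   # a wrapping key must not MAC transactions
    except HsmPolicyError:
        results["wrong_usage_blocked"] = True
    hsm.tamper_event()
    try:
        hsm.verify_transaction(mac_key, record, tag)
    except HsmPolicyError:
        results["usable_after_tamper"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The host never sees the 32 bytes of key material, only the handle string; that separation, together with usage enforcement and zeroization on tamper, is what the hardware and the certification regime described in this article are meant to guarantee.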
A decade ago, financial institutions composed a security standard providing a set of best practices to help keep customer data secure. The standard is not theoretical work; every line of it is proven by practice. If you perform all the procedures the standard requires, you can reach a relatively good level of security. That does not mean you no longer have to think: you still always need to keep your mind on security!
Nowadays, the security requirements dictated by PCI are high. All security-related devices, tools and software must meet these requirements. HSM-based payment servers are required to meet the security requirements for PCI compliance as set by the Payment Card Industry Security Standards Council. The PCI Hardware Security Module (HSM) standard was developed from existing ISO, ANSI and Federal standards, along with generally accepted best practices recognized by the financial industry as applicable to multi-chip devices with robust security and assurance features, including standards for:
If we have standards, we must also have tools and practices to ensure that devices or software meet their requirements. Those practices and tools need to be applied to every vendor’s products. They are part of a process named “the certification.” The certification process is a long procedure and includes the following steps:
This is really hard work. In fact, the independent laboratory doing these tests develops a significant part of the user’s security. But after completion, the final user can be sure they are buying a really good product that meets a high degree of security requirements.
Processing card payments requires an extreme level of security to prevent breaches that jeopardize both customers’ personal information and the security of the payees’ information systems. The PCI-HSM was the first document to address this issue back in April 2009, as it defined a set of payment industry-specific logical and physical security standards for HSMs. The PCI HSM specification was updated further in May 2012.
In addition to this, there has been a lot of M&A activity in the payment HSM market. Old technology platforms are being phased out, new ones introduced.
Banks, insurance providers, service providers to either, and fintechs must stay up to date, remain flexible and deal with the complexity of running legacy systems while saving costs – an almost impossible task.
Currently, most general-purpose HSMs adhere to the FIPS 140-2 security certification scheme developed by NIST to provide security assurance throughout the payments infrastructure.
Years ago, NIST created a formal definition of security assurance levels. Those levels are not fully adequate to the current security landscape, but they are very well defined and practically proven.
NIST’s FIPS 140-2 advocates for the highest level to be applied to the payment card industry, banks and financial services companies to ensure secure transactions. There are four levels in this security scheme, including:
From the perspective of a bank, financial service provider or software vendor in the industry, an ideal HSM would offer both payment and general-purpose functionality.
What would it take to make this possible?
For now, PCI HSM certification remains critical to staying PCI compliant with HSM-based payment systems and keeping up with market developments. Certification of payment HSMs provides the ability to maintain the integrity of credit and debit card transactions for the payment card industry, banks and financial services companies. As the payment processing industry continues to evolve in response to growing security concerns, HSM-based payment servers will need to continue to evolve to address those concerns.