
Why blockchains need to be auditable for business adoption

November 09, 2020

Blockchain has become one of the biggest technological surges of this century. It has been, and still is, primarily used by individuals for unregulated financial transactions. However, if blockchain is going to live on and have a lasting impact, it will need to be adopted by businesses.

In this article we’ll be discussing why blockchains need to become auditable, and how this functionality will promote a wider development of this emerging technology.

Financial transactions are the most popular and intuitive use of blockchain. If businesses intend to use it for that purpose, the transactions must be auditable, so that their validity and integrity, and compliance with regulations, can be confirmed.

Several functionalities and features of blockchain make it capable of being audited, but certain things also stand in the way. Businesses must meet substantial standards in order to satisfy banking and PCI requirements, and these must be taken into account when considering blockchain adoption.

Blockchain features enabling auditing

Strictly speaking, blockchain transactions can be verified for auditing already.

Here are some features that enable this verification.

Visibility & distribution

All transactions on a blockchain are visible to the nodes in the network (although not necessarily the data in the transactions). Visibility makes it easy for auditors to view and verify transactions almost immediately. Distribution means that all nodes have a copy of the data, so there is no need for auditors to spend time reconciling databases.

Cryptography

Blockchain is built on cryptography: hash functions link blocks together and digital signatures validate transactions. The same primitives can also be used to verify files and data. A hash cannot be reversed to recover its input, but data can be checked against a recorded hash. For example, if an invoice was recorded on a blockchain as a hash, verifying that the invoice matches the company’s records means hashing the file from the records and comparing the output with the hash existing on the chain. This keeps the data itself confidential while still letting entities with the proper knowledge and permission verify it.

Immutability

One of the reasons that blockchain is so well suited for virtual currencies is that nothing in the ledger can be altered. If auditors trust the validators of the information on the chain, then there is no need to worry about transactions having been deleted or tampered with.
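The two properties above, a recorded hash that lets an auditor verify a document without exposing it, and hash-linked blocks whose alteration is detectable, are illustrated by the following toy ledger. This is an added example, not Utimaco’s code or any real blockchain implementation; the invoice text and block layout are constructed for the illustration.

```python
import copy
import hashlib
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as hex; the one-way function that commits data to the chain."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str       # hash of the preceding block (links the chain)
    records: list        # document hashes committed in this block, not the documents

    def hash(self) -> str:
        # Canonical JSON so the same content always hashes the same way.
        payload = json.dumps(
            {"index": self.index, "prev": self.prev_hash, "records": self.records},
            sort_keys=True,
        )
        return sha256_hex(payload.encode())


def build_chain(record_sets):
    """Append one block per record set, each pointing at the hash of the last."""
    chain, prev = [], "0" * 64           # genesis block has no predecessor
    for i, recs in enumerate(record_sets):
        block = Block(i, prev, list(recs))
        chain.append(block)
        prev = block.hash()
    return chain


def chain_is_intact(chain) -> bool:
    """Auditor's integrity check: every block must point at the real hash of its predecessor."""
    return all(chain[i].prev_hash == chain[i - 1].hash() for i in range(1, len(chain)))


def invoice_matches_chain(invoice: bytes, chain) -> bool:
    """Hash the copy held in the company's records and look for that digest on the chain."""
    digest = sha256_hex(invoice)
    return any(digest in block.records for block in chain)


def tamper_is_detected(chain, block_index: int, new_records: list) -> bool:
    """Alter one block's records on a copy and report whether the link check catches it."""
    forged = copy.deepcopy(chain)
    forged[block_index].records = list(new_records)
    return not chain_is_intact(forged)


# Constructed sample: the chain stores only the invoice's hash, never the invoice.
INVOICE = b"INV-0001;2020-11-09;ACME Ltd;1250.00 EUR"
CHAIN = build_chain([[], [sha256_hex(INVOICE)], []])
```

Because the chain holds only the digest, an auditor with the invoice can confirm it, while nodes that merely hold the ledger learn nothing about its contents.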

These are a few features common across blockchains that make them well suited and ready to be audited; however, other factors also come into play when auditing for regulatory compliance.

Difficulties auditing blockchains

If this technology is going to be used for financial purposes it must be compliant with the Payment Card Industry Hardware Security Module (PCI HSM) and Data Security Standard (PCI DSS) requirements. The PCI HSM standards demand measures such as the inability to glean sensitive information from system characteristics (power consumption, electromagnetic emissions, etc.). All cryptographic keys must be used for only one function, and random number generators must be unpredictable. Essentially, these standards require the hardware in contact with customer card data to be sufficiently secure. The PCI DSS requirements cover 6 areas, including building and maintaining a secure network and systems, protecting data, regularly monitoring and testing networks, and having an information security policy.

These terms of compliance are extensive, and they are one more thing to think about for companies attempting to integrate new technology like blockchain. Here are the factors that make it less than easy for businesses to utilize blockchains and remain compliant.

Visibility & distribution

One of blockchain’s strengths is also a weakness. Because every transaction on the network is visible to all nodes on the network, keeping data private has to be done via encryption. The PCI standards are very strict about controlling who has access to sensitive data and about the security keeping that data safe, so in order for blockchain to be used in compliance with these standards there is a lot of work to be done regulating network visibility and access.

Decentralization

While decentralization is fundamental to blockchain both architecturally and dogmatically, it is a weakness when it comes to auditing. It is easiest to verify and check for compliance when all the information being evaluated is centralized in one place, and that is not how blockchains work. However, on most blockchains each node contains a complete copy of the ledger, identical to the copy held by any other node. To explore and verify transactions on large public blockchains there are websites where transfers, contracts, nodes, miners, decentralized applications, and anything else existing on the chain can be viewed. Presuming that auditors trusted these websites, they could be a useful tool in the auditing process. Decentralized hardware (such as allowing any node with the correct hardware to mine on the network) could also be an issue, but if a business was using a proof-of-authority blockchain and had all the mining nodes centralized, then the hardware that needs to be checked could all be in one location for easy audit access.

Lack of user authentication

The security of a system or process depends strongly on the confidence in the identity of the people logging into the system and conducting the transactions. Consequently, the authentication of users is also an area that needs to be auditable and non-repudiable.

Lack of architecture standardization

Blockchains share characteristics and functionalities, but they come in all shapes and sizes and there is no standardization of how blockchains are constructed. This includes how blocks are validated, what type of hardware is needed for different roles in the network, and other things that are incredibly important for auditing and checking for regulation compliance. To allow for these checks there will need to be standards which can be tested across companies so that auditors don’t have to learn all the nuances of a new unique chain each time they audit a different company.

Lack of hardware standardization

As with architecture, the underlying hardware needed for different roles in a distributed network varies. The PCI HSM requirements are extensive, and in order for businesses using blockchain to be compliant there will need to be some industry-wide standardization. Without it we will run into the same problems as with the lack of architecture standardization: auditors will have to adapt to and assess hardware on a per-company basis.

Conclusion

While blockchain holds a lot of potential for businesses, particularly with finances, we’re still in the experimentation phase of this technology. Banking and PCI requirements are extensive and necessary to keep customer and company data safe, and if blockchain is going to become widely adopted it needs to enable and facilitate auditing to meet the requirements, not hinder it.

This series tries to shed light on important security-related aspects of blockchains and discusses some of the currently emerging loopholes. The first article looks at expected developments in blockchain technology during the next 10 years. In this 2nd article we argue why blockchains will need to be auditable for successful business adoption. The 3rd article discusses how the digital signature regulation eIDAS can help make blockchains auditable.
