Below is a list of criteria for selecting an HSM. Because the choice of Hardware Security Module depends on the specific application it is used for, I would like to make some general recommendations by listing criteria to take into account, irrespective of what you intend to use it for.
Some technical factors:
Conclusion: Choose the API that is compatible with your use case and operating system. If you are using a Microsoft OS, choose CNG. If you are using an application that supports PKCS#11, choose PKCS#11. Ask for guidance on integration or how-to guides.
Form factor:
Network-attached HSMs: For larger-scale deployments, particularly where multiple applications/servers/clients need to utilize HSM services.
Embedded HSM (PCIe card): This is a cheaper product than a network-attached HSM. Note that this type of solution requires greater processing power to run multiple applications simultaneously.
One final important factor to consider:
Cost: What about the cost per unit(s)? What about the cost for support and maintenance? What is included in the unit pricing? Do you pay per API, etc.?
Lead time: Be realistic! If you feel you need an HSM immediately, you are probably underestimating the complexity of an HSM. HSMs are not mass-produced; a certain amount of time is required to manufacture HSMs to ensure quality.