The Payment Card Industry Security Standards Council (PCI SSC) is a joint initiative of the major payment card brands worldwide (Visa, MasterCard, American Express, Discover and JCB). It was launched on September 7, 2006 to manage the evolution and security of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. It is important to note that the acquirers and payment brands, not the PCI council, are responsible for enforcing compliance.
The PCI DSS is an overarching standard that applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational components that are included in or connected to the systems that touch cardholder data. If you accept or process payment cards in any shape or form, you must follow the standards defined in PCI DSS.
The PCI PTS is a set of security requirements that applies to the manufacturers of devices used for payment card financial transactions. The requirements cover the design and manufacture of a device and its transport to the entity that deploys it. Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC.
The PA-DSS is for software vendors and others who develop payment applications that store, process or transmit cardholder data and/or sensitive authentication data. Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC.
All payment HSM vendors must comply with the standards defined in PCI PTS HSM in order to design a compliant and secure hardware security module and process payment transactions. A PCI PTS certified HSM is the key to allowing its users to achieve PCI DSS compliance.
The PCI PTS HSM standards are categorized into two sections, Physical and Logical Security. Some of the requirements that define the physical security of the HSM are derived from requirements in Federal Information Processing Standard 140-2 (FIPS 140-2). The certification ensures an active tamper response mechanism that zeroizes secret and private keys in the event of a penetration or side-channel attack.
The PCI HSM standard covers the lifecycle of the HSM up to the point of its first delivery to the initial point of deployment facility. Subsequent stages of the HSM’s lifecycle continue to be of interest to PCI and are controlled by other PCI standards.
The PCI HSM security requirements are derived from existing ISO, ANSI and NIST standards, together with accepted good practice recognized by the financial payments industry. The requirements are classified into four different Evaluation Domains:
The Utimaco HSMs are designed on the basic principles defined by the PCI Council, ISO, NIST and ANSI. This includes: