Although we do not give much thought to hardware security modules (HSMs), they are a critical element of security in an organisation’s IT infrastructure used for securing sensitive data.

All HSMs securely generate and store cryptographic keys and can be used to perform cryptographic functions (such as encryption, decryption, signing and authentication). Different HSMs provide different levels of functionality and are approved to different security standards, but they can be considered in two main groups: General Purpose (GP) HSMs and Payment HSMs, the latter can also be referred to as Financial Service HSMs or Transaction HSMs.

The term Payment HSM refers to an HSM with a set of enhanced security features which are required to comply with various payment industry standards including the ones listed below. Payment HSMs enforce management under dual-control and offer the payment specific cryptographic commands which are required to ensure sensitive information never exists outside of the HSM. GP HSMs offer more general cryptographic commands which can return sensitive information to the software application.

To illustrate, consider that a software application needs to receive an encrypted PIN from company A and forward it to company B. It will need to decrypt it using key A and re-encrypt it using key B. Using a GP HSM, the software application would send two commands to the HSM – “decrypt this data using key A” and then “encrypt this data using key B”, and the software would see the clear-text PIN in the middle. Using a Payment HSM, the software would send one command – “translate PIN block from key A to key B”, and the clear-text PIN would never leave the HSM. The PCI PIN security requirements mandate the second method.

Which PCI standards require a Payment HSM?

The Payment Card Industry Security Standards Council (PCI SSC) maintain a number of standards covering security in the payment industry. The ones in the list below mandate the use of HSMs which are certified to PCI PTS HSM or FIPS 140-2 Level 3 (or higher). In addition to this, the requirements within these standards mean that the HSMs must provide functionality, which is specific to the Payment industry, hence the term Payment HSM.

  • PIN Security
  • P2PE
  • 3DS (ACS & DS)
  • Card Production
  • TSP
  • SPoC
  • CPoC

General Purpose HSM use cases

 A General Purpose HSM is very flexible and can be used in any application that uses cryptographic keys which doesn’t require the additional controls imposed by a Payment HSM. Examples include management of the symmetric keys used for database encryption, and management and use of the asymmetric keys used for the creation of digital signatures and certificates to support PKI (Public Key Infrastructure) and crypto wallets.

A General Purpose HSM will support compliance with numerous security standards including:

  • PCI 3DS (3DS Server)
  • GDPR
  • eIDAS

How does a General Purpose HSM work?

Typically, data encryption/decryption is performed by the software application using a symmetric key it retrieves from the HSM at start-up; all of the data is not passed through the HSM itself. A GP HSM is typically optimised for asymmetric cryptography as this is very time consuming when performed in the software application.

For more information on GP HSMs visit Utimaco’s page here.

Payment HSM use cases

A Payment HSM provides the tighter security controls mandated by certain payment industry standards. In these use cases, the software application cannot have access to sensitive data and keys, so the HSM not only performs the basic cryptographic functions, it also understands the format of the input data and generates the correctly formatted output data. Some of the Payment HSM use cases include:

  • PIN generation, management, and validation
  • PIN block translation during the network switching of ATM and POS transactions
  • Card, user and cryptogram validation during payment transaction processing
  • Payment credential issuing for payment cards and mobile applications
  • Point-to-point encryption (P2PE) key management and secure data decryption
  • Sharing keys securely with third parties to facilitate secure communications
  • Electronic funds interchange (EFTPOS, ATM)
  • Cash-card reloading
  • EMV transaction processing
  • Key generation and injection

A Payment HSM is optimised for high-volume symmetric encryption of small data elements.

A side note on symmetric encryption

This process uses the same cryptographic key to encrypt and decrypt data. Both the sender and receiver will have the same copy of the key which needs to be kept secret and not shared with anyone else. This form of encryption differs slightly to asymmetric encryption, whereby a pair of keys are used to encrypt and decrypt data – one of which is a public key and the other which is a private key.

For the payments industry, symmetric encryption is specifically used for securing transactions because it is faster and more efficient to process in comparison to asymmetric encryption and is more effective for data in-transit.

It is also important to note, that within the financial services industry, asymmetric encryption is also used for digital certificates and signatures.

Deployment options

Payment HSMs might  be reffered to as the unseen and unsung heroes of the payments and financial services industry. Hopefully the explanation above helps clarify the critical tasks undertaken by a Payment HSM and how these differ to the tasks requiring the use of General Purpose HSMs. Regardless of what HSM model your organisation requires, users of HSMs have essentially two choices to consider:

Option 1:

To purchase the hardware and host the HSMs on premise in a company’s own, private data centre or via a co-located data centre and manage the hardware in-house.

Option 2:

To use a Cloud HSM service. The term “Cloud HSM” is a general term to indicate an HSM which is owned, hosted, and maintained by a service-provider, where the end user is then granted remote access to use the HSM.



Source: Blog post by MYHSM