{"id":3552,"date":"2019-09-22T15:36:33","date_gmt":"2019-09-22T07:36:33","guid":{"rendered":"https:\/\/progreso.com.sg\/?post_type=all_news&#038;p=3552"},"modified":"2021-04-21T14:02:37","modified_gmt":"2021-04-21T06:02:37","slug":"what-is-a-hsm-based-payment-server","status":"publish","type":"all_news","link":"https:\/\/www.progreso.com.sg\/newsite\/all_news\/what-is-a-hsm-based-payment-server\/","title":{"rendered":"Blog: What is a HSM (Hardware Security Module) based Payment Server"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"3552\" class=\"elementor elementor-3552\" data-elementor-settings=\"[]\">\n\t\t\t<div class=\"elementor-inner\">\n\t\t\t\t<div class=\"elementor-section-wrap\">\n\t\t\t\t\t\t\t<section class=\"elementor-element elementor-element-8727065 elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-top-section\" data-id=\"8727065\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-be589e7 elementor-column elementor-col-100 elementor-top-column\" data-id=\"be589e7\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-0537a7e elementor-widget elementor-widget-text-editor\" data-id=\"0537a7e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p class=\"p2\">The banking and financial services industry is challenged, for example by <a href=\"https:\/\/content.hsm.utimaco.com\/blog\/tag\/psd2\" target=\"_blank\" rel=\"noopener\">PSD2<\/a>. 
On top of this, they need to manage identity and access management and cryptographic key management, use blockchains, go to the cloud and stay compliant.<\/p><p class=\"p2\">Technology, for example for payment HSMs, is continually evolving. New challenges appear and must be responded to. Because payment systems are unique, hardware vendors often find themselves struggling to keep up with market developments. The need to implement modifications to existing hardware security modules (<a href=\"https:\/\/content.hsm.utimaco.com\/blog\/tag\/hsm\" target=\"_blank\" rel=\"noopener\">HSMs<\/a>) while staying within PCI compliance has become an ever-present and inescapable reality for the payment industry, banks and financial services companies.<\/p><p class=\"p2\">This article explains what a payment HSM is, why it needs to comply with the PCI Hardware Security Module (<a href=\"https:\/\/content.hsm.utimaco.com\/blog\/tag\/hsm\" target=\"_blank\" rel=\"noopener\">HSM<\/a>) requirements and why being PCI-HSM-certified matters, and asks whether the distinction between payment HSMs and general purpose HSMs is still timely.<\/p><h2 class=\"p1\">What is a Payment HSM?<\/h2><p class=\"p2\">The payment industry, banks and financial services companies rely on specialized payment HSMs to securely perform a number of functions:<\/p><ul class=\"ul1\"><li class=\"li2\">Verifying a user-entered PIN against the reference PIN held by the card issuer<\/li><li class=\"li2\">Verifying debit\/credit card transactions by conducting host processing duties for EMV-based transactions or checking CVVs<\/li><li class=\"li2\">Supporting a cryptographic API for EMV<\/li><li class=\"li2\">Re-encrypting a PIN block to be sent to another authorization host<\/li><li class=\"li2\">Performing secure key management<\/li><li class=\"li2\">Supporting POS and ATM network management protocols<\/li><li class=\"li2\">Supporting host-to-host key\/data exchange API standards<\/li><li class=\"li2\">Generation and printing of 
\u201cPIN mailers\u201d<\/li><li class=\"li2\">Generating PVV and CVV data for magnetic stripe cards<\/li><li class=\"li2\">Generating a card keyset and supporting the smart card personalization process<\/li><\/ul><h2 class=\"p1\">Why Hardware Security Modules? Advantages<\/h2><p class=\"p2\">A <a href=\"https:\/\/en.wikipedia.org\/wiki\/Hardware_security_module#Card_payment_system_HSMs_(bank_HSMs)\"><span class=\"s2\">hardware security module<\/span><\/a> (<a href=\"https:\/\/content.hsm.utimaco.com\/blog\/tag\/hsm\" target=\"_blank\" rel=\"noopener\">HSM<\/a>) is a piece of computer hardware that can be added to a computer or network server. It typically takes the form of an external device connected via cable, or of a card installed inside a computer or server. As a norm, these devices do not feature a standard API.<\/p><p class=\"p2\">An <a href=\"https:\/\/content.hsm.utimaco.com\/blog\/tag\/hsm\" target=\"_blank\" rel=\"noopener\">HSM<\/a>\u2019s function is to protect and manage digital keys for strong authentication, providing both the specialized functions required for processing transactions and general-purpose cryptographic functions. It is used primarily to support transaction authorization and payment card personalization by performing the activities listed in the previous section.<\/p><p class=\"p2\">HSMs are normally kept within secure environments. Additional external physical security precautions and protections are required to prevent unauthorized access that would jeopardize the HSM\u2019s secure functions.<\/p><h2 class=\"p1\">The PCI Security Standard<\/h2><p class=\"p2\">A decade ago, financial institutions composed a security standard providing a set of best practices that help keep customer data secure. The standard is not a theoretical work; every line of it is proven by practice. 
If you perform all the procedures required by that standard, you can reach a relatively good level of security. This does not mean you don&#8217;t have to think: you still always need to keep your mind on security!<\/p><p class=\"p2\">Nowadays, the security requirements dictated by PCI are high. All security-related devices, tools and software must meet these requirements. HSM-based payment servers are required to meet the security requirements for PCI compliance as set by the Payment Card Industry Security Standards Council. The <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI%20HSM%20Security%20Requirements%20v1.0%20final.pdf\"><span class=\"s2\">PCI Hardware Security Module (HSM)<\/span><\/a> standard was developed from existing ISO, ANSI and Federal standards, along with generally accepted best practices recognized by the financial industry as applicable to multi-chip devices with robust security and assurance features, including standards for:<\/p><ul class=\"ul1\"><li class=\"li2\">Physical security<\/li><li class=\"li2\">Logical security<\/li><li class=\"li2\">Device security during manufacturing<\/li><li class=\"li2\">Device security between manufacturer and initial key loading<\/li><\/ul><h2 class=\"p1\">Why is PCI-HSM Certification Critical?<\/h2><p class=\"p2\">If we have standards, we must also have tools and practices to ensure that devices or software meet their requirements. Those practices and tools need to be applied to any vendor&#8217;s products. 
Those tools and practices are part of a process named \u201ccertification.\u201d The certification process is a long procedure and includes the following steps:<\/p><ol class=\"ol1\"><li class=\"li2\">A device (in our case, an HSM) is built to detailed specifications<\/li><li class=\"li2\">The device must pass all tests<\/li><li class=\"li2\">The device must be able to resist any possible attack (in the case of an EMV payment card, more than 80 types of attack)<\/li><\/ol><p class=\"p2\">This is really hard work. In fact, the independent laboratory doing these tests develops a significant part of the user\u2019s security. But after completion, the final user can be sure that he is buying a really good product that meets a high degree of security requirements.<\/p><p class=\"p2\">Processing card payments requires an extreme level of security to prevent breaches that jeopardize both customers\u2019 personal information and the security of the payees\u2019 information systems. The <a href=\"https:\/\/content.hsm.utimaco.com\/blog\/pci-dss-physical-security-requirements-for-hsms\" target=\"_blank\" rel=\"noopener\">PCI-HSM<\/a> standard was the first document to address this issue, back in April 2009, as it defined a set of payment industry-specific logical and physical security standards for HSMs. The PCI HSM specification was updated further in May 2012.<\/p><p class=\"p2\">In addition to this, there has been a lot of M&amp;A activity in the payment HSM market. 
Old technology platforms are being phased out and new ones introduced.<\/p><p class=\"p2\">Banks, insurance providers, service providers to either, and fintechs have to stay up to date and flexible while dealing with the complexity of running legacy systems and saving costs: an almost impossible task.<\/p><p class=\"p2\">On top of this, they need to manage identity and access management and cryptographic <a href=\"https:\/\/hsm.utimaco.com\/products-hardware-security-modules\/key-management\/\" target=\"_blank\" rel=\"noopener\">key management<\/a>, use blockchains, go to the cloud and stay compliant.<\/p><h3 class=\"p2\">General Purpose HSMs<\/h3><p class=\"p2\">Currently, most general purpose HSMs adhere to the <a href=\"https:\/\/hsm.utimaco.com\/solutions\/compliance\/certifications\/fips-140-2\/\">FIPS 140-2<\/a> security certification scheme developed by NIST to provide security assurance throughout the payments infrastructure.<\/p><h3 class=\"p1\">Formally Defined Security Levels<\/h3><p class=\"p2\">Years ago, NIST created a formal definition of security assurance levels. Those levels are not fully adequate to the current security landscape, but they are very well defined and practically proven.<\/p><h3>FIPS Levels 1-4<\/h3><p class=\"p2\"><a href=\"https:\/\/content.hsm.utimaco.com\/blog\/tag\/fips-140-2\" target=\"_blank\" rel=\"noopener\">NIST\u2019s FIPS 140-2<\/a> advocates for the highest level to be applied to the payment card industry, banks and financial services companies to ensure secure transactions. There are four levels in this security scheme:<\/p><ul class=\"ul1\"><li class=\"li2\"><strong>Level 1.<\/strong> This is the lowest security level that can be applied to a cryptographic module. 
The only basis for this level\u2019s security is that it uses a cryptographic function.<\/li><li class=\"li2\"><strong>Level 2.<\/strong> Modules at this level have tamper evidence as an additional security feature. The cryptographic device allows authorized operators to open the seals and access the keys after successfully authenticating.<\/li><li class=\"li2\"><strong>Level 3.<\/strong> This security level is defined by tamper detection and response, enhanced protection for private keys and identity-based authentication.<\/li><li class=\"li2\"><strong>Level 4.<\/strong> This is the highest security level and the one that applies to HSM-based devices for payments. In order to be certified as a Level 4 device, the model must be tamper-resistant and provide environmental failure protection against conditions such as voltage or temperature excursions.<\/li><\/ul><h3 class=\"p1\">The Future: Payment vs. General Purpose HSMs, or both?<\/h3><p class=\"p2\">From the perspective of a bank, financial service provider or software provider in the industry, an ideal <a href=\"https:\/\/content.hsm.utimaco.com\/blog\/tag\/hsm\" target=\"_blank\" rel=\"noopener\">HSM<\/a> would be able to do both: payment and general purpose functionality.<\/p><p class=\"p2\">What would it take to make this possible?<\/p><h2 class=\"p1\">Conclusion<\/h2><p class=\"p2\">For now, the need for PCI-HSM certification is critical to remain PCI compliant with <a href=\"https:\/\/hsm.utimaco.com\/products-hardware-security-modules\/payment-hsm\/\" target=\"_blank\" rel=\"noopener\">HSM-based payment systems<\/a> and keep up with market developments. 
Certification of <a href=\"https:\/\/hsm.utimaco.com\/products-hardware-security-modules\/payment-hsm\/\" target=\"_blank\" rel=\"noopener\">Payment HSMs<\/a> provides the ability to maintain the integrity of credit and debit card transactions for the payment card industry, banks and financial services companies. As the payment processing industry continues to evolve in response to growing security concerns, <a href=\"https:\/\/hsm.utimaco.com\/products-hardware-security-modules\/payment-hsm\/\" target=\"_blank\" rel=\"noopener\">HSM-based payment servers<\/a> will need to continue to evolve to address those concerns.<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>The banking and financial services industry is challenged, for example by PSD2. On top of this, they need to manage identity and access management and cryptographic key management, use blockchains, go to the cloud and stay compliant. Technology, for example for payment HSMs, is continually evolving. New challenges appear and must be responded to. 
Because payment systems [&hellip;]<\/p>\n","protected":false},"featured_media":0,"template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/all_news\/3552"}],"collection":[{"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/all_news"}],"about":[{"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/types\/all_news"}],"version-history":[{"count":7,"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/all_news\/3552\/revisions"}],"predecessor-version":[{"id":4340,"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/all_news\/3552\/revisions\/4340"}],"wp:attachment":[{"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/media?parent=3552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}