As the term implies, a GP HSM is used to secure general data through encryption. It might be used to encrypt databases, to sign documents and certificates, and to support PKI infrastructures.
A Payment HSM is designed specifically for the card payments sector. It has specific facilities for processing data types such as PINs, PANs, CVVs, tokens, and key components. Its performance is optimised for high-volume symmetric encryption of small data elements. A Payment HSM also needs to undergo security approval by the Payment Card Industry Security Standards Council (PCI SSC). Payment HSMs can be used for some GP tasks, but they are not optimised for this. There have been attempts to enable GP HSMs to be used for payments, but these have not been successful.
“Cloud HSM” is a general term for an HSM that is not located on the user’s premises but is accessed remotely in a data centre, in either a public or a private cloud.
Firstly, it is good security practice. It is quite feasible to build the functionality of a Payment HSM into the payment application software. However, this would be a poor approach from the point of view of security, because rogue software developers and IT staff or external hackers could compromise the software to capture sensitive data. By using an HSM, secrets such as PINs and keys are never available in the clear except fleetingly within the secure, impenetrable boundary of an HSM.
The second reason is a consequence of the first. Because of the sound security reasons for using an HSM, PCI mandate the use of Payment HSMs in payment applications. As all payment applications have to be approved by PCI, these applications must use HSMs.
Currently MYHSM has Cyxtera and Equinix data centres located on the East and West Coasts of America, in the UK, Amsterdam, and Singapore, with data centres in Australia and Brazil coming soon. All data centres follow our physical and operational blueprint and are approved against PCI DSS and PCI PIN as part of our solution.
MYHSM does not transmit, process, or store cardholder data. Data is sent by the customer directly to their allocated Payment HSM via a mutually authenticated TLS connection. This encrypted channel cannot be decrypted by MYHSM en route, and no data is stored in the HSM, so the MYHSM service avoids any concerns around data residency and data sovereignty. Currently MYHSM has customers operating in over 30 countries using our services from our four data centre locations.
One reason is that PCI security requirements preclude use of the same HSM for both production work and development/testing work. So, a separate service is required for organisations moving their whole HSM capability to MYHSM.
Because of the way we have structured the Testing Service, the monthly cost is significantly lower than for the fully managed production service and the minimum contract period is short. This means that the MYHSM Testing Service is a very attractive option for organisations that need a short-term supplementary development and testing environment, want to try out their applications with the types of HSM supported by MYHSM, or want to validate their payment applications in the MYHSM service.
The Shared services provide HSM units which are shared between multiple users, with segregation between users assured by each customer having their own unique LMK. For the Live Shared production service, the user’s monthly fee provides them with various levels of monthly performance – currently up to 120,000,000 PIN Block translations per month.
The security settings applied are designed by MYHSM to meet the requirements of most users and current best practice, as well as meeting PCI requirements.
As a result, the Shared service will satisfy the demands of most users, and because the equipment is shared the costs are optimised.
On the other hand, the Dedicated services are available for users for whom the Shared service performance is insufficient or not appropriate – for example, because they have very high transaction volumes, or they have specific requirements in terms of security settings, or their security policies preclude the use of shared HSMs.
Our data centres and their MYHSM installations are approved under PCI DSS.
In addition, MYHSM have achieved PCI PIN approval for the MYHSM implementation. The Payment HSMs we use are approved to the PCI PTS HSM security standard (as well as to FIPS 140-2).
You can find MYHSM on Visa’s Global Registry list as a valued service provider for demonstrating compliance with Visa’s PIN security programme and the Payment Card Industry Data Security Standard (PCI DSS).
No – The MYHSM service fits in well with an organisation’s strategy of using the cloud.
However, it is also appropriate for organisations retaining on-premises IT infrastructure. Because the application hosts communicate with HSMs using IP, it is relatively straightforward to switch from local HSMs to remote HSMs. These organisations would then benefit from not having to worry about the capital, operational, and approval costs of the HSMs, and could focus their resources on their core applications.
Yes – Where you sent commands to your own local payShield or Atalla HSM, you can send the same commands to an HSM in the MYHSM service. The difference is that you don’t have to buy and host multiple HSMs in different geographic locations for resilience. MYHSM will do that for you, as well as managing and monitoring them in a PCI PIN and DSS compliant manner.
As a fully managed service, MYHSM will manage the MFK (LMK) on behalf of the customer. The top-level key exchange process is also performed by MYHSM in a PCI PIN compliant manner and can be managed via the secure online customer portal.
When using the MYHSM service, the operational costs and support contracts become the responsibility of MYHSM and are covered by the standard subscription cost of the service, reducing the total cost and converting capex to opex.
The MYHSM shared service is a subscription-based model and works on the amount of data consumed each month. If a customer exceeds their data plan, MYHSM will notify them and seamlessly move them up to the next data tier. MYHSM will invoice according to the data plan and usage. To find out more about our data plans please visit our pricing page.
The MYHSM service is PCI PIN certified and significantly reduces the scope and responsibility for the customer to achieve its overall PCI PIN Security Requirements certification. Using the service does not remove the customer from the PCI PIN scope; however, by working with MYHSM the customer can expect:
Simplified audits – MYHSM will provide their PCI PIN AOC and all other relevant documentation which defines the responsibility split between MYHSM and the customer. This will dramatically reduce the scope and complexity of the customer’s PCI PIN audit.
Dedicated experts – Outsourcing your HSM security to MYHSM’s team of specialised, highly skilled HSM, security and network experts who work with HSMs every day can enhance overall security.
Reduced pressure on resources – The manual processes for configuring an HSM, establishing a security team, and writing the policies and procedures required for certification and audits are all time-consuming. MYHSM shoulders this burden so the time to market of the payment solution can be substantially reduced.
The MYHSM Shared Live Service offers access to a group of three Payment HSMs in two geographically separate data centres, delivering 99.999% availability. In the event of an outage, the customer’s applications can automatically spread the load across the remaining HSMs in the group.