Frequently Asked Questions
What is the difference between a General Purpose (GP) HSM, Cloud HSM and Payment HSM?
As the term implies, a GP HSM is used to secure general data through encryption. It might be used to encrypt databases, to sign documents and certificates, and to support PKI infrastructures.
A Payment HSM is designed specifically for the card payments sector. It has specific facilities for processing data types such as PINs, PANs, CVVs, tokens, and key components. Its performance is optimised for high-volume symmetric encryption of small data elements. A Payment HSM also needs to undergo security approval by the Payment Card Industry Security Standards Council (PCI SSC). Payment HSMs can be used for some GP tasks, but they are not optimised for this. There have been attempts to enable GP HSMs to be used for payments, but these have not been successful.
“Cloud HSM” is a general term for an HSM which is not located on the user’s premises but is accessed remotely in a data centre, in either the public cloud or a private cloud.
Why do I need a Payment HSM?
There are two main reasons.
Firstly, it is good security practice. It is quite feasible to build the functionality of a Payment HSM into the payment application software. However, this would be a poor approach from the point of view of security because rogue software developers and IT staff or external hackers could compromise the software to capture sensitive data. By using an HSM, secrets such as PINs and keys are never available in the clear except fleetingly within the secure, impenetrable boundary of an HSM.
The second reason is a consequence of the first. Because of the sound security reasons for using an HSM, PCI mandate the use of Payment HSMs in payment applications. As all payment applications have to be approved by PCI, these applications must use HSMs.
What types of HSM do you have available?
We currently offer Utimaco Atalla AT1000 and Thales payShield HSMs.
Does my payment application have to be in the cloud for me to use the MYHSM service?
The MYHSM service fits in well with an organisation’s strategy of using the cloud.
However, it is also appropriate for organisations retaining on-premises IT infrastructure. Because the application hosts communicate with HSMs using IP, it is relatively straightforward to switch from local HSMs to remote HSMs. These organisations would then benefit from not having to worry about the capital, operational, and approval costs of the HSMs, and could focus their resources on their core applications.
What PCI approvals do you have?
Our data centres and their MYHSM installations are approved under PCI DSS.
In addition, MYHSM have achieved PCI PIN approval for the MYHSM implementation.
The Payment HSMs we use are approved to the PCI PTS HSM security standard (as well as to FIPS 140-2).
Why do you have a separate Testing Service?
One reason is that PCI security requirements preclude use of the same HSM for both production work and development/testing work. So, a separate service is required for organisations moving their whole HSM capability to MYHSM.
Because of the way we have structured the Testing Service, the monthly cost is significantly lower than for the fully managed production service and the minimum contract period is short. This means that the MYHSM Testing Service is a very attractive option for organisations that need a short-term supplementary development and testing environment, want to try out their applications with the types of HSM supported by MYHSM, or want to validate their payment applications in the MYHSM service.
Why do you have Shared and Dedicated Services?
The Shared services provide HSM units which are shared between multiple users, with segregation between users being assured by each customer having their own unique LMK. For the Live Shared production service, the user’s monthly fee provides them with various levels of monthly performance, currently up to 40 million PIN Block translations per month.
The security settings applied are designed by MYHSM to meet the requirements of most users and current best practice, as well as meeting PCI requirements.
As a result, the Shared service will satisfy the demands of most users, and because the equipment is shared the costs are optimised.
On the other hand, the Dedicated services are available for users for whom the Shared service performance is insufficient or not appropriate – for example, because they have very high transaction volumes, or they have specific requirements in terms of security settings, or their security policies preclude the use of shared HSMs.