Frequently Asked Questions
GP (general-purpose) HSMs can be used in any application that uses cryptographic keys, e.g. management of the symmetric keys used for database encryption, and management and use of the asymmetric keys used for the creation of digital signatures and certificates to support PKI (Public Key Infrastructure) and crypto wallets.
Payment HSMs have an enhanced set of security features to comply with various payment industry standards. Payment HSMs enforce management under dual control and offer the payment-specific cryptographic commands which are required to ensure sensitive information never exists outside of the HSM.
For a more detailed explanation read our blog here.
There are two main reasons.
Firstly, it is good security practice. It is quite feasible to build the functionality of a Payment HSM into the payment application software. However, this would be a poor approach from the point of view of security because rogue software developers and IT staff or external hackers could compromise the software to capture sensitive data. By using an HSM, secrets such as PINs and keys are never available in the clear except fleetingly within the secure, impenetrable boundary of an HSM.
The second reason is a consequence of the first. Because of the sound security reasons for using an HSM, PCI mandate the use of Payment HSMs in payment applications. As all payment applications have to be approved by PCI, these applications must use HSMs.
We currently offer Utimaco Atalla AT1000 and Thales payShield HSMs.
Currently MYHSM has Cyxtera and Equinix data centres located on the East and West Coasts of America, in the UK, Amsterdam, and Singapore, with data centres in Australia and Brazil coming soon. All data centres follow our physical and operational blueprint and are approved against PCI DSS and PCI PIN as part of our solution.
MYHSM does not transmit, process, or store cardholder data. Data is sent by the customer directly to their allocated Payment HSM via a mutually authenticated TLS connection. This encrypted channel cannot be decrypted by MYHSM en-route, and no data is stored in the HSM, so the MYHSM service avoids any concerns around data residency and data sovereignty. Currently MYHSM has customers operating in over 30 countries using our services from our four data centre locations.
One reason is that PCI security requirements preclude use of the same HSM for both production work and development/testing work. So, a separate service is required for organisations moving their whole HSM capability to MYHSM.
Because of the way we have structured the Testing Service, the monthly cost is significantly lower than for the fully managed production service and the minimum contract period is short. This means that the MYHSM Testing Service is a very attractive option for organisations that need a short-term supplementary development and testing environment, want to try out their applications with the types of HSM supported by MYHSM, or want to validate their payment applications in the MYHSM service.
The Shared services provide HSM units which are shared between multiple users, with segregation between users being assured by customers having their own unique LMK. For the Live Shared production service, the user’s monthly fee provides them with various levels of monthly performance, currently up to 120,000,000 PIN Block translations per month.
The security settings applied are designed by MYHSM to meet the requirements of most users and current best practice, as well as meeting PCI requirements.
As a result, the Shared service will satisfy the demands of most users, and because the equipment is shared the costs are optimised.
On the other hand, the Dedicated services are available for users for whom the Shared service performance is insufficient or not appropriate – for example, because they have very high transaction volumes, or they have specific requirements in terms of security settings, or their security policies preclude the use of shared HSMs.
Connection to the Shared Test service can be made in as little as 3 – 4 working days once a signed agreement is in place. Migration to the Shared Live service can be completed in 10 working days.
Our data centres and their MYHSM installations are approved under PCI DSS.
In addition, MYHSM have achieved PCI PIN approval for the MYHSM implementation. The Payment HSMs we use are approved to the PCI PTS HSM security standard (as well as to FIPS 140-2).
You can find MYHSM on Visa’s Global Registry list as a valued service provider for demonstrating compliance with Visa’s PIN security programme and the Payment Card Industry Data Security Standard (PCI DSS) here.
No – The MYHSM service fits in well with an organisation’s strategy of using the cloud.
However, it is also appropriate to organisations retaining on-premise IT infrastructure. Because the application hosts communicate with HSMs using IP, it is relatively straightforward to switch from local HSMs to remote HSMs. These organisations would then benefit from not having to worry about the capital, operational, and approval costs of the HSMs, and could focus their resources on their core applications.
I have an HSM which will soon be end of life. Am I able to migrate from physical hardware to the MYHSM service?
Yes – Where you sent commands to your own local payShield or Atalla HSM, you can send the same commands to an HSM in the MYHSM service. The difference is that you don’t have to buy and host multiple HSMs in different geographic locations for resilience. MYHSM will do that for you, as well as managing and monitoring them in a PCI PIN and DSS compliant manner.
As a fully managed service, MYHSM will manage the MFK (LMK) on behalf of the customer. The top-level key exchange process is also performed by MYHSM in a PCI PIN compliant manner and can be managed via the secure online customer portal.
When using the MYHSM service, the operational costs and support contracts become the responsibility of MYHSM and are covered by the standard subscription cost of the service, reducing the total cost and converting capex to opex.
As part of the MYHSM service, users have access to a dedicated customer portal where they can:
- Add multiple users and allocate permission levels
- View full documentation and videos on the service, its PCI compliance and the HSMs used
- See details of the specific HSMs to which they have been allocated
- Download full information on how to connect to the service including example code
- Request services including source IP whitelisting, TLS Certificate setup and key exchange
- Monitor the status of each HSM in the service
- View interactive graphs which can detail data usage to the hour
- See live information showing all active TCP/IP connections from each whitelisted IP address
- Securely exchange files with MYHSM such as certificates, certificate signing requests and MFK (LMK) encrypted keys
The MYHSM shared service is a subscription-based model and works on the amount of data consumed each month. If a customer exceeds their data plan, MYHSM will notify them and seamlessly move them up to the next data tier. MYHSM will invoice according to the data plan and usage. To find out more about our data plans please visit our pricing page.
If my payment solution is deployed in the cloud and I use the MYHSM service, how can we ensure PCI PIN compliance?
The MYHSM service is PCI PIN certified and significantly reduces the scope and responsibility for the customer to achieve its overall PCI PIN Security Requirements certification. Using the service does not remove the customer from the PCI PIN scope; however, by working with MYHSM the customer can expect:
- Simplified audits – MYHSM will provide their PCI PIN AOC and all other relevant documentation which defines the responsibility split between MYHSM and the customer. This will dramatically reduce the scope and complexity of the customer’s PCI PIN audit.
- Dedicated experts – outsourcing your HSM security to MYHSM’s team of specialised, highly skilled HSM, security and network experts that work with HSMs every day can enhance the overall security.
- Reduced pressure on resources – The manual processes for configuring an HSM, establishing a security team, and writing the policies and procedures required for certification and audits are all time-consuming. MYHSM shoulders this burden so the time to market of the payment solution can be substantially reduced.
The MYHSM Shared Live Service offers access to a group of three Payment HSMs in two geographically separate data centres delivering 99.999% availability. In the event of an outage, the customer’s applications can automatically spread the load across the remaining HSMs in the group.