Migration to MYHSM
Moving from the status quo of operating and managing Payment HSMs in-house to outsourcing the whole ecosystem to a fully managed service is a brand new concept that some payment companies are understandably cautious about.
Just a few years ago, the idea that traditional banks would move their mission-critical payment systems to the cloud was questionable. Now confidence in the cloud has increased, and companies want to get rid of their physical infrastructure and focus on their core business. As a result, the cloud is quickly becoming the de facto choice for payment systems deployment around the world, with Microsoft Azure and Amazon Web Services leading the way.
The remaining piece of the puzzle for migrating to the cloud, however, is the Payment HSM; the public cloud cannot support them. This gap is filled by MYHSM, which offers a proven and fully PCI PIN compliant solution. Taking advantage of this new alternative requires a change in mindset: accepting the idea of sharing responsibility for your top-level encryption keys with the MYHSM security officers under a fool-proof, secure and approved set of processes, together with an Attestation of Compliance (AoC) as evidence for your own PCI auditors.
When migrating to MYHSM, your existing Master File Key (MFK) is never shared. Instead, MYHSM creates a new, unique MFK for your company during a monitored Key Ceremony at its certified Secure Operating Centre. All keys that are currently encrypted under your existing MFK will be migrated to this new MFK under a Zone Master Key (ZMK). The ZMK is shared as multiple components, managed efficiently via a workflow on the MYHSM portal.
Below we have outlined some factors for consideration when migrating to MYHSM.
THALES PAYSHIELD 9000 END-OF-LIFE
The Thales payShield 9000 family of HSMs is in the process of being officially withdrawn. These HSMs are used by thousands of payment companies around the world, but they are no longer available for purchase and their support will cease on 31st December 2022. The family is being replaced by the payShield 10K, which users must migrate to by then to maintain their PCI compliance. Thales payShield customers have two options:
- Purchase new payShield 10Ks at significant CAPEX to replace their current on-premise payShield 9000s and continue to pay for the dedicated ecosystem that supports them.
- Adopt a new model that enables them to focus on their core business by migrating to the MYHSM Service at a much lower OPEX cost without compromising on functionality, availability or compliance.
KEY VARIANTS TO KEY BLOCKS
The 2019 PCI HSM Key Block mandate obliges payment organisations to ensure that their encrypted symmetric keys are managed in structures called Key Blocks to maintain PCI compliance, replacing the legacy “Key Variants” method that was used to limit key usages.
This migration mandate requires detailed planning and access to skilled personnel with a solid understanding of this specialised area.
MYHSM supports only Key Blocks in its Live Service and provides access to its industry experts to assist with the migration process, thereby offering a convenient and low-risk path for achieving and maintaining compliance. Current users of legacy key variants such as Muira customers can also take advantage of the MYHSM expertise by leveraging their custom code that specifically addresses this issue.
CUSTOM FIRMWARE SUPPORT
MYHSM offers two main types of service, namely Shared and Dedicated. The former allows multiple MYHSM customers to share the same physical HSMs with shared security settings, which provides the advantage of lower costs. The latter offers a group of HSMs that are dedicated to the exclusive use of that customer and which can thus support custom HSM firmware and/or settings, and/or very high transaction volumes.
MYHSM Shared Service HSMs are configured to the payments-specific PCI HSM standard rather than the more general FIPS 140-2 Level 3 standard. PCI HSM certifies the chain of custody, physical build, software and configuration of the HSM, and so provides a more stringent and secure certification.
PCI HSM configuration is optional for the Dedicated Service, as it may not be compatible with card issuance and custom applications.
Customers using the Shared Service will have access to a group of 3 x fully licensed payShield 10Ks, each capable of 2,500 crypto commands per second. Monthly fees are based on actual data usage and customers are billed according to the corresponding data plan that they fall under.
As an example, customers using the Shared Service can expect to be able to process volumes of up to 40m PIN translations per month, and any customer that looks likely to breach this will be advised to migrate to a Dedicated Service that is sized appropriately. The HSMs in a Dedicated Service are licensed according to their peak crypto Commands per Second (CPS). These licenses are field upgradeable, and service availability will not be compromised during license upgrades when using the recommended minimum of 3 x HSMs or more.
The MYHSM Shared Service uses groups of 3 x HSMs that are deployed across 2 x physically separate datacentres in active-active mode and with an SLA of 99.999% availability.
By contrast, the MYHSM Dedicated Service uses a recommended minimum of 3 x HSMs across 2 x physically separate datacentres, also in active-active mode; however, it is the customer’s choice as to how small or large the HSM group is. Naturally, 2 x HSMs in a dedicated group will have a lower availability SLA, and a single HSM will not have any guaranteed availability at all.
A Dedicated Service can however have as many HSMs in its group as a customer requires, and can operate as an HSM ‘farm’ for larger customers serving multiple lines of business, enabling them to rationalise large numbers of on-premise HSM estates to a much smaller number of devices with MYHSM to optimise usage and further reduce costs.