Single Payment HSM, What’s the Harm?
John Cragg, CEO at MYHSM, the global provider of Payment HSM as a Service, explores why utilising a single Payment Hardware Security Module is bad practice and could expose numerous issues and vulnerabilities to organisations operating within the payments industry.
Undoubtably, Fintechs over the last decade have demonstrated their dominance and have introduced innovation and disruption within the payments landscape. However, Fintech start-ups continue to deal with ongoing challenges, especially when entering the market. Some of these challenges include securing significant investment and understanding and complying with the regulatory hurdles. In particular, it can be a complex, daunting, and costly task to acquire and operate certified payment HSMs.
As a result, Fintech start-ups have to work with stretched budgets and in many cases try to reduce expenditure wherever possible. Unfortunately, when it comes to Payment HSMs they tend to cut corners.
Let’s look at why should this be avoided at all costs, and how MYHSM Services can remove the complexity and initial investment for start-ups whilst ensuring PCI security standards are adhered to:
False Economy
Initially, operating one Payment HSM may seem like an attractive option from a cost saving perspective, but in reality, this may have harmful consequences. Having just a single Payment HSM means a single point of failure in this mission critical infrastructure. In the event of an outage, there is no backup and no opportunity to spread the load across additional HSMs to ensure resilience. As a result, customers will be unable to make transactions, causing a hugely negative impact on the customer experience and potentially resulting in losing customers. It’s a competitive world, so a secure and seamless customer experience is vital!
PCI Compliance
Payment HSMs are a fundamental component in securing payment processing and card issuing systems. Their use is mandated by PCI (Payment Card Industry Security Standards Council), and they must be certified to a set of security standards to protect cardholder data and transactions.
For Fintech start-ups, writing and adhering to strict processes and procedures is difficult, and to comply with the PCI Security Standards you should use different HSMs for testing and live production work. Therefore, strictly speaking if you are operating with only one Payment HSM and you are testing or developing new payment applications or software on the same unit as the live production work, you are breaking PCI regulations and security best practice.
Security Updates
Maintaining Payment HSMs is expensive – every 8 years the hardware will need to be replaced to retain vendor support and include the latest security standards and operational efficiencies. This alone is a burden and to add to this, throughout the 8-year cycle additional code and firmware updates will also need to be applied. With just one HSM it is impossible to take the HSM offline to run the updates which means the organisation could be operating an infrastructure containing vulnerabilities and bugs.
How MYHSM can help…
Owning and operating just a single Payment HSM makes no sense. At a minimum, you need separate units for live operations, test/development work and standby. Thankfully, there is light at the end of the tunnel. MYHSM provides a unique and compelling offering which provides numerous benefits.
Firstly, when you subscribe to the MYHSM Service you have access to a group of HSMs, housed in multiple, secure data centres which provide 99.999% availability to protect you against unplanned outages.
The MYHSM Service is PCI DSS and PCI PIN approved, so Fintech start-ups no longer have to worry about the PCI approvals required if they buy their own hardware, nor do they have to deal with the process of renewing the approvals every 12 months!
Moreover, MYHSM provides subscription services based on usage levels, which can be set up in days rather than months. This includes a Test Service which provides users with global, remote access to develop and test their payment application using Thales payShield HSM for a fraction of the price of purchasing their own HSMs. Once testing is complete, the migration to the Live Service is seamless, and the Test Service can still run in parallel for any further test and development requirements, following PCI standards.
MYHSM provides Fintechs with a much quicker route to market which removes the complexity and cost associated with Payment HSMs. Now there is no need to cut corners or sacrifice the standard of one of the most important security elements in the payments ecosystem.
Find out more about MYHSM Services here.