Why do I need a Payment HSM?

There are two main reasons.

Firstly, it is good security practice. It is quite feasible to build the functionality of a Payment HSM into the payment application software. However, this would be a poor approach from a security point of view, because rogue software developers or IT staff, or external hackers, could compromise the software to capture sensitive data. By using an HSM, secrets such as PINs and keys are never available in the clear except fleetingly within the secure, impenetrable boundary of the HSM.

The second reason is a consequence of the first. Because of the sound security reasons for using an HSM, PCI mandate the use of Payment HSMs in payment applications. As all payment applications have to be approved by PCI, these applications must use HSMs.

