What is the difference between a General Purpose (GP) HSM and Payment HSM?
Although we do not give much thought to hardware security modules (HSMs), they are a critical element of security in an organisation’s IT infrastructure used for securing sensitive data. All HSMs securely generate and store cryptographic keys and can be used to perform cryptographic functions (such as encryption, decryption, signing and authentication). Different HSMs provide different levels of functionality and are approved to different security standards, but they can be considered in two main groups: General Purpose HSMs and Payment HSMs, the latter can also be referred to as Financial Service HSMs or Transaction HSMs.
The term Payment HSM refers to an HSM with a set of enhanced security features which are required to comply with various payment industry standards including the ones listed below. Payment HSMs enforce management under dual-control and offer the payment specific cryptographic commands which are required to ensure sensitive information never exists outside of the HSM. GP HSMs offer more general cryptographic commands which can return sensitive information to the software application.
To illustrate, consider that a software application needs to receive an encrypted PIN from company A and forward it to company B. It will need to decrypt it using key A and re-encrypt it using key B. Using a GP HSM, the software application would send two commands to the HSM – “decrypt this data using key A” and then “encrypt this data using key B”, and the software would see the clear-text PIN in the middle. Using a Payment HSM, the software would send one command – “translate PIN block from key A to key B”, and the clear-text PIN would never leave the HSM. The PCI PIN security requirements mandate the second method.
Which PCI standards require a Payment HSM?
The Payment Card Industry Security Standards Council (PCI SSC) maintain a number of standards covering security in the payment industry. The ones in the list below mandate the use of HSMs which are certified to PCI PTS HSM or FIPS 140-2 Level 3 (or higher). In addition to this, the requirements within these standards mean that the HSMs must provide functionality, which is specific to the Payment industry, hence the term Payment HSM.
- PIN Security
- 3DS (ACS & DS)
- Card Production
General Purpose HSM use cases
A General Purpose HSM is very flexible and can be used in any application that uses cryptographic keys which doesn’t require the additional controls imposed by a Payment HSM. Examples include management of the symmetric keys used for database encryption, and management and use of the asymmetric keys used for the creation of digital signatures and certificates to support PKI (Public Key Infrastructure) and crypto wallets.
A General Purpose HSM will support compliance with numerous security standards including:
- PCI DSS
- PCI 3DS (3DS Server)
- FISMA, FedRAMP, and FICAM
How does a General Purpose HSM work?
Typically, data encryption/decryption is performed by the software application using a symmetric key it retrieves from the HSM at start-up; all of the data is not passed through the HSM itself. A GP HSM is typically optimised for asymmetric cryptography as this is very time consuming when performed in the software application.
For more information on GP HSMs visit Utimaco’s page here.
Payment HSM use cases
A Payment HSM provides the tighter security controls mandated by certain payment industry standards. In these use cases, the software application cannot have access to sensitive data and keys, so the HSM not only performs the basic cryptographic functions, it also understands the format of the input data and generates the correctly formatted output data. Some of the Payment HSM use cases include:
- PIN generation, management, and validation
- PIN block translation during the network switching of ATM and POS transactions
- Card, user and cryptogram validation during payment transaction processing
- Payment credential issuing for payment cards and mobile applications
- Point-to-point encryption (P2PE) key management and secure data decryption
- Sharing keys securely with third parties to facilitate secure communications
- Electronic funds interchange (EFTPOS, ATM)
- Cash-card reloading
- EMV transaction processing
- Key generation and injection
A Payment HSM is optimised for high-volume symmetric encryption of small data elements.
A side note on symmetric encryption
This process uses the same cryptographic key to encrypt and decrypt data. Both the sender and receiver will have the same copy of the key which needs to be kept secret and not shared with anyone else. This form of encryption differs slightly to asymmetric encryption, whereby a pair of keys are used to encrypt and decrypt data – one of which is a public key and the other which is a private key.
For the payments industry, symmetric encryption is specifically used for securing transactions because it is faster and more efficient to process in comparison to asymmetric encryption and is more effective for data in-transit.
It is also important to note, that within the financial services industry, asymmetric encryption is also used for digital certificates and signatures.
At MYHSM we like to refer to Payment HSMs as the unseen and unsung heroes of the payments and financial services industry. Hopefully the explanation above helps clarify the critical tasks undertaken by a Payment HSM and how these differ to the tasks requiring the use of General Purpose HSMs. Regardless of what HSM model your organisation requires, users of HSMs have essentially two choices to consider:
To purchase the hardware and host the HSMs on premise in a company’s own, private data centre or via a co-located data centre and manage the hardware in-house.
To use a Cloud HSM service. The term “Cloud HSM” is a general term to indicate an HSM which is owned, hosted, and maintained by a service-provider, where the end user is then granted remote access to use the HSM.
Cloud HSM options remove the need to buy, host, monitor and maintain the HSM and related network equipment, and deliver benefits such as scalability, elasticity, and cost efficiencies. The main public cloud service providers all offer a variety of options for GP HSM use cases but to date there is no cloud deployment alternative for Payment HSMs due to the strict PCI PIN requirements which involve dual controls and key ceremonies.
MYHSM to the rescue…
MYHSM is the first, global provider of Payment HSMs as a service offering secure and highly available host connections to the Atalla AT1000 and Thales payShield 10K. Providing a suite of PCI PIN and PCI DSS certified and fully managed services, the whole payment ecosystem can connect securely and remotely to a group of Payment HSMs which are compatible with all major payment applications. To find out more about the MYHSM services visit our service page here.
Blog post by Andrew Hodges – CTO at MYHSM by Utimaco