There is an increasing focus in the payments world regarding certifications. After all, transaction processing systems require robust security techniques in their attempts to defeat the fraudsters. Payment card fraud is still a major issue as can be seen from detailed analysis provided by UK Finance (which covers the UK market) and by the Nilson Report which reported $28.65 billion card fraud losses globally. As a security solution provider to the payments market for nearly four decades, Thales has seen significant changes over the years regarding the certifications required for devices such as hardware security modules (HSMs). These devices underpin much of the core security infrastructure, ensuring cryptographic keys and secret data are protected at all times.
During this period, we have gone from a situation where very little third-party validation of security components took place to one where it is ubiquitous. The leading industry standards organizations, including PCI SSC and EMVCo, develop and maintain a comprehensive set of security specifications and associated certification programs that apply to a broad range of devices, including HSMs. Recently, the PCI Council published a draft of its next version (v4) of the PCI HSM security standard for review and feedback by the payment industry. As with the previous three versions over the past 13 years, the security team at Thales will be contributing its expertise. In particular, the new draft covers new/enhanced sections on cloud-based HSMs, key blocks and the use of the AES algorithm which are more stringent than the current PCI HSM v3 standard.
Key Loading Device certification from PCI
It was only a decade ago that most HSMs were still being configured and managed face-to-face inside data centers using a dumb terminal or console interface. Not any more. Thales has provided remote HSM management solutions to its global customer base for many years, and today over 60% of all Thales payShield HSMs are remotely managed (and this will likely rise further due to the pandemic). However, the PCI requirements for security around some of the remote processes have recently been strengthened considerably. Thales rose to the challenge in early 2020 and became the first payment HSM vendor to achieve PCI HSM v3 Key Loading Device (KLD) certification for its innovative payShield Trusted Management Device (TMD), which enables security teams to remotely and securely manage symmetric keys and their components on production HSMs.
Another first for Thales in remote management certifications
In January 2021, Thales achieved another first by obtaining Remote Administration Platform (RAP) approval for the remote management interfaces and the graphical user interface (GUI) utilized by the payShield Manager solution that is used in conjunction with Thales payShield 10K HSMs.
RAP is a new optional component for PCI HSM certifications. Introduced with PCI HSM 3.0, it is only available to devices certified under the latest version of the standard. The most recent PTS PIN Security Requirements – Technical FAQs (which set binding requirements on all payment ecosystem participants handling PINs) mandate that any interface of an HSM used for remote management of keying material and sensitive configuration settings must comply with the security requirements for the PCI HSM RAP module. This can be achieved either by augmenting RAP onto the existing PCI HSM certificate or by pursuing an independent certification under the RAP device class (similar to how the payShield TMD device is certified under the KLD class). Thales chose the RAP augmentation approach to meet the RAP security requirements for payShield Manager and is therefore helping to close a significant audit shortfall for many HSM users.
This makes Thales the only payment HSM vendor able to meet today’s stringent requirements for both key component entry and remote management with solutions formally certified by PCI.
Just one more thing…
Another important aspect related to PCI PIN security requirements is the increasing use of mandates for key blocks. A staged approach is being implemented and it will not surprise you to know that Thales has been ready for quite a while!
PCI PIN Security Requirement 18-3 - Key Blocks outlines the implementation of the new standard in three phases:
- Phase 1 – Effective June 1, 2019, key blocks for internal connections and key storage within service provider environments are to be implemented. This includes all applications and databases that are connected to HSMs.
- Phase 2 – Effective by January 1, 2023, implementation of key blocks for external connections to associations and networks must be done.
- Phase 3 – Effective by January 1, 2025, implementation of key blocks to extend to all point-of-sale (POS), merchant hosts, and ATMs must be done.
payShield 10K HSMs already satisfy PCI PIN requirement 18-3 for key blocks, and we have been busy helping our end users and partners with compliance.