payShield Trusted Management Device | Thales

payShield Trusted Management Device

payShield TMD offers secure, flexible and efficient key management for payment HSMs. It is a compact, intuitive, self-contained secure cryptographic device (SCD) that enables you to perform symmetric key management tasks including securely forming keys from separate components or splitting existing keys retrospectively into new components. payShield TMD generates and shares keys in a manner that is compliant with relevant security standards, including X9 TR-31, ANSI X9.24-1 and PCI PIN Security.

Unlike traditional approaches, these critical key management tasks can be carried out without any physical connection to a production HSM, providing greater operational flexibility without compromising security. For example, a single payShield TMD can form keys for multiple payment HSMs distributed across multiple data centers, enabling large payment processors to create and distribute thousands of Key Encrypting Keys (KEKs) or Zone Master Keys (ZMKs) in a timely and secure manner while eliminating data entry errors.

Each payShield TMD shares one or more Master ZMKs (MZMKs) with the HSMs to facilitate secure exchange of key material. payShield TMD does not require access to the Local Master Keys (LMKs) used by the production HSMs. Keys exchanged between a payShield TMD and an HSM are encrypted under the appropriate MZMK.

Top 10 reasons for using the payShield Trusted Management Device

payshield

Benefits
Specifications
Accessories

Simplify key management

Leverage our unique QR code method for key import and export to streamline the process and eliminate data entry errors common in legacy approaches.

Minimize time required

Perform all sensitive key management tasks in a secure remote location 24x7. No need to book data center slots or have physical access to production HSMs.

Share keys securely

Take advantage of our standard-based management approach for keys and components when sharing keys with HSMs from multiple vendors.

Key management functionality

Generate key components
Form keys from components
Split existing keys into components
Key sharing methods – QR codes, smart cards, USB tokens and paper components
Compatible with HSMs that support TR-31 / X9.143 key management (e.g. Thales payShield 10K and payShield 9000)

Physical and logical security

Tamper-responsive physical design – sensitive key data erased immediately in the event of an attack
Secure touch screen – sensitive key information encrypted at the point of capture
Dual control login via smart card for administrators and operators
Up to 20 independent Master ZMKs (MZMKs) per payShield TMD
MZMK cryptographic key strength – DES (double / triple length) and AES (128, 192 and 256 bits)
Comprehensive audit log

Device physical characteristics

7” touch screen display
Integral smart card reader
Integral camera and thermal printer
Dimensions : 72 x 114 x 231 mm (H x W x D)
Power : 5V/2A switching power adapter, Li-Ion battery
Operating temperature : 0 to 50C

Security certifications and compliances

PCI HSM v3 certified Key Loading Device (KLD)
PCI PIN Security audit
TR-39 audit

Smart cards

Dedicated payShield TMD smart cards for use by administrators, operators and auditors
payShield HSM smart cards for secure storage of MZMK components

Related Resources

Related Products

Desempenha um papel fundamental na proteção de pagamentos presenciais e digitais à distância.

payShield Manager

Enables security teams to remotely manage HSMs, yielding cost savings and operational efficiency.

payShield Monitor

Provides instantaneous 24x7 visibility of all your payment HSMs from a centralized location.

Looking for partners? Looking for resources?