The Payment Card Industry Hardware Security Module (PCI HSM) v1.0 specification was published in April 2009 and is the first document from the Payment Card Industry Security Standards Council (PCI SSC) to define a set of logical and physical security requirements for HSMs specific to the needs of the payments industry. In May 2012 an updated version (v2.0) of the PCI HSM specification was issued. Currently, most payment systems rely on the FIPS 140-2 certification scheme run by NIST to provide confidence in the security of the HSMs deployed throughout the payments infrastructure.
The objective of PCI HSM is to define a complete set of requirements for the secure deployment of HSMs. The HSMs in question are intended to support a wide range of payment transaction processing, card issuing and cardholder authentication techniques. PCI SSC states that PCI HSM is intended to cover the following processes in the payments value chain:
- PIN processing
- 3-D Secure
- Card verification
- Card production and personalization
- ATM interchange
- Cash card reloading
- Data integrity
- Chip card transaction processing
A PCI-certified HSM will typically be supplied together with a security policy and configuration instructions so that the device is used in a manner consistent with the requirements of the standard. The PCI HSM standard derives many of its requirements from existing ISO, ANSI and US federal standards and from security best practices already in use by the payments industry.
The role of PCI SSC with respect to PCI HSM is to publish and maintain the security standard and to run a certification scheme in association with independent test laboratories, which allows vendors to submit HSMs for approval under the PCI HSM standard. PCI SSC does not mandate the use of PCI HSM devices; that is the role of the card schemes. As of April 2016, the card schemes had not yet published any mandates regarding the deployment of PCI HSM compliant devices.
Thales eSecurity products validated to the PCI HSM specification
The payShield 9000 was one of the first HSMs in the industry to be successfully validated against v1.0 of the PCI HSM standard. Details can be found here.