01 Mar 2022

Industry stakeholders are leading the effort to develop standards to enhance global payment account data security

The number of credit card transactions processed by global card brands alone is projected to reach 800.41 billion in 2026, a 45% increase over the number of transactions processed in 2021. Convenience is a major reason consumers prefer credit cards, with purchase transactions approved almost instantaneously. In the background, however, a number of steps take place to ensure these payments are processed securely. Leading the charge for payment security is the Payment Card Industry (PCI) Security Standards Council, an organization that facilitates the security of payment account data globally through the development of standards and support of related services.

The PCI Security Standards Council recently published PCI PIN Transaction Security (PTS) Hardware Security Module (HSM) Modular Security Requirements Version 4.0, the latest version of its device security standard for HSMs. This update has introduced several important changes to various sections of the existing standard. The most substantial change to this requirement is the addition of a new module, "Cloud-Based HSMs as a Service – Multi-tenant Usage Security Requirements." Cloud-based HSMs allow Solution Consumers to benefit from the security of HSMs without the responsibility of ownership and upkeep. An HSM Solution Consumer is an entity authorized to use an HSM solution. The aforementioned module encompasses three important sections: "Cloud Physical Security Requirements," "Cloud Logical Security Requirements," and "Cloud Provisioning/Management Security Requirements."

Cloud Physical Security Requirements

This section covers both the operating requirements for the cloud solution provider and the physical separation of sensitive data. The HSM virtualization system must either sufficiently protect the data against physical attack as a standalone device, or otherwise be installed in a controlled environment. Where multiple HSM Solution Consumers are using the same resource, each Solution Consumer's clear-text secret and private keys must be processed in execution paths and memory areas separate from those of any other Solution Consumer. Similarly, where routing/switching is used between multiple HSM Solution Consumers and HSM processing elements, the cryptographic keys for these operations must be adequately protected.

Cloud Logical Security Requirements

Where the HSM is not under the direct control of the Solution Consumer, it is very important to give control over certain elements exclusively to the HSM Solution Consumer. The logical security requirements include the handling of client keys and other actions that require cryptographic verification. For example, any keys owned by an HSM Solution Consumer cannot be imported or exported without that Solution Consumer's cryptographically authenticated approval. This functionality is important because it allows the Solution Consumer to maintain exclusive control over its sensitive data, even when it does not directly control the HSM.

This section further specifies that any processing element storage areas must be fully cleared of sensitive data before another HSM Solution Consumer's data can be processed. This requirement ensures that sensitive data belonging to different Solution Consumers is kept strictly isolated during processing.

Cloud Provisioning/Management Security Requirements

In a multi-tenant system, it is important to ensure that one Solution Consumer's configuration changes do not affect another. First, the new standard requires that the HSM solution support independent secure channels for each HSM Solution Consumer. Next, the HSM processing element must establish a unique provisioning key for each HSM Solution Consumer. Additionally, any HSM configuration made by one Solution Consumer must not affect the compliance of any other Solution Consumer using the HSM solution. These measures ensure that only the intended Solution Consumer can access its sensitive data and configuration options.
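The owner-approval rule from the logical requirements and the per-consumer provisioning key described above can be modelled together. The following is an added illustration, not text or code from the PCI standard or from Intertek; the class and function names, the use of HMAC-SHA-256 as the authentication mechanism, and the nonce-based replay check are all assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets

def sign_approval(prov_key, action, key_id, nonce):
    """Solution Consumer side: authenticate one request with its provisioning key."""
    msg = b"|".join([action.encode(), key_id.encode(), nonce])
    return {"nonce": nonce, "tag": hmac.new(prov_key, msg, hashlib.sha256).digest()}

class SharedHsmModel:
    """Constructed toy model of a multi-tenant HSM front end (not a real HSM API)."""

    def __init__(self):
        self._prov_keys = {}       # consumer -> its own provisioning key
        self._key_owner = {}       # key_id -> owning consumer
        self._seen_nonces = set()  # blocks replay of an old approval

    def enroll(self, consumer):
        # Independent random key per consumer; nothing is shared between consumers.
        self._prov_keys[consumer] = secrets.token_bytes(32)
        return self._prov_keys[consumer]  # assumed sent over that consumer's own channel

    def register_key(self, consumer, key_id):
        self._key_owner[key_id] = consumer

    def export_key(self, key_id, approval):
        """Allow export only with a fresh approval authenticated by the key's owner."""
        owner = self._key_owner.get(key_id)
        nonce = approval["nonce"]
        if owner is None or len(nonce) != 16 or nonce in self._seen_nonces:
            return False
        expected = sign_approval(self._prov_keys[owner], "export", key_id, nonce)
        if not hmac.compare_digest(expected["tag"], approval["tag"]):
            return False
        self._seen_nonces.add(nonce)
        return True

def demo():
    hsm = SharedHsmModel()
    key_a, key_b = hsm.enroll("consumer-a"), hsm.enroll("consumer-b")
    hsm.register_key("consumer-a", "pin-key-1")
    good = sign_approval(key_a, "export", "pin-key-1", secrets.token_bytes(16))
    forged = sign_approval(key_b, "export", "pin-key-1", secrets.token_bytes(16))
    return {
        "owner_approved": hsm.export_key("pin-key-1", good),    # True
        "replayed": hsm.export_key("pin-key-1", good),          # False
        "other_consumer": hsm.export_key("pin-key-1", forged),  # False
    }

if __name__ == "__main__":
    print(demo())
```

Because the approval is verified against the owning consumer's key only, a second consumer on the same HSM cannot authorize operations on keys it does not own.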

Although not the only changes made to the PCI Security Standards Council HSM standard, the new module "Cloud-Based HSMs as a Service – Multi-tenant Usage Security Requirements" is a critical new section of version 4.0. It defines the requirements for environmental security, physical/logical isolation of sensitive data, and provisioning requirements. This module will provide HSM Solution Consumers the ability to scale payment processing as the market continues to grow. This approach effectively manages costs and potentially outsources the burden of owning and operating HSM equipment in a dedicated managed environment. Ultimately, this update is an important step for the creation of new, innovative, and secure payment solutions.


Nick Thomas,
IT Security Specialist, Intertek EWA-Canada


Nick Thomas is an IT Security Specialist for Intertek EWA-Canada in Ottawa, Canada. During his time with EWA-Canada, Nick has developed IT security skills in both the payment assurance and high assurance fields. Familiar with both the PCI Security Standards Council and Australian Payment Network accreditation bodies, Nick currently performs payment product assessments.
