PCI HSM Compliance Certification

Thales eSecurity offers HSMs that are certified under the PCI HSM standard, enabling customers to streamline card standard compliance and auditing efforts

PCI HSM

The PCI HSM specification defines a set of logical and physical security requirements for HSMs used in the payments industry. Compliance certification depends on demonstrating that a platform meets those requirements.

The payShield 9000 HSM from Thales eSecurity was one of the first HSMs to be successfully validated against the PCI HSM standard, which covers fundamental requirements for payment processes such as:

  • PIN processing;
  • Card verification;
  • Key generation.

Purpose

HSMs play a critical role in securing payment transactions, so it is essential that the HSMs themselves are kept secure throughout their lifecycle—from manufacturing and shipment, through to operation and decommissioning. The PCI HSM compliance certification standard provides HSM vendors with a strict set of security requirements, and a rigorous process for having platforms assessed against these requirements.

Scope

PCI HSM compliance certification is increasingly becoming a fundamental requirement for various payment processes, including PIN processing, card verification, card production, ATM interchange, cash-card reloading and key generation. The payShield 9000 HSM has feature-rich software that has been certified to the PCI HSM standard, addressing all of these processes and many more.

Hardware

To be PCI HSM compliant, a platform must address the following physical security requirements:

  • Tamper-detection and response mechanisms
  • Resilience to abnormal environmental and operating conditions
  • Protection of sensitive data within the device
  • Preventing disclosure of sensitive information by external monitoring techniques
  • Protection of cryptographic keys inside the device, even if the security boundary is breached

Software and Settings

HSM software, configuration and management must address the following logical security requirements:

  • Resilience against unexpected command sequences or operating modes
  • Secure firmware management
  • Strong authentication prior to running sensitive services
  • Secure key management and key separation to prevent misuse and eliminate cleartext exposure of sensitive data and PINs
  • Secure audit trail

Supply Chain

The HSM vendor is required to provide evidence to the PCI HSM evaluation team that effective processes are in place to ensure that the HSM is secured at all times, from manufacture through packaging and shipment to the end user.

Other key data protection and security regulations

GDPR


Perhaps the most comprehensive data privacy standard to date, GDPR affects any organisation that processes the personal data of individuals in the EU, regardless of where the organisation is headquartered.


PCI DSS


Any organisation that plays a role in processing credit and debit card payments must comply with the strict PCI DSS requirements for the processing, storage and transmission of account data.


Data Breach Notification Laws


Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbour” clause.
