PCI PTS HSM compliance is mandatory for banks, acquirers, processors and all other players involved in payment card systems. This article explores the origin, history, evaluation criteria, and the latest version updates of the PCI PTS HSM standard.
Introduction to PCI SSC
The Payment Card Industry Security Standards Council (PCI SSC) is an international governing body established in September 2006 through the contributions of leading card brands, including Mastercard, American Express, Visa, JCB International, and Discover Financial Services. PCI SSC holds the mandate of developing information security standards for the payment industry. For example, the PCI DSS (Payment Card Industry Data Security Standard) developed by PCI SSC is a globally recognized information security standard for the prevention of credit card fraud and numerous additional security threats and vulnerabilities. Compliance with PCI standards is enforced by the founding members of PCI SSC.
The Need for PCI PTS HSM
Hardware Security Modules (HSMs) are the most critical components for the data confidentiality and/or integrity of digital business transactions. The security and credibility of the whole business solution is at stake if an HSM is compromised. Hence, to maintain trust in the overall system, it has to be ensured that HSMs and the key management lifecycle are secure.
A well-recognized certification for HSM security evaluation is FIPS 140-2 (on which much of the PCI PTS HSM requirements are based), but it covers only the physical and logical security of an HSM while in use. PCI SSC devised the PCI PIN Transaction Security (PTS) HSM standard to protect HSMs over their entire lifecycle (manufacturing, delivery, usage, and decommissioning) according to the security needs of the financial payments industry; HSM vendors must comply with it. PCI PTS HSM presents the operational and technical security requirements for the protection of cardholder data. It lists all the security requirements against which an HSM is evaluated to obtain PCI PTS HSM device accreditation/approval.
Evaluation Criteria of PCI PTS HSM v3
PCI PTS HSM v3 presents a set of security requirements as the minimum acceptable criteria for validation / certification. All the specified requirements are derived from the relevant ANSI, ISO, and NIST (FIPS) standards already accepted as best practice by the financial payments industry, and are referred to as Derived Test Requirements (DTRs). PCI defined these requirements using a risk-reduction methodology that weighs the security benefit of each requirement against the acceptable cost of designing and manufacturing HSM devices. Once an HSM is approved against the security requirements, its name and model number are listed on the PCI website. The requirements are organized into four groups, several of which have subgroups:
- Core Requirements
  - Physical Security Requirements
  - Logical Security Requirements
  - Policy and Procedures
- Key Loading Devices
- Remote Administration
- Logical Security
- Devices with Message Authentication Functionality
- Devices with Key Generation Functionality
- Devices with Digital Signature Functionality
- Device Management Security Requirements
  - Device Security Requirements During Manufacturing
  - Device Security Requirements Between Manufacturer and Point of Initial Deployment
Version History
| Version | Description | Release Date |
|---|---|---|
| 1.0 | Initial Release | April 2009 |
| 2.x | RFC Version | February 2012 |
| 2.0 | Public Release | May 2012 |
| 3.x | RFC Version | February 2016 |
| 3.0 | Public Release | June 2016 |
Changes in PCI PTS HSM from Version 2.0 to Version 3.0
PCI PTS HSM version 2.0 was released in May 2012 and remained in active use. As new threats and vulnerabilities emerged, PCI SSC saw the need to update PCI PTS HSM and released version 3.0 in June 2016. The following list highlights the major and notable changes in the updated standard:
- The addition of approval classes for key-loading devices and for remote administration of HSM platforms.
- The validation of device management information submitted by the vendor.
- HSM devices must support firmware updates, and the firmware must authenticate applications loaded into the device, including updates and configuration changes.
- Updated guidance to stipulate that PRNG designs from NIST SP800-90A or ANSI X9.82 shall be used.
In Summary
PCI PTS HSM helps HSM vendors by providing guidance and direction for the appropriate protection of HSMs throughout their life cycle, and vendors must comply with it. Apart from the requirements covering the manufacturing phase through initial deployment, most requirements of the PCI PTS HSM certification are derived from FIPS 140-2.
The scope of PCI HSM certification compliance covers numerous payment processes, including PIN processing, card production/verification, ATM interchange, cash-card reloading and key generation. The evaluation criteria of PCI PTS HSM list various security requirements, divided into four evaluation modules: core requirements, key-loading devices, remote administration, and device management security requirements. These requirements are the minimum acceptable criteria for PCI PTS HSM version 3.0 certification.