Understanding Hardware Security Modules (HSMs)

The increased number of data breaches, cyber-attacks and hacking have resulted in mandates for HSM manufacturers to comply with external and internal data security regulations and privacy regulations. It has also increased the importance of effective management of cryptographic keys.

Hardware Security Modules or HSMs is not a term that the general public is familiar with, but for the payments industry it serves as an integral part of their security to protect cryptographic keys and customer PINs. Brian Mabuya, Pre-Sales Consultant at CyberTech explains the process as follows: “when an end-user uses an ATM or transacts via a point-of-sale device, this device will speak to the core banking system on the back-end in order to verify the customer PIN on the bank’s HSM (Hardware Security Module). The PIN is not visible, it has been encrypted, thus protecting the customer’s details.”

Where EMV chip cards are concerned, the HSM (CyberTech utilises the Thales HSM) generates working keys (development keys) and public keys what will be needed by VISA, Mastercard or the bank you bank with. Once these keys have been generated, a card can be issued on a specific BIN, also known as the Bank Identity Number.

It is very important to remember that no financial institution or organisation operating within the financial space can transact without an HSM. Not only does an HSM ensure that the end-user’s data is secure, but it also protects the consumer and the bank from fraud etc. In a sense, the HSM can be seen as the glue in the transaction process in terms of security. 

In terms of performance, Mabuya says that you will get different levels of performance, “It all depends on the transaction level of your organisation. CyberTech is able to offer clients a HSM ranging from 25 CPS – 2 500 CPS (Commands per second). As an example, with a 25CPS the HSM is able to run 25 transactions per second.”

Security, safeguarding, encryption… These are essential components of any form of transacting and that is exactly what HSM is. It encrypts the keys on the transactions. In conjunction with this, the organisation or bank should have proper key management in place with the key “custodians” that load and generate these keys. Mabuya goes on to say, “Ideally the HSM should be placed in a secure data centre that can only be accessed on change control and only by the authorised personnel. The HSM can only communicate to a payment’s application the likes of CR2, Bankworld, Sparrow, Postillion etc. It is designed to understand or listen to host commands that are sent to it and it responds to a request that is sent by the application. It’s not just any server that can send those calls to the HSM, it uses a specific API that is recognised by the payments application.”

According to an article published on Cole reports, the writer voices his opinion on how the rising demand for data security within the cloud environment serves as a key opportunity for the global HSM market. He goes on to say, “today Cloud technology has become extremely popular and organisations both big and small are extensively adopting Cloud for storage, infrastructure, and virtual resources. The growing use of cloud is expected to drive the growth opportunities of the hardware security models market.”

Mabuya concludes by saying that CyberTech, in conjunction with Thales, is able to assist organisations in migrating from their current HSM to the Thales HSM.