Overview of Cloud Hardware Security Module for Payment Applications

A hardware security module (HSM) is a tamper-resistant physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, and provides strong authentication and other cryptographic functions. HSM has mature technology that is highly available, scalable, and usable. These modules traditionally come as a plug-in card or an external device that attaches directly to a computer or a network server.

For payment applications, HSMs’ functionality can be classified into three categories: acquiring, issuing, and Point-to-point encryption (P2PE).

For acquiring, which is carried out between merchants and banks, the functions of the Payment Hardware Security Module are:

• Personal Identification Number (PIN) translation, verification, and validation
• Card Verification Value (CVV) generation and validation as per card brands (Visa, Mastercard, AMEX, Discover, and so on)
• EMV – Authorization Request Cryptogram (ARQC) Validation and Authorization Response Cryptogram (ARPC) generation
• Message Authentication Code (MAC) and Cipher-based message authentication code (CMAC) generation and verification
• Network Key Exchange and key management using essential derivation methods – DUKPT, ISO 800-108
• Data encryption for Mobile payment acceptance – Google Pay, Apple Pay, Samsung Pay

On the issuing side, where the focus is on issuing cards and tokens, the Payment Hardware Security Modulefunctionality includes:

• PIN generation
• Online and mobile PIN translation and management
• EMV key generation and derivation for card personalization
• Generating data (PVV, CVV) for a magnetic stripe card
• Mobile payment token issuance for Google Pay, Apple Pay, and Samsung Pay
• Verify that a user-entered PIN matches the reference PIN known to the card issuer
• Card, cardholder, and cryptogram validation during chip payment transaction processing
• Payment credential issuance for payment cards, wearables used for payments, and mobile applications
• Tokenization of EMV payment transaction data

For P2PE, that is, Point-to-Point Encryption, to transmit cardholder data securely from the point of sale to the merchant host, the Payment Hardware Security Module is used for:

• Point-to-point essential management lifecycle
• Sharing keys securely with third parties to facilitate secure communication
• Cardholder data decryption
• Cardholder data translation to processor-specific data formats

Cloud HSM is a cloud-hosted hardware security module (HSM) service that allows hosting encryption keys and performing cryptographic operations in a Federal Information Processing Standard (FIPS) 140-2 Level 3 certified hardware cluster. Cloud hardware security modules (HSMs) deliver the same functionality as on-premises HSMs with the benefit of a cloud service deployment. It removes the need to host and maintain on-premises appliances.

Cloud HSMs allow organizations to:

• Align crypto security requirements with the organization’s cloud strategy
• Support finance and procurement preference to shift from a capital expenditure to an operational expenditure model
• Meet high assurance security and compliance mandates for FIPS 140-2 and Common Criteria Evaluation Assurance Level (EAL)4+

Payment HSMs are certified to meet stringent security and compliance requirements established by the Payment Card Industry Security Standards Council (PCI SSC), including PCI Data Security Standards (PCI DSS), PCI 3DS, PCI PIN, FIPS 40-2 Level 3, and PCI HSM v3.

Payment Applications, whether running on-premises or in a cloud services environment, can securely connect to cloud payment HSMs; that is, they can operate in a hybrid or full cloud model, respectively.

The benefits of hosting HSM in the cloud include complete flexibility, customizability, and reduced cost, as well as maintaining a high standard of hardware security and encryption capabilities.

A few cons of using a cloud HSM include network latency, the cloud’s immaturity, and the difficulty of ensuring physical security.

Are Cloud HSMs as secure as on-premises HSMs?

Security in the cloud is different from security on-premises, but it is not as bad. The threat model and residual risks are different. With on-premises, the risks are perhaps easier to identify—physical attacks, theft, disruption to utilities, network security considerations, firewall, malware, Distributed Denial-of-Service (DDOS), and so on.

With cloud service providers, security is required for server farms and network infrastructure. The most successful attacks in the public cloud have been due to customer misconfiguration, mistakes, and mismanagement, not due to the service providers providing the cloud HSM.

Companies providing Cloud HSM offer it as a “Managed HSM” or “HSM as a Service.” This allows users to generate encryption keys, use them, and store them securely without worrying about time-consuming things like evaluation, setup, maintenance, and updating their own HSM. Experienced experts take care of it.

Azure, Thales, Securosys, and Google are a few companies that provide Cloud HSM as a Service. These companies are fully responsible for configuring and maintaining the HSM. When the HSM is no longer required, and the device is returned, customer data is erased to ensure privacy and security.

Most companies offer single-tenant HSMs, and full remote management capabilities and administrative control are provided entirely to the payment solution provider.

Infrastructure as a Service provider also offers to host and cloud HSMs based either on their own HSM technology or a third-party vendor’s HSM solution, such as Entrust/nCipher, Thales, and Utimaco. When using cloud HSMs which are provided by public cloud providers, operational burdens are significantly reduced. Networking infrastructure is simpler, onboarding is fast, establishing multi-cloud and multi-region high availability is immediate, and operational tasks like invoicing and payments can be built on top of the organization’s existing public cloud account management structure.

A comparison of Cloud-based HSM provided by a Cloud Service Provider and On-Premises HSM from the perspective of an organization that wants to implement HSM is tabularized below:

How can Cloud HSMs be connected to payment applications?

Cloud HSMs offer REST API or a wide range of API software/ libraries installed on the application server to ensure communication with the HSM and provide automatic failover and load balancing. APIs like REST, JCE/JCA, PKCS#11, and Microsoft CNG are supported by Cloud HSM providers for connecting to payment applications.

One of the most significant hurdles in moving payment systems to the public cloud is payment HSM configuration and support in the public cloud. Connecting to cloud HSM from existing on-premises payment applications also needs proper planning, implementation, and integration.

Cigniti’s certified cloud professionals can provide you with consultancy and advisory services to set up the cloud HSM as per the needs of your application. The Security CoE team can ensure the proper functionality of the setup through their Infra and Network tests and Security assurance.

Need help? Talk to our certified cloud professionals to learn more about cloud migration or cloud HSM setup.