Overview of Cloud Hardware Security Module for Payment Applications

A hardware security module (HSM) is a tamper-resistant physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, and provides strong authentication and other cryptographic functions. HSM has mature technology, with high availability, scalability, and usability. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or a network server.

For payment applications, the functionality of HSMs can be classified into three categories – acquiring, issuing, and Point-to-point encryption (P2PE).

For acquiring, which is carried out between merchants and banks, the functions of the HSM are:

• Personal Identification Number (PIN) translation, verification, and validation
• Card Verification Value (CVV) generation and validation as per card brands (Visa, Mastercard, AMEX, Discover, and so on)
• EMV – Authorization Request Cryptogram (ARQC) Validation and Authorization Response Cryptogram (ARPC) generation
• Message Authentication Code (MAC) and Cipher-based message authentication code (CMAC) generation and verification
• Network Key Exchange and key management using key derivation methods – DUKPT, ISO 800-108
• Data encryption for Mobile payment acceptance – Google Pay, Apple Pay, Samsung Pay

On the issuing side, where the focus is on issuing cards and tokens, the HSM functionality includes:

• PIN generation
• Online and mobile PIN translation and management
• EMV key generation and derivation for card personalization
• Generating data (PVV, CVV) for a magnetic stripe card
• Mobile payment token issuance for Google Pay, Apple Pay, and Samsung Pay
• Verify that a user-entered PIN matches the reference PIN known to the card issuer
• Card, cardholder, and cryptogram validation during chip payment transaction processing
• Payment credential issuance for payment cards, wearables used for payments, and mobile applications
• Tokenization of EMV payment transaction data

For P2PE that is Point-to-Point Encryption, to transmit cardholder data securely from the point of sale to the merchant host, HSM is used for:

• Point-to-point key management lifecycle
• Sharing keys securely with third parties to facilitate secure communication
• Cardholder data decryption
• Cardholder data translation to processor-specific data formats

Cloud HSM is a cloud-hosted Hardware Security Module (HSM) service that allows to host encryption keys and perform cryptographic operations in a cluster of Federal Information Processing Standard (FIPS) 140-2 Level 3 certified hardware. Cloud hardware security modules (HSMs) deliver the same functionality as on-premises HSMs with the benefit of a cloud service deployment. It removes the need to host and maintain on-premises appliances.

Cloud HSMs allow organizations to:

• Align crypto security requirements with the organization’s cloud strategy
• Support finance and procurement preference to shift from a capital expenditure to an operational expenditure model
• Meet high assurance security and compliance mandates for FIPS 140-2 and Common Criteria Evaluation Assurance Level (EAL)4+

Payment HSMs are certified across stringent security and compliance requirements established by the Payment Card Industry Security Standards Council (PCI SSC) including PCI Data Security Standards (PCI DSS), PCI 3DS, PCI PIN, FIPS 40-2 Level 3, and PCI HSM v3.

Payment Applications, whether running on-premises or in a cloud services environment, can connect securely to cloud payment HSMs that is they can operate in a hybrid model or full cloud model respectively.

The benefits of hosting HSM in the cloud ensure complete flexibility, customizability, and reduced cost – as well as maintain a high standard of hardware security and encryption capabilities.

A few cons when using a cloud HSM include network latency, immaturity for the cloud, hard to ensure physical security.

Are Cloud HSMs as secure as on-premises HSMs?

Security in the cloud is different than on-premises but it is not lesser. The threat model and residual risks are different. With on-premises the risks are perhaps easier to identify – physical attacks, theft, disruption to utilities, network security considerations, firewall, malware, Distributed-Denial-of-Service (DDOS), and so on.

With cloud service providers, security is required for server farms and network infrastructure. To date, most successful attacks in the public cloud are due to customer misconfiguration, mistakes, and mismanagement not due to the service providers providing the cloud HSM.

Companies providing Cloud HSM offer it as a “Managed HSM” or “HSM as a Service”. This allows users to generate encryption keys, use them, and store them securely without having to worry about time-consuming things like evaluation, setup, maintenance, and updating their own HSM. Experienced experts take care of it.

Azure, Thales, Securosys, and Google are a few companies that provide Cloud HSM as a Service. Full responsibility for the configuration and maintenance of the HSM lies upon these companies. When the HSM is no longer required and the device is returned, customer data is erased to ensure privacy and security.

Most companies offer single-tenant HSMs, and full remote management capabilities and administrative control are provided entirely to the payment solution provider.

Infrastructure as a Service provider also offers to host, and cloud HSMs based either on their own HSM technology or a third-party vendor’s HSM solution such as Entrust/nCipher, Thales, and Utimaco. When using cloud HSMs which are provided by public cloud providers, operational burdens are significantly reduced. Networking infrastructure is simpler, onboarding is fast, establishing multi-cloud and multi-region high availability is immediate, and operational tasks like invoicing and payments can be built on top of the organization’s existing public cloud account management structure.

A comparison of Cloud-based HSM provided by a Cloud Service Provider and On-Premises HSM from the perspective of an organization that wants to implement HSM is tabularized below:

How Cloud HSMs can be connected to payment applications?

Cloud HSMs offer REST API or a wide range of API software/ libraries that are installed on the application server to ensure communication with the HSM and provide automatic failover and load balancing. APIs like REST, JCE/JCA, PKCS#11, and Microsoft CNG are supported by Cloud HSM providers for connecting to payment applications.

In moving payment systems to the public cloud, Payment HSM configuration and support in the public cloud is one of the most significant hurdles. Connecting to cloud HSM from existing on-premises payment applications also needs proper planning, implementation, and proper integration.

Cigniti’s certified cloud professionals can provide you the consultancy and advisory services to set up the cloud HSM as per the need of your application. The Security CoE team can ensure the proper functionality of the setup through their Infra and Network tests and Security assurance.

Need help? Talk to our certified cloud professionals to learn more about cloud migration or cloud HSM setup.