PCI SSC updates its device security standard for HSMs

The PCI SSC published the latest version of its device security standard for Hardware Security Modules (HSMs). HSMs are secure cryptographic devices that are used for cryptographic-key management and the protection of sensitive data used in payment card processing.

The PCI PIN Transaction Security (PTS) Hardware Security Module (HSM) Modular Security Requirements Version 4.0 ensures that HSM devices provide the strongest protection for critical data elements used in card verification, PIN processing, chip transaction processing, payment card personalization, secure cryptographic key loading, remote HSM administration and other payment authentication activities. Organizations can use PTS Validated HSM devices in conjunction with other PCI Standards to support their efforts to protect payment data throughout their systems and networks.

Supporting industry shift to utilization of cloud-based devices

PCI PTS HSM Security Requirements v4.0 includes the addition of a new evaluation module and approval class for evaluating cloud-based HSMs that are used as part of an HSM-as-a-service offering. These updates support the use of remote management methods and multi-tenant cloud-based devices, and reflect direct feedback received from the payment industry through two request for comment periods.

“The security of cryptographic devices is a critical part of protecting payment data,” says Emma Sutcliffe, SVP, Standards Officer at PCI SSC. “The latest evolution of the PCI PTS HSM Security Requirements reflects the payment industry’s need for flexible payment security solutions.”

Vendors can begin using PCI PTS HSM Requirements v4.0 now for payment device evaluations. Version 3.0 of the Requirements will retire in December 2022 for new device evaluations. Refer to the PCI PTS Device Testing and Approval Program Guide for detailed information regarding the transition period.