Hardware security module (HSM) monitoring has traditionally been a highly technical task left to operations-level administrators and similar IT professionals. The output of their work generally appears as raw numbers for a single unit, even though some enterprises have many appliances in their HSM estate. Some in the market are questioning whether that is sufficient, which raises the question: who really needs HSM monitoring?
HSMs have been an important component in payment card processing since the major card brands adopted card security codes in the late 1990s. Card security code (CSC) is the generic term for the three-digit numbers on the backs of Visa and MasterCard plastic, and the four-digit version on the front of American Express cards. These values provide additional assurance that someone attempting to use a payment card for an online transaction actually has the card in hand, and has not simply lifted the number from a discarded receipt or a statement stolen from a mailbox. Similar values are encoded on the magnetic stripes of the cards and read when they are swiped through a point-of-sale reader.
Now, CSC is being supplanted by EMV, the card brands' standard for more sophisticated cryptographic values encoded into the integrated chips of smart cards. EMV is used broadly outside the US, and the payment brands are pressuring card-issuing banks and card-accepting merchants in the US to support the standard starting in October 2015.
All of these codes are cryptographically derived and, since they serve as authoritative tests that the cards presented are genuine, the cryptographic calculation must be protected with a high degree of integrity. This is where HSMs come in. The HSMs certified by the card brands for use in payment processing, such as the Thales e-Security® payShield® 9000, both protect the cryptographic key(s) specific to a given card issuer's CSC or EMV calculations and serve as the secure cryptoprocessor that executes those calculations. The appliances play a similar role for personal identification number (PIN) management.
In practical operational terms, use of such HSMs is required for several critical payment card operations:
- Personalization of payment cards, when
  - CSC values are calculated for printing and encoding on new and replacement magnetic stripe cards,
  - EMV values are derived for encoding into the integrated chips of smart cards, and
  - PINs are calculated for delivery to cardholders to use with their cards
- Verification of
  - the CSC values presented with point-of-sale and online authorization requests,
  - the EMV values presented with point-of-sale transactions, and
  - the PINs presented with ATM and other authorization requests
The creation operations tend to be high-volume batch jobs, executed against strict production schedules imposed by both regulatory requirements and competitive pressure. The verification operations behind authorization and point-of-sale transactions are largely real-time online transaction processing (OLTP), with an expectation of sub-second response.
It seems obvious that HSM monitoring is needed by anyone whose work is affected when HSM processing is degraded by appliance failure, network interruptions, capacity saturation, and similar conditions. With this understanding, some of the people who need HSM monitoring become plain:
- Payment card production managers and executives, responsible for card personalization and issuance
- Data center managers obligated to provide high ("four 9s" or greater) availability
- Executives responsible for the service level agreements supporting payment card authorizations
- Call center managers whose teams (and budgets) are impacted if authorization failures or delays, or card delivery delays, increase customer complaints
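The conditions named above (appliance failure, network interruption, capacity saturation, and missed sub-second response) map directly onto checks a monitoring tool can run over per-appliance numbers and then roll up across the whole estate. The following Python script is an added illustration written for this page; it is not code from Prime Factors, Thales, or any HSM vendor, and the sample readings, threshold values, and the "N-1" headroom rule (can the surviving units carry the load if one more fails?) are assumptions made here for the example.

```python
"""Estate-level HSM health check built from per-appliance samples.

Added example; the metric names, thresholds and sample data are constructed
for illustration and do not correspond to any vendor's monitoring interface.
"""
from dataclasses import dataclass
from typing import Dict, List

# Thresholds chosen for this illustration (assumptions, not vendor defaults).
SATURATION_WARN = 0.80       # flag a unit running at 80% or more of rated capacity
LATENCY_LIMIT_MS = 1000.0    # OLTP expectation: sub-second response
FOUR_NINES = 0.9999          # "four 9s" availability target


@dataclass
class HsmSample:
    """One polling-interval snapshot for a single HSM appliance."""
    unit: str
    reachable: bool           # False on appliance failure or network interruption
    tps: float                # transactions per second served in the interval
    capacity_tps: float       # rated capacity of the unit
    p99_latency_ms: float     # 99th-percentile response time in the interval


# Constructed readings for a four-unit estate: one saturated, one slow,
# one unreachable, one healthy.
SAMPLES = [
    HsmSample("hsm-01", True, 850.0, 1000.0, 120.0),
    HsmSample("hsm-02", True, 400.0, 1000.0, 1400.0),
    HsmSample("hsm-03", False, 0.0, 1000.0, 0.0),
    HsmSample("hsm-04", True, 300.0, 1000.0, 90.0),
]


def unit_findings(s: HsmSample) -> List[str]:
    """Per-appliance checks: reachability, capacity saturation, latency."""
    if not s.reachable:
        return [f"{s.unit}: unreachable"]
    findings = []
    util = s.tps / s.capacity_tps
    if util >= SATURATION_WARN:
        findings.append(f"{s.unit}: {util:.0%} of rated capacity")
    if s.p99_latency_ms > LATENCY_LIMIT_MS:
        findings.append(
            f"{s.unit}: p99 latency {s.p99_latency_ms:.0f} ms exceeds "
            f"{LATENCY_LIMIT_MS:.0f} ms"
        )
    return findings


def estate_summary(samples: List[HsmSample]) -> Dict[str, object]:
    """Roll per-unit numbers up to the estate: total load, usable capacity,
    and whether the remaining units could absorb the load if the largest
    surviving unit also failed (the N-1 headroom rule assumed here)."""
    up = [s for s in samples if s.reachable]
    load = sum(s.tps for s in up)
    capacity = sum(s.capacity_tps for s in up)
    largest = max((s.capacity_tps for s in up), default=0.0)
    return {
        "units_total": len(samples),
        "units_down": len(samples) - len(up),
        "load_tps": load,
        "capacity_tps": capacity,
        "utilization": load / capacity if capacity else 1.0,
        "n_minus_1_ok": load <= capacity - largest,
    }


def availability(polls: List[bool]) -> float:
    """Fraction of successful reachability polls over a window."""
    return sum(polls) / len(polls) if polls else 0.0


def meets_four_nines(avail: float) -> bool:
    """True when measured availability meets the 'four 9s' target."""
    return avail >= FOUR_NINES


if __name__ == "__main__":
    for sample in SAMPLES:
        for line in unit_findings(sample):
            print("WARN", line)
    summary = estate_summary(SAMPLES)
    print("estate:", summary)
    # Constructed poll history: one failed poll in ten thousand.
    window = [True] * 9999 + [False]
    print("availability:", availability(window), "four 9s:",
          meets_four_nines(availability(window)))
```

The per-unit findings are what a single-appliance dashboard already shows; the estate summary is the part the page argues is missing, since a card production manager cares whether the batch will finish on schedule, and a data center manager cares whether the surviving units can carry the authorization load, not whether one box is at 85%.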
This list is likely just the tip of the iceberg: what other roles in the payments market need HSM monitoring? What other markets beyond payments? Tell me what you think in the comments section below.
For more information about Prime Factors' HSM Surveyor hardware security monitoring and management application, and its ability to visualize HSM performance and capacity, click on the button below: