Is Your HSM Strategy Optimal?

Lance Homer

The growth of digital services from banks and card issuers, as well as from an increasing number of fintech startups redefining payment methods and convenience, is accompanied by ever-greater vigilance regarding payment security. Hardly a week goes by without a news item about a data breach that disrupts commerce, damages a business’s reputation and makes consumers less trusting of digital commerce.

Secure cryptographic processes for enrollment, provisioning and tokenization of payment card credentials and payments are essential. Organizations like the PCI Security Standards Council and SWIFT have established protocols to promote secure, consistent processing. Governments, too, are paying attention to payment security. The EU has implemented a second Payment Services Directive (PSD2) to strengthen customer authentication and encourage a level playing field among payment services providers.

Encryption Key Management is the Foundation

Encryption is the foundation of payment security and is vital across the payment industry: protecting personally identifiable information (PII), generating PINs, securing magnetic stripe and EMV chip cards and payment credentials, point-to-point encryption (P2PE), payment card and mobile validation, and key sharing with financial ecosystem partners.

For years, businesses have depended on hardware security modules (HSMs) to manage the lifecycle of encryption keys and so provide security throughout the payment process. With the adoption of cloud computing, the expansion of payment services (especially mobile) to new geographies and the interconnectivity of payment partner ecosystems, many businesses are reevaluating their HSM strategy.

Reevaluate Your HSM Strategy

Although HSMs provide a proven level of encryption key management, in an evolving IT environment defined by cloud services and highly connected payment ecosystems they present some serious limitations, all of which are remedied by new, cloud-based encryption key management and tokenization services that offer a superior HSM strategy.

HSM Procurement and Implementation

HSMs have a protracted procurement and implementation cycle that, depending on the size of the enterprise, may take months. Those delays are an impediment to any payment provider wanting to quickly introduce new services or expand to new locations.

HSM Latency Issues

A payment provider could continue to house HSMs in its corporate data center, but the inherent latency of that approach argues against it. Secure, high-volume payments need distributed encryption services located at the edge, where customers and businesses are and where transactions take place.

HSM Devices from Cloud Providers

Cloud providers offer HSMs in their data centers, but they may not be the brand that an end user is accustomed to deploying. And in many cases, complex services depend on multiple cloud providers to host applications and data, as well as to deliver services to various geographies. By depending on cloud providers for HSM devices, a payment services company’s security team would need to manage several different HSM devices and user interfaces. When data security resources are in short supply, companies look for centralized, consistent methods to deploy and manage critical data security resources.

The Optimal HSM Strategy

Providers can address all the limitations of HSM device deployment and management with an HSM as a Service strategy. On-demand deployment where and when needed, support for multicloud environments, centralized management and HSM-grade security provide an optimal HSM strategy.

HSM as a service can be deployed on demand and located on-premises, in colocation data centers connected to your cloud provider, or at the edge in data centers close to the markets served. On-demand implementation and horizontal and geographic scalability allow new payment services to be deployed rapidly and accommodate growth easily as the demand for key management increases. Location flexibility keeps latency to a minimum, optimizing payment transaction performance.

HSM as a service gives services that rely on multiple cloud providers a single, centralized solution for managing the entire encryption key lifecycle, regardless of which cloud environment hosts the data or where the cryptographic functions associated with payments are executed. Data security teams benefit from a single, consistent web-based UI with enterprise-level access controls and single sign-on support to simplify encryption key management.

HSM as a service provides secure key management using Intel SGX technology. Encryption keys, as well as other secrets, are held in an encrypted database when not in use. When in use, encryption keys remain inside a secure Intel SGX enclave. Key material is never available in plaintext to any software component and never exposed in plaintext on the system memory bus or other physical interfaces outside the Intel processor package.

In comparison to having a cloud service provider manage encryption keys via HSMs in its own data centers, HSM as a service can provide a higher level of data security by keeping encryption keys and secrets in a separate entity from the data they encrypt. With HSM as a service, the payment services provider, not the cloud service provider, controls the encryption keys. In the event of an attack on data hosted by a cloud provider, without direct access to the encryption keys, confidential financial information remains undecipherable ciphertext.
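The custody model described in the two paragraphs above, as an added example that is not SmartKey's or Equinix's code and does not use SGX: a software key service that keeps data keys sealed under a master key at rest, unseals them inside the service only for the duration of one operation, and exposes nothing but Encrypt and Decrypt, so callers, and anyone who copies the sealed store, never obtain key bytes. The service, its key names and the sample record are assumptions constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyService is a software model of the custody boundary (not SGX): callers name a key
// and get back only results, never key bytes; data keys rest sealed under a master key.
type KeyService struct {
	master cipher.AEAD
	sealed map[string][]byte // key name -> sealed data key (what the encrypted database holds)
}
func must[T any](v T, err error) T { // panics on errors only a programming mistake can cause
	if err != nil {
		panic(err)
	}
	return v
}
func random(n int) []byte        { b := make([]byte, n); must(rand.Read(b)); return b }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// seal returns nonce || AES-GCM ciphertext; open reverses it and rejects any tampering.
func seal(a cipher.AEAD, pt []byte) []byte { n := random(a.NonceSize()); return a.Seal(n, n, pt, nil) }
func open(a cipher.AEAD, blob []byte) ([]byte, error) {
	if n := a.NonceSize(); len(blob) >= n {
		return a.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("sealed blob missing or truncated")
}
func NewKeyService() *KeyService { return &KeyService{gcm(random(32)), map[string][]byte{}} }
// CreateKey generates a 256-bit data key and stores it only in sealed form.
func (s *KeyService) CreateKey(name string) { s.sealed[name] = seal(s.master, random(32)) }
// op unseals the named data key for this one call only (an unknown name gives a nil blob).
func (s *KeyService) op(name string, fn func(cipher.AEAD) ([]byte, error)) ([]byte, error) {
	dk, err := open(s.master, s.sealed[name])
	if err != nil {
		return nil, err
	}
	return fn(gcm(dk))
}
// Encrypt and Decrypt are the only operations exposed; key bytes never cross the boundary.
func (s *KeyService) Encrypt(name string, pt []byte) ([]byte, error) {
	return s.op(name, func(a cipher.AEAD) ([]byte, error) { return seal(a, pt), nil })
}
func (s *KeyService) Decrypt(name string, ct []byte) ([]byte, error) {
	return s.op(name, func(a cipher.AEAD) ([]byte, error) { return open(a, ct) })
}
```

A copy of the sealed store holds only nonce, sealed key and GCM tag for each key, and a tampered or foreign ciphertext fails with an error rather than decrypting to garbage.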

SmartKey is HSM as a Service

HSM as a service via SmartKey from Equinix is reshaping the encryption key management and tokenization that are critical to secure payment processes. SmartKey enables payment providers to meet the cryptographic needs of applications, data and services, whether they are delivered via public, private or hybrid cloud. SmartKey provides the on-demand elasticity of modern cloud software together with the hardware-based security of an HSM appliance.

SmartKey capabilities can be further enhanced when SmartKey is hosted on Platform Equinix, the largest global platform of interconnected data centers and business ecosystems. Equinix Cloud Exchange Fabric (ECX) running on Platform Equinix supports direct, secure and dynamic software-defined interconnections across globally distributed infrastructure and digital ecosystems.

Lance Homer, Global Head of Strategy for Electronic Payments