What is an HSM?

(ref: wikipedia)

HSM stands for Hardware Security Module. It is a tamper-resistant, hardened physical device used to generate and store cryptographic keys and to perform cryptographic operations. It detects unauthorized access, triggers an alarm, and can even erase the cryptographic keys it holds to protect the information.

There are general purpose and specialized HSMs.

The payment industry uses specialized HSMs to protect cryptographic keys and to generate and validate sensitive data. Typically an HSM performs the following functions for payment card personalization and transaction authorization:

– Exchange keys securely
– Generate PVV and CVV values for magnetic-stripe data
– Generate and print PIN mailers
– Encrypt, decrypt and re-encrypt PIN blocks
– Verify card security codes
– Verify PINs
– Verify EMV (chip) data

It is mandatory for industries such as payments to use an HSM, which is an expensive device. Hence many companies have sprung up offering HSM as a service.

Using an HSM for cryptographic functions in payments is the de facto standard and is also endorsed by the PCI Security Standards Council as part of PCI DSS. PCI also publishes security requirements for HSMs (link).