John Cragg, CEO of MYHSM, a global provider of Payment HSM (hardware security module) as a Service, breaks down what Payment HSMs are, why they are important, potential drawbacks, and what the future holds for them.
Why are we using Payment HSMs?
There are two basic answers to this question: (1) they make good security sense, and (2) we’ve got to.
The idea of any HSM (Hardware Security Module) is to provide security to a system by providing cryptographic capabilities.
Actually, cryptography software these days is a commodity, with commercial off-the-shelf software available for any computer platform.
But, the point of an HSM is that cryptographic activity is performed in a secure hardware and software environment such that nobody – even if they have the most intimate access to the IT systems – can get at the data being protected or the cryptographic keys being used.
But even if that argument doesn’t carry the day, if we are operating in the payments environment we have no choice – PCI (the Payment Card Industry Security Standards Council) mandate the use of HSMs to protect the cardholder from fraud.
The Cinderella of HSMs?
If you divide the HSM world into Payment HSMs and “general purpose” or GP HSMs, HSMs used for payments sometimes seem to be the Cinderella: there are far fewer of them around, their performance may seem less impressive, and they may not support the latest cryptographic technology.
So what’s the point of them?
Well, there are fewer of them because they fulfil the needs of a specific ecosystem – and they do that far better than GP HSMs and make life a lot easier for the user: what GP HSM can do a PIN Block translation, for example, with a single command thereby avoiding exposure of the PIN between decryption and re-encryption?
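The single-command translation mentioned above, sketched as an added example (not MYHSM's or any HSM vendor's code): a toy in-process model in Go in which the host passes only key labels and an encrypted PIN block, and the clear block never crosses the function boundary. The ISO 9564-1 format 0 block, the 3DES zone keys, the key labels, the PIN and the PAN are constructed assumptions for illustration.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// iso0Block builds a clear ISO 9564-1 format 0 PIN block: PIN field (0, length, PIN,
// F padding) XOR PAN field (0000 + the 12 PAN digits before the check digit).
// Inputs are assumed already validated: 4-12 PIN digits, 13+ PAN digits.
func iso0Block(pin, pan string) []byte {
	blk, _ := hex.DecodeString(fmt.Sprintf("0%X%sFFFFFFFFFF", len(pin), pin)[:16])
	panField, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	for i := range blk {
		blk[i] ^= panField[i]
	}
	return blk
}

// hsmKeys models key storage inside the HSM boundary (constructed, not real keys).
var hsmKeys = map[string][]byte{
	"zpk-acquirer": []byte("acquirer-ZPK-constructed"),
	"zpk-issuer":   []byte("issuer-ZPK-constructed!!"),
}

// translatePIN models the single command: ciphertext in, ciphertext out. The clear
// PIN block exists only in a local buffer and is never returned to the caller.
func translatePIN(inKey, outKey string, block []byte) ([]byte, error) {
	kin, e1 := des.NewTripleDESCipher(hsmKeys[inKey])
	kout, e2 := des.NewTripleDESCipher(hsmKeys[outKey])
	if e1 != nil || e2 != nil || len(block) != des.BlockSize {
		return nil, fmt.Errorf("unknown key label or bad block length")
	}
	clear, out := make([]byte, des.BlockSize), make([]byte, des.BlockSize)
	kin.Decrypt(clear, block)
	if clear[0] < 0x04 || clear[0] > 0x0C { // format 0: control nibble 0, PIN length 4-12
		return nil, fmt.Errorf("PIN block format error")
	}
	kout.Encrypt(out, clear)
	return out, nil
}

func main() {
	in := iso0Block("1234", "4111111111111111") // constructed test PIN and PAN
	c, _ := des.NewTripleDESCipher(hsmKeys["zpk-acquirer"])
	c.Encrypt(in, in) // the block as the acquiring side would send it
	out, err := translatePIN("zpk-acquirer", "zpk-issuer", in)
	fmt.Printf("in=%x out=%x err=%v\n", in, out, err)
}
```

A host that decrypted and re-encrypted in two separate calls would hold the clear block in its own memory between them, which is the exposure the single command avoids.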
If we’re looking at performance, what is important is the right performance: fast bulk encryption using asymmetric encryption algorithms is irrelevant to the payments world – a good Payments HSM needs to focus on fast symmetric encryption of transactions.
As for being behind the technological curve, the payments ecosystem is driven by standards enabling thousands of organisations to exchange transactions.
Standards always move slowly, and take time to adopt the latest technology – and there is no point in Payment HSMs implementing technology which their users don’t yet need.
So, no – Payment HSMs are not the Cinderella: more like the Merlin.
So, we love them – right?
Not exactly. We love what Payment HSMs do to protect our payments data and get us through the various PCI audits. But we’re not so keen on the devices themselves.
Firstly, they’re expensive – and, like chocolates, you can never have just one: you need separate units for live operations, development/test and backup. And they need to be replaced every seven years or so to retain vendor support and security updates.
As the 2017 MarketsAndMarkets global forecast for the HSM market says “the cost associated with the hardware security modules acts as a restraint for the growth of the market”.
That’s looking at it from the vendors’ point of view – for the user, you can translate this to “Payment HSMs are a pain in the financial neck”.
The cost of the devices and vendor support is just the start of the pain. Skilled resource is needed to design, implement, operate, and maintain them – and to achieve and retain PCI compliance. And then you need space in a secure data centre to house them.
And, of course, buying and owning equipment is so 2010. We now have the dash to the Cloud, as companies look to save resources and improve balance sheets through reduced Capex by re-architecting their IT capabilities as Cloud-based subscription services.
The vendors of payments technologies may have thought that their customers would resist this trend because of security concerns, but it’s happening.
Where does this leave Payment HSMs?
In some ways, it leaves them behind. Today’s Payment HSMs were not designed for multi-tenant Cloud deployment, and they are nearly all owned and operated by their users. But this can’t go on.
There are already GP HSMs available as Cloud-based services, but putting Payment HSMs into the Cloud presents additional hurdles – not least that of compliance.
Some companies will continue to be more comfortable in owning and operating their own Payment HSMs.
Some of these will be tempted to take advantage of the cloud and put their own HSMs into third-party data centres – but are likely to find that the costs of doing this in a secure and compliant way outstrip the benefits of such a hybrid approach (i.e. of still owning their HSMs but hosting them in someone else’s data centre).
But what about other payments organisations who want to avoid the capital investment in owning Payment HSMs, or who do not have enough skilled resources to operate them and maintain PCI compliance, or who need to focus their efforts on developing their services and products? Are they between a rock and a hard place?
That’s where Payment HSM as a Service comes in. It has taken time to get there because there were a lot of hurdles to overcome, but now it is a reality with the first users already deploying this new approach to Payment HSMs.
We at MYHSM are one of the very few global players in this area – and we have the backing of Thales, the vendor of the Payment HSMs we have chosen to use, because they recognise that this is their future too.
Ultimately, where are Payment HSMs going? Into the Cloud.