Momentum is building as financial institutions move some or all their payment applications to the cloud. This entails a migration from the legacy on-premises applications and hardware security modules (HSM) to a cloud-based infrastructure that is not generally under their direct control. Often it means a subscription service rather than perpetual ownership of physical equipment and software. Corporate initiatives for efficiency and a scaled-down physical presence are the drivers for this. Conversely, with cloud-native organizations, the adoption of cloud-first without any on-premises presence is their fundamental business model. End-users of a cloud-based payment infrastructure expect reduced IT complexity, streamlined security compliance, and flexibility to scale their solution seamlessly as their business grows.
Shared responsibility and trust—what potential loss of control in some areas is acceptable?
Latency—how can an efficient, high-performance link between the application and HSM be achieved?
Performing everything remotely—what existing processes and procedures may need to be adapted?
Security certifications and audit compliance—how will current stringent requirements be fulfilled?
Introducing the Microsoft Azure Payment HSM
The Azure Payment HSM is a “BareMetal” service delivered using Thales payShield 10K payment HSMs to provide cryptographic key operations for real-time, critical payment transactions in the Azure cloud. Azure Payment HSM is designed specifically to help a service provider and an individual financial institution accelerate their payment system’s digital transformation strategy and adopt the public cloud. It meets the stringent security, audit compliance, low latency, and high-performance requirements set by the Payment Card Industry (PCI).
HSMs are provisioned and connected directly to the user’s virtual network, and they are under the user’s sole administrative control. HSMs can easily be provisioned as a pair of devices and configured for high availability. Users of the service utilize Thales payShield Manager for secure remote access to the HSMs as part of their Azure subscription. Multiple subscription options are available to satisfy a broad range of performance and multi-application requirements, and they can be upgraded quickly in line with end-user business growth. The highest performance level offered by Azure Payment HSM is 2,500 CPS.
Enhanced security and compliance
End-users of the service can leverage Microsoft security and compliance investments to increase their security posture. Microsoft maintains PCI DSS and PCI 3DS compliant Azure data centers, including those which house Azure Payment HSM solutions. The Azure Payment HSM can be deployed as part of a validated PCI P2PE and PCI PIN component or solution, helping to simplify ongoing security audit compliance. Thales payShield 10K HSMs deployed in the security infrastructure are certified to FIPS 140-2 Level 3 and PCI HSM v3.
Manage your Payment HSM in Azure
The Azure Payment HSM service offers complete administrative control of the HSMs to the customer. This includes exclusive access to the HSMs. The customer could be a payment service provider acting on behalf of multiple financial institutions or a financial institution that wishes to directly access the Azure Payment HSM. Once the HSM is allocated to a customer, Microsoft has no access to customer data. Likewise, when the HSM is no longer required, customer data is zeroized and erased as soon as the HSM is released to Microsoft, to maintain complete privacy and security. The customer is responsible for deploying and configuring HSMs to meet their high availability, backup, and disaster recovery requirements, and to achieve the same performance available on their on-premises HSMs.
The Azure Payment HSM solution offers native access to a payment HSM in Azure for ‘lift and shift’ with low latency. The solution offers high-performance transactions for mission-critical payment applications. Thales payShield customers can utilize their existing remote management solutions (payShield Manager and payShield TMD together) to work with the Azure Payment HSM service. Customers new to payShield can source the hardware accessories from Thales or one of its partners before deploying their Payment HSM.
Typical use cases
Card and mobile payment authorization
PIN and EMV cryptogram validation
Payment credential issuing:
Mobile secure elements
Host card emulation (HCE) applications
Securing keys and authentication data:
POS, mPOS, and SPOC key management
Remote key loading (for ATM, POS, and mPOS devices)
PIN generation and printing
Sensitive data protection:
Suitable for both existing and new payment HSM users
The solution provides clear benefits for both payment HSM users with a legacy on-premises HSM footprint, and those new payment ecosystem entrants with no legacy infrastructure to support and who may choose a cloud-native approach from the outset.
Benefits for existing on-premises HSM users:
Requires no modifications to payment applications or HSM software to migrate existing applications to the Azure solution.
Enables more flexibility and efficiency in HSM utilization.
Simplifies HSM sharing between multiple geographically dispersed teams.
Reduces physical HSM footprint in their legacy data centers.
Improves cash flow for new projects.
Benefits for new payment participants:
Azure Payment HSM
Azure Payment HSM documentation
Thales payShield 10K
Thales payShield Manager
Thales payShield Trusted Management Device