Ben Rafferty – Global Solutions Director
Talk to any C-level executive and you’d be hard-pressed to find one who isn’t concerned about the increasing frequency of cyber-attacks. This isn’t a surprise considering that fraudsters are becoming ever more sophisticated in their attempts to steal data. As a result, keeping customers’ sensitive data safe is becoming more and more of a priority, with decision-makers realising that there is no such thing as having too many levels of security.
As such, organisations are turning to Hardware Security Modules (HSMs) to provide an additional level of protection and reduce the vulnerability of information stored within internal systems. Even tech giant Apple is a HSM convert, building its entire Apple Pay strategy on HSMs to protect its iCloud Keychain function, including credit and debit card security and the storage of passwords and app policies. It even ships the iPhone 6 and above with a tiny on-device chip version of those cloud-protected HSMs.
If the term HSM has left you scratching your head though, let me outline the key facts. Basically, a HSM is a physical piece of hardware that:
- Secures many different elements of your IT estate by encrypting data at rest or during transmission between two or more parties, be they user to user, user to machine, or machine to machine.
- Separates the encryption process from existing applications and users, generating secure keys and encrypting messages using complex mathematical algorithms.
- Is tamperproof: unauthorised attempts to access its system in an effort to tamper with the cryptographic keys can trigger different responses, be it logging the access attempt, alerting the security team, or even wiping the device entirely!
- Offers digital signing services for a range of applications.
What HSMs mean for PCI
HSMs typically sit at the centre of an organisation’s secure infrastructure to form an integral line of defence against cyber-crime. In fact, the Payment Card Industry Data Security Standard (PCI DSS V3.1 3.5.2) acknowledges that using a HSM improves cyber security.
By using the technology, you can make it that much easier to address, manage and audit PCI DSS V3.1 controls 3.5.3 and 3.6.1 through 3.6.5. Once a HSM is implemented properly, many of these activities become ‘business as usual’ and will benefit your entire estate, not just the PCI DSS zones that are under scrutiny.
Getting your DUKPTs in a row
While there are other virtual encryption solutions on the market, they certainly don’t stack up against a HSM. This is because they are often left vulnerable as they rely on manual processes and systems to protect them, meaning that once an attacker has obtained the original key-making tool, they can potentially crack the entire system. For a POS system in particular, HSMs are able to mitigate this risk by using a key management scheme called DUKPT (derived unique key per transaction). Using DUKPT as part of your HSM’s deployment means that every message is encrypted individually, with a distinct cryptographic key applied to each package of information. As a result, if one transaction is compromised, the others still remain secure.
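To make the per-transaction-key idea concrete, here is an added, simplified HMAC-based model (not Semafone’s code and not the ANSI X9.24 DUKPT algorithm itself, which uses a TDES/AES key hierarchy and a bounded counter). The terminal identifier, labels and key sizes are assumptions; it also shows the forward-ratchet property, so that a later compromise of a terminal cannot recover earlier keys.

```python
"""Simplified 'derived unique key per transaction' model (added example).

Illustrative HMAC-SHA256 construction, NOT the ANSI X9.24 DUKPT algorithm.
It shows the properties the text relies on: every transaction gets its own
key, the base key never leaves the HSM, and exposing one transaction key
reveals neither the base key nor any other transaction key.
"""
import hashlib
import hmac


def _kdf(key: bytes, label: bytes) -> bytes:
    """Derive a 32-byte subkey from `key` and a label (HMAC-SHA256)."""
    return hmac.new(key, label, hashlib.sha256).digest()


class HsmHost:
    """Host side: the Base Derivation Key (BDK) stays inside the HSM."""

    def __init__(self, bdk: bytes):
        self._bdk = bdk  # never exported; only derived keys leave the module

    def initial_key_for(self, terminal_id: bytes) -> bytes:
        """Initial key injected into one terminal at provisioning time."""
        return _kdf(self._bdk, b"IK|" + terminal_id)

    def transaction_key(self, terminal_id: bytes, counter: int) -> bytes:
        """Re-derive the key a terminal used for transaction number `counter`.
        Linear walk for clarity; X9.24 bounds this with a hierarchical counter."""
        chain = self.initial_key_for(terminal_id)
        for _ in range(counter):
            chain = _kdf(chain, b"next")
        return _kdf(chain, b"txn")


class Terminal:
    """POS side: holds only the current chain value, never the BDK."""

    def __init__(self, terminal_id: bytes, initial_key: bytes):
        self.terminal_id = terminal_id
        self._chain = initial_key
        self.counter = 0

    def next_transaction_key(self) -> tuple:
        """Return (counter, key) for the next transaction, then ratchet forward
        so a later compromise of the device cannot recover earlier keys."""
        key = _kdf(self._chain, b"txn")
        ksn = self.counter
        self._chain = _kdf(self._chain, b"next")  # one-way step: old state gone
        self.counter += 1
        return ksn, key
```

The host never stores per-terminal keys: given the terminal identifier and counter sent with each message, it re-derives the matching transaction key from the BDK on demand.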
Put the HSM at the centre of your security
If you’re serious about bringing your data security up to the highest standard, it would be considered best practice that any system that stores, transacts or monitors data is integrated with a HSM, or an equally secure technology. This should be applied across your entire organisation to encompass transacting websites, telephony and point-of-sale systems, and not just e-commerce platforms.
At Semafone we are increasingly helping our clients link all their data to a HSM, regardless of which source it has been collected through. This removes any third party touchpoints and subsequent security processes, which helps reduce the burden of PCI compliance and improves return on investment for your organisation as you no longer have to regulate and secure a multi-layered and complex data environment.
Implementing a HSM also allows large organisations to dismantle the different security solutions around separate silos within the business. This means you can centralise your security frameworks and create a single point of audit, leaving your in-house development team free to focus on their core roles.
Ultimately, integrating all your payment data, as well as data within your telephony estate, with a HSM brings everything under one roof. This means you can rest a little easier knowing you have not only made PCI compliance easier, but have also bolstered information security organisation-wide.