Maintaining compliance with rapidly evolving and increasingly stringent regulations is a key challenge for any organization. This is especially true for organizations processing credit cards, such as retail and financial services organizations.
Many financial services organizations use general purpose hardware security modules (HSMs) in the process of protecting credit card information during collection and processing. When these organizations want to take advantage of a cloud-based HSM-as-a-Service solution (HSMaaS), they often encounter concerns around maintaining compliance with PCI DSS due to the extension of the in-scope environment. These concerns have made it difficult to consider the use of HSMaaS within payment processing environments.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard, or PCI DSS, outlines strict requirements for securing payment card information while it is stored, processed, or transmitted. While PCI DSS requirements are not set by law, all businesses processing card data – whether they are physical stores, handle online transactions, or offer services via mail and phone – must comply with this standard if they wish to process credit card transactions.
PCI DSS contains 12 core requirements, each with multiple sub requirements that organizations are measured against to ensure they meet the requirements of the standard. Failure to meet the requirements to protect cardholder data may result in the organization being unable to accept or process credit and debit cards.
How HSMs Help Meet PCI DSS Requirements
HSMs simplify audits by automating secure key management and providing verifiable, tamper-proof procedures for key management and data protection that align with PCI DSS requirements, reducing manual checks.
Using HSMs while following a strict, documented process allows organizations to easily demonstrate to auditors how they meet PCI DSS requirements relating to the generation and use of keys as well as the encryption and decryption of sensitive data.
HSMs also help ensure PCI DSS compliance by providing secure cryptographic key management and use of approved random number generators, enforcing strict access controls, and offering tamper-resistant physical and logical security for sensitive operations.
Entrust nShield as a Service and PCI DSS
We are now able to provide external validation that our HSM-as-a-Service solution, Entrust nShield as a Service (nSaaS), meets the PCI DSS requirements for a third party service provider (TPSP). This indicates that nShield as a Service is certified to provide encryption and key management services related to data that is in-scope for PCI DSS.
Although Entrust nShield HSMs have long been used by financial services organizations, the move to cloud-based HSMs has added complexity to customers' PCI DSS audits. Achieving PCI DSS certification for nSaaS will confirm compliance with the high standards required by both our customers and their auditors, enabling them to confidently use cloud-based HSMs. This certification provides tangible benefits by simplifying recurring PCI DSS audits and offering assurance to organizations considering moving their HSM processes to the cloud.
HSM-as-a-Service Solutions for Financial Services Organizations
As discussed, many organizations in the financial services industry use general-purpose HSMs in the process of protecting credit card information during collection and processing. Now, these organizations can take advantage of a cloud HSM offering, eliminating the infrastructure maintenance responsibility. At the same time, they can be confident they’ll meet their internal and external security requirements.
Maintaining compliance with the necessary requirements is important when considering implementing an HSM-as-a-Service solution. However, it is not the only consideration. It’s important to also consider:
- Security: Make sure you understand how the HSM-as-a-Service offering works. Is it single tenancy or multi-tenancy?
- Control of keys: Can you demonstrate control of keys over their full lifecycle? Who has access to the keys, and who can use them?
- Sovereignty of keys: Will you be compliant with the regulations affecting your organization?
- The functionality of the HSM-as-a-Service solution: Does it do what you need it to do?
- Integrations: Is the solution compatible with the software provided by other vendors or developed in-house? Does the solution integrate with the other products and services used by your organization?
- Ease of comprehensive key management: Does the solution give your entire organization the ability to rotate, generate, discard, and easily access information required during an audit?
nShield as a Service is a subscription-based solution for generating, accessing, and protecting cryptographic key material, separately from sensitive data, using dedicated FIPS 140-2 Level 3 certified nShield Connect HSMs. The solution delivers the same functionality as on-premises HSMs and the benefits of a cloud service deployment, without the need to host and maintain the appliances. nSaaS is a fully dedicated HSMaaS, with no limits to the number of keys or the number of transactions. There are no hidden or variable costs.
Maintaining compliance with ever-changing regulations will only become more important. Entrust nShield as a Service helps make it easy to ensure you can realize the benefits of a cloud-based HSM while still using a solution that meets PCI DSS requirements.
To learn more about HSM-as-a-Service and how Entrust can help you save capital expenditures, maintain control of your critical keys, and strengthen your database security, visit the nShield as a Service product page.