VirtuCrypt Cloud Payment HSM
On-demand financial issuing and acquiring
The payments industry uses cloud payment HSMs to secure transactions, protect account data, and authenticate payment devices. Futurex offers its solution suite of payment HSMs over the Futurex VirtuCrypt cloud to meet these needs. A cloud payment HSM gives you the same security and functionality as an on-premises HSM but is more cost-effective and quicker to deploy.
You can configure our extensive financial payments HSMs to fit your organization’s needs. Rather than a template to which you must conform, it’s a blank canvas on which you can design your ideal infrastructure.
Deploy cloud-based Futurex hardware security modules (HSMs) using our VirtuCrypt cloud service. We base our cloud payment HSMs on physical hosts. They offer the same financial issuing and financial acquiring functionality but with the added flexibility and cost-effectiveness of the cloud.
Using the VirtuCrypt cloud, you can deploy a complete cryptographic infrastructure or deploy specific functions to address individual use cases. Do it all with the market-leading Futurex FIPS 140-2 Level 3 and PCI HSM-validated technology.
Direct integration with other services and applications housed outside the public cloud itself is an increasingly popular choice for public cloud usage. Cloud Payment HSMs offer direct integration with public clouds, so you can provision services rapidly through the public cloud marketplace.
Choose service models based on functionality, throughput, and redundancy. Through the VirtuCrypt cloud, you gain unlimited options for customization.
Futurex VirtuCrypt Cloud HSMs comply with all industry standards, such as PCI HSM, HIPPA, SSAE 16, TIA-942. They are certified under FIPS 140-2 Level 3.
Enable a single cloud HSM estate to connect with multiple applications through multiple public cloud regions simultaneously using the VirtuCrypt Intelligence Portal (VIP).
Easily create multiple instances of cloud HSMs to ensure high availability and disaster recovery. You can also automate cloud HSMs as a failover mechanism.
You can do development and proof-of-concept testing without ever stepping inside a data center, ending challenges associated with managing evaluation hardware.
The VirtuCrypt Intelligence Portal (VIP) provides customers with control and visibility of their cloud in the field or corporate office. VirtuCrypt CryptoTunnels ensure secure communication between applications and HSMs.
VirtuCrypt services undergo annual audits to ensure that all compliance and certification requirements are met and maintained. Industry and regulatory compliance includes maintaining VISA Approved Service Provider status, TR-39, FIPS 140-2 Level 3, PCI Data Security Standard (PCI DSS), PCI Point-to-Point Encryption (PCI P2PE), and PCI PIN Transaction Security (PCI PIN) requirements.
VirtuCrypt cloud HSM and key management services are powered by a complete suite of Futurex hardware security modules, key management servers, and other technologies regionally distributed across highly secured data centers. All Futurex HSMs within our VirtuCrypt services are FIPS 140-2 Level 3-validated secure cryptographic devices and comply with Payment Card Industry (PCI) and ASC X9.24 Part 1 and 2 requirements.
VirtuCrypt facilities comply with the following regulatory requirements regarding security:
Cloud payment HSMs handle all common encryption tasks and form the basis of an organization’s enterprise data security ecosystem. With VirtuCrypt, they can be quickly configured and integrated into existing infrastructure. This makes them great all-in-one solutions for enterprises of any size.
The features and capabilities of next-generation cloud payment HSMs include:
A big advantage of the Futurex cloud payment HSM is the level of automation it affords. Instant provisioning within the VirtuCrypt Intelligence Portal (VIP) simplifies migration to the cloud. You can then access your device on the VIP dashboard once it’s been provisioned by VirtuCrypt engineers. Another aspect of this automated process is rapid migration from on-premises HSMs to cloud HSMs. This feature allows certain users to shift their infrastructure to the cloud quickly and easily, instead of having to undergo an exhaustive migration process. VirtuCrypt also provides a cloud HSM Software Development Kit (SDK) that lets you integrate cloud cryptographic processing and key management into your organization’s applications and services, whether they are on-premises or in the cloud.
The Futurex cloud payment HSM can take cloud HSM snapshots. These can be used for backups, migration to new systems, and streamlining new deployments. Cloud HSM snapshots allow for easy management because users can save instances of a cloud HSM. They can also enable and disable cloud HSMs with the click of a button for both testing and production environments. Users can store cloud payment HSM snapshots on the VirtuCrypt cloud HSM backup service and re-provision them on-demand. With these snapshots, users can build HSM templates that make establishing new environments simple while preventing errors. Cloud HSM major keys can be randomly generated, cloned from existing cloud HSMs, compliantly loaded using VirtuCrypt’s key agent services, and fully customer-loaded and controlled from anywhere in the world.
Futurex’s cloud HSMs simplify monitoring for true HSM orchestration. HSM orchestration allows cloud HSMs to be provisioned or modified based on user-defined scenarios. The VIP allows for centralized log management, auditfriendly reporting, and integrated monitoring and alerting. The ability to natively integrate with third-party applications and cloud monitoring tools gives users more flexibility.
VirtuCrypt is Futurex’s award-winning cloud hardware security module (HSM) and key management platform. VirtuCrypt provides cloud-based access to Futurex’s cryptographic solution suite: encryption, key management, tokenization, PKI & certificate authority, data protection, remote key loading for POS/ATM/IoT, and much more.
VirtuCrypt’s advanced encryption and key management applications set it apart from other cloud security platforms. VirtuCrypt is powered by FIPS 140-2 Level 3 and PCI HSM validated hardware. Futurex cloud payment HSMs also support a wide range of cryptographic interfaces, such as PKCS #11, Java JCA/JCE, and Microsoft CNG. This, along with the expertise of Futurex’s Solutions Architect team, form a comprehensive platform unmatched by any other cloud services provider.
You can manage VirtuCrypt services and applications in the VirtuCrypt Intelligence Portal (VIP) management interface. VirtuCrypt instances are located in high-security data centers across six continents. VirtuCrypt provides flexible and powerful data security options on a global scale, all with the convenience of the cloud.
The primary use cases for cloud payment HSMs are transaction acquiring and card and mobile issuance, including functions such as point-to-point encryption (P2PE) and database encryption. However, their use cases and deployment models continually evolve to keep pace with modern security needs. Below are examples of how VirtuCrypt cloud payment HSMs may be deployed:
Payment HSM utilization is typically split into two main categories: payment acquiring, and card and mobile issuing. Point-to-point encryption is an important part of payment acquiring.
Payment acquiring is how merchants and banks process transactions, either through traditional card-based transactions or mobile payments.
Card and mobile issuing refers to how banks issue payment cards and provisioning mobile payment tokens.
Due to PCI regulatory requirements, acquiring and issuing processes are typically carried out in separate HSMs. This restriction does not apply to organizations beyond the scope of PCI, however.
P2PE is a compliance standard developed by the PCI Security Standards Council. The P2PE standard is the framework by which organizations encrypt card data as soon as it is captured by a payment terminal. It is a function of payment acquiring. Doing so avoids sending card data “in the clear” through merchant networks, increasing data security in general.
The data security architecture of the financial sector is in the process of transitioning away from on-premises infrastructure to cloud-hosted infrastructure. Initially, payment applications and payment HSMs were managed onpremises at an organization’s own data centers. Over time, many organizations migrated to the cloud in order to increase scalability and reduce internal IT operating costs.
As organizations moved to partial cloud environments, payment applications were moved to the cloud while HSMs were maintained on-premises. This hybrid approach allowed for flexibility and redundancy for the payment application. But there was still the burden of managing HSMs on-premises. This included staff training, compliance audits, and higher up-front capital expenditure.
After fully realizing the benefits of the cloud, many payment services providers found that moving HSMs to the cloud provided more opportunities to lower their total cost of ownership (TCO) while raising efficiency. Today, many organizations host their payment applications with a public cloud provider and their HSMs with a cloud HSM service, such as Futurex’s VirtuCrypt cloud payment HSM service. These organizations reap the benefits of hosting in the cloud – flexibility, customizability, reduced cost – and maintain the high standard of hardware-backed security. Organizations self-manage the connection between their payment applications and their cloud HSMs.
When using cloud HSMs that are natively integrated with public cloud providers, operational burdens are significantly reduced. Networking infrastructure is simplified, onboarding is faster, and high availability (multi-cloud and multiregion) is easier to attain. As an added bonus, operational tasks like invoicing and payments are built on top of the organization’s existing public cloud account management structure.
Organizations can configure VirtuCrypt cloud payment HSMs to translate and validate PIN blocks. The cloud payment HSMs execute the translation commands needed to prepare PIN blocks for each transaction zone. These commands include:
Like PIN translation, VirtuCrypt cloud payment HSMs support a variety of PIN verification methods including Visa, NCR, Diebold, ICM 3624, and IBM 4736 and can be configured to operate with offline & online PIN solutions.
EMV (originally Europay, Mastercard, and Visa) has become the standard when issuing payment cards. As such, financial organizations must continue to expand their capabilities to effectively manage EMV validation & response. Organizations can offload EMV authorization request (ARQC) validation & response generation (ARPC) to cloud payment HSMs to quickly receive validation of EMV card transactions prior to approving funds for a purchase.
You can eliminate the complexity and risk of key management by centralizing authorization processes into VirtuCrypt. Ensure strong data integrity and authenticity by generating and verifying message authentication code (MAC) in cloud HSMs specifically configured for the payments industry.
Our cloud payment HSMs can be configured to:
Proper encryption key management for network keys is vital to any payment processing environment. VirtuCrypt’s next-generation cloud payment HSMs support a range of features used for these purposes:
Organizations can securely validate card security codes (CVC, CVV, CVC2, CSC) from major payment providers including Visa, MasterCard, Discover and American Express with next-gen cloud payment HSMs. Administrators can appropriately configure cloud HSMs to generate and verify specific types of verification codes through API commands.
VirtuCrypt cloud payment HSMs can also be configured to validate CVVs with set validation conditions. Configurable conditions include output length, card verification key referencing, compatibility modes, and other functions.
VirtuCrypt cloud payment HSMs support Google Pay, Apple Pay, and Samsung Pay.
The services related to mobile payments include:
VirtuCrypt next-generation cloud payment HSMs can generate PIN and PIN offset values during payment card issuance. All major PIN generation algorithms are supported. Offsets can be generated from clear PINs or encrypted PIN blocks. Cloud HSMs can be configured to generate new offsets without changing the customer PIN, encrypting clear PINs, and generating offsets of a clear PIN.
The demand for new methods of accountholder authentication and PIN management has increased. This increase in demand coincides with a growing number of devices and access points to payment systems and ecommerce. Just as solutions have been introduced into the market for software-based PIN entry, so have techniques for cloud-based PIN issuance and management.
When performing a PIN change through an issuer’s website or mobile app, the new PIN is encrypted using the web browser or app’s RSA public key. It is then sent to the VirtuCrypt service instance. Within its FIPS 140-2 Level 3 and PCI HSM compliant boundary, the HSM translates that PIN into an encrypted symmetric PIN block and provides it in a response stored in the issuer’s PIN database for future use.
Cloud payment HSMs act as the primary security devices when issuing EMV ICC chip payment cards. By integrating with data preparation and personalization systems, cloud HSMs play a critical role during issuance of the physical EMV credit, debit & prepaid cards by generating the required keys and other potential EMV requirements including:
Issuing prepaid EMV and debit cards presents unique operational challenges. Unlike typical prepaid debit or storedvalue cards, EMV cards contain an Integrated Circuit Card (ICC) chip and are secured using a Public Key Infrastructure (PKI).
During payment card issuance, the ICC chip is loaded with encrypted data in addition to the magnetic stripe for backward compatibility. The sensitive payment card data is first prepared by the data preparation system which extracts clear sensitive data from issuing institution customer databases. The data preparation system then encrypts sensitive data using three types of keys: Data Transport Key (DTK) for customer data, Key Transport Key (KTK) for encryption keys, and PIN Transport keys (PTK) to encrypt PINs. Each key is derived from the dedicated master key generated by a cloud HSM. Cloud HSMs also provides the necessary encryption keys to the personalization machine that receives, decrypts, and imprints the data from the data preparation system during the card printing process.
For issuers allowing customers to make payments via digital wallets (such as Apple Pay, Google Pay, and Samsung Pay), an efficient payment tokenization solution is needed to avoid unnecessary transmission of payment card and PAN data. Digital wallet payment processing utilizes a specific kind of token, payment token, which differs from the acquisition and issuer tokens in that original PAN data is not exposed. Payment tokens are issued via a Token Service Provider (TSP) to registered token requestors (merchants holding payment card credentials) to be utilized as “proxy” or “surrogate” PAN data.
VirtuCrypt next-generation cloud payment HSMs can be integrated as independent Token Service Provider (TSP) or can be configured to allow payment networks or payment processors to become a TSP. In addition to mobile payment token issuance, VirtuCrypt tokenization and P2PE can be used in conjunction with other encryption technologies allowing organizations to potentially eliminate all clear-text PAN data from their networks.
Point-to-Point Encryption, also known as P2PE, is a security standard according to which cardholder data is encrypted at the point of interaction (POI) or point of sale (POS). The encrypted data is sent to the transaction processor, where it is decrypted within the confines of an HSM, and then is sent to the card issuer for validation. To meet your organization’s specific needs, VirtuCrypt can be configured to create a secure P2PE environment through remote key loading and advanced encryption & translation techniques that support DUKPT derived keys and both 3DES and AES encryption.
After cardholder data is encrypted at a Point-of-Sales (POS) or ATM terminal, data is securely transmitted and decrypted utilizing related keys generated/housed by a cloud HSM (Excrypt Plus) under a secure TLS management platform (Guardian Series 3).
Format-preserving encryption (FPE) allows organizations to encrypt data in the same format as the original data, hence the name “format preserving.” For example, a PAN is typically between 8 and 19 numeric digits, and when using format-preserving encryption, the encrypted PAN data will have the same number of digits. Format-preserving encryption is utilized by organizations with strict database schemas that require field values to share the same length and format.
Encrypted PAN#: 9356030022219797
Decrypted PAN#: 4012888888881881
Derived Unique Key Per Transaction (DUKPT) safeguards data, such as Personal Identification Numbers (PIN) or cardholder Primary Account Numbers (PAN), by providing unique encryption keys for every transaction. Each key cannot lead back to the original key upon which it was based. Each transaction key is erased after use.
Essentially, one Base Derivation Key (BDK) is used to initiate the DUKPT process. The BDK itself is never exposed, but instead is used to create another key, called an initial key. This initial key is injected into the new point of sale (POS) device along with a Key Serial Number (KSN) containing identifying information for the host application. The initial key is used to create a pool of encryption keys, and during each transaction, one of the keys is selected from the pool to encrypt information. After the data is sent to the device, the current key is used to create additional future keys, and then it is erased, removing any information about a previous transaction.
To decrypt data that was encrypted using the Triple DES (3DES) algorithm under a key derived from a DUKPT BDK, a cloud HSM must perform the key derivation process to generate the key needed to decipher the PAN data. Transmitted along with the encrypted PAN data is the Key Serial Number (KSN) which consists of a Device ID and device transaction counter. From the KSN, the receiver then generates the Initial Key and from that generates the Future Key that was used by the device and then the actual key that was used to encrypt the data. With this key, the receiver will be able to decrypt the data.
Derived keys keep information safe. The process cannot be reversed to lead back to the BDK, and if one of the keys were compromised in a POS device, it would immediately be replaced by a new key in the next transaction. Through derivation, DUKPT forms a self-recycling system that promotes security, efficiency, and ease of implementation.
When transmitting sensitive cardholder data between multiple payment institutions (zones), it is best practice to orchestrate a secure process that does not expose clear data to any institution that is not the issuing bank or financial institution. In addition to the handling of sensitive cardholder data, each zone must securely pass the PIN Encryption Key (PEK) between zones for use by the issuing bank.
To accomplish this task, the data block must be translated and encrypted between each zone through sharing of zone keys or Traffic Encryption Keys (TEK). Traffic Encryption Keys (TEKs) encrypt the data transferred between each zone and must be derived from the original master key or in the case of DUKPT the Base Derived Key (BDK). The TEKs must also be changed out frequently requiring a proper key management solution.
VirtuCrypt next-generation cloud payment HSMs can support the secure translation of sensitive cardholder data reducing PCI DSS compliance scope through the following PAN Translation Methods:
To meet PCI compliance standards, a cost-effective key management stra