VirtuCrypt Cloud Payment HSM

Cloud payment HSMs handle all common encryption tasks and form the basis of an organization’s enterprise data  security ecosystem. With VirtuCrypt, they can be quickly configured and integrated into existing infrastructure. This  makes them great all-in-one solutions for enterprises of any size.

The features and capabilities of next-generation cloud payment HSMs include:

Core-to-Cloud Architecture and Automation

A big advantage of the Futurex cloud payment HSM is the level of automation it affords. Instant provisioning within the VirtuCrypt Intelligence Portal (VIP) simplifies migration to the cloud. You can then access your device on the VIP dashboard once it’s been provisioned by VirtuCrypt engineers. Another aspect of this automated process is rapid migration from on-premises HSMs to cloud HSMs. This feature allows certain users to shift their infrastructure to the cloud quickly and easily, instead of having to undergo an exhaustive migration process. VirtuCrypt also provides a cloud HSM Software Development Kit (SDK) that lets you integrate cloud cryptographic processing and key management into your organization’s applications and services, whether they are on-premises or in the cloud.

Cloud Payment HSM Management and Snapshot Technology

The Futurex cloud payment HSM can take cloud HSM snapshots. These can be used for backups, migration to new systems, and streamlining new deployments. Cloud HSM snapshots allow for easy management because users can save instances of a cloud HSM. They can also enable and disable cloud HSMs with the click of a button for both testing and production environments. Users can store cloud payment HSM snapshots on the VirtuCrypt cloud HSM backup service and re-provision them on-demand. With these snapshots, users can build HSM templates that make establishing new environments simple while preventing errors. Cloud HSM major keys can be randomly generated, cloned from existing cloud HSMs, compliantly loaded using VirtuCrypt’s key agent services, and fully customer-loaded and controlled from anywhere in the world.

Crypto Infrastructure Intelligence and Orchestration

Futurex’s cloud HSMs simplify monitoring for true HSM orchestration. HSM orchestration allows cloud HSMs to be provisioned or modified based on user-defined scenarios. The VIP allows for centralized log management, auditfriendly reporting, and integrated monitoring and alerting. The ability to natively integrate with third-party applications and cloud monitoring tools gives users more flexibility.

VirtuCrypt is Futurex’s award-winning cloud hardware security module (HSM) and key management platform. VirtuCrypt provides cloud-based access to Futurex’s cryptographic solution suite: encryption, key management, tokenization, PKI & certificate authority, data protection, remote key loading for POS/ATM/IoT, and much more.

Advanced Cloud Encryption & Key Management, Powered by Futurex HSMs

VirtuCrypt’s advanced encryption and key management applications set it apart from other cloud security platforms. VirtuCrypt is powered by FIPS 140-2 Level 3 and PCI HSM validated hardware. Futurex cloud payment HSMs also support a wide range of cryptographic interfaces, such as PKCS #11, Java JCA/JCE, and Microsoft CNG. This, along with the expertise of Futurex’s Solutions Architect team, form a comprehensive platform unmatched by any other cloud services provider.

You can manage VirtuCrypt services and applications in the VirtuCrypt Intelligence Portal (VIP) management interface. VirtuCrypt instances are located in high-security data centers across six continents. VirtuCrypt provides flexible and powerful data security options on a global scale, all with the convenience of the cloud.

The primary use cases for cloud payment HSMs are transaction acquiring and card and mobile issuance, including functions such as point-to-point encryption (P2PE) and database encryption. However, their use cases and deployment models continually evolve to keep pace with modern security needs. Below are examples of how VirtuCrypt cloud payment HSMs may be deployed:

• Full VirtuCrypt cloud: payment application hosted in public cloud with VirtuCrypt cloud HSMs
• Hybrid: on-premises Futurex HSMs and on-premises payment application, with VirtuCrypt cloud payment HSMs for scalability and disaster recovery
• Full public cloud integration: application workloads running in public clouds such as AWS, Microsoft Azure, or Google Cloud, with native integration to VirtuCrypt cloud HSMs

Payment HSM utilization is typically split into two main categories: payment acquiring, and card and mobile issuing. Point-to-point encryption is an important part of payment acquiring.

Payment Acquiring

Payment acquiring is how merchants and banks process transactions, either through traditional card-based transactions or mobile payments.

PIN (translation and verification)

• 3DES and AES PIN blocks
• All PIN validation methods (ISO 8583, Visa, and many others)

CVV generation and validation

• All card brands (Visa, MasterCard, Amex, Discover, and others)
• All variations (CVV, CVV2, CVC, CVC2, Dynamic CVV, etc.)

EMV validation

• ARQC validation and ARPC generation
• All current and past key derivation methods

Message Authentication Code (MAC) generation and verification

•  ISO 9797 Part 3 (financial MAC)
• CMAC

Key management

• Network key exchange
• Key derivation methods (DUKPT, ISO 800-108)

Mobile payment acceptance

• Google Pay, Apple Pay, and Samsung Pay token acceptance

Card and Mobile Issuing

Card and mobile issuing refers to how banks issue payment cards and provisioning mobile payment tokens.

PIN (PIN & offset generation)

• IBM 3624, Visa, Diebold

Online & mobile PIN management

• Supports translating PIN from RSA to symmetric PIN block
• Asymmetric cryptography for mobile app integration

EMV key generation & derivation

• Supports card personalization and data preparation
• All current and past key derivation methods

Mobile payment token issuance

• Google Pay, Apple Pay, and Samsung Pay token issuance

Due to PCI regulatory requirements, acquiring and issuing processes are typically carried out in separate HSMs. This restriction does not apply to organizations beyond the scope of PCI, however.

Point-to-Point Encryption (P2PE)

P2PE is a compliance standard developed by the PCI Security Standards Council. The P2PE standard is the framework by which organizations encrypt card data as soon as it is captured by a payment terminal. It is a function of payment acquiring. Doing so avoids sending card data “in the clear” through merchant networks, increasing data security in general.

Cardholder data decryption

• Supports 3DES and AES P2PE
• Supports multiple key derivation method, including DUKPT
• Supports Format Preserving Encryption, including VAES and BPS

Cardholder data translation

• Supports translating to processor-specific data formats
• Supports multiple cipher translations

Point-to-Point Encryption key management

• Full point-to-point key management lifecycle supported, including distribution to relevant entities

The data security architecture of the financial sector is in the process of transitioning away from on-premises infrastructure to cloud-hosted infrastructure. Initially, payment applications and payment HSMs were managed onpremises at an organization’s own data centers. Over time, many organizations migrated to the cloud in order to increase scalability and reduce internal IT operating costs.

As organizations moved to partial cloud environments, payment applications were moved to the cloud while HSMs were maintained on-premises. This hybrid approach allowed for flexibility and redundancy for the payment application. But there was still the burden of managing HSMs on-premises. This included staff training, compliance audits, and higher up-front capital expenditure.

After fully realizing the benefits of the cloud, many payment services providers found that moving HSMs to the cloud provided more opportunities to lower their total cost of ownership (TCO) while raising efficiency. Today, many organizations host their payment applications with a public cloud provider and their HSMs with a cloud HSM service, such as Futurex’s VirtuCrypt cloud payment HSM service. These organizations reap the benefits of hosting in the cloud – flexibility, customizability, reduced cost – and maintain the high standard of hardware-backed security. Organizations self-manage the connection between their payment applications and their cloud HSMs.

When using cloud HSMs that are natively integrated with public cloud providers, operational burdens are significantly reduced. Networking infrastructure is simplified, onboarding is faster, and high availability (multi-cloud and multiregion) is easier to attain. As an added bonus, operational tasks like invoicing and payments are built on top of the organization’s existing public cloud account management structure.

PIN Translation & Verification

Organizations can configure VirtuCrypt cloud payment HSMs to translate and validate PIN blocks. The cloud payment HSMs execute the translation commands needed to prepare PIN blocks for each transaction zone. These commands include:

• TPIN: Translate PIN blocks from one key to another
• TPIN IBM: Translate the incoming PIN block encrypted via the IBM 4736 ATM algorithm
• TPIN DUKPT: Allows the incoming DUKPT encrypted PIN block to be translated under an outgoing key

Like PIN translation, VirtuCrypt cloud payment HSMs support a variety of PIN verification methods including Visa, NCR, Diebold, ICM 3624, and IBM 4736 and can be configured to operate with offline & online PIN solutions.

EMV Validation

EMV (originally Europay, Mastercard, and Visa) has become the standard when issuing payment cards. As such, financial organizations must continue to expand their capabilities to effectively manage EMV validation & response. Organizations can offload EMV authorization request (ARQC) validation & response generation (ARPC) to cloud payment HSMs to quickly receive validation of EMV card transactions prior to approving funds for a purchase.

MAC Generation & Verification

You can eliminate the complexity and risk of key management by centralizing authorization processes into VirtuCrypt. Ensure strong data integrity and authenticity by generating and verifying message authentication code (MAC) in cloud HSMs specifically configured for the payments industry.

Our cloud payment HSMs can be configured to:

• Generate standard, DUKPT, or hashed messaging code
• Generate ISO Variant 3, or HMAC and PBKDF2 obfuscated value
• Verify standard MAC and MAC using DUKPT
• Generate & verify cipher-based MAC (CMAC)

Key Management & Derivation

Proper encryption key management for network keys is vital to any payment processing environment. VirtuCrypt’s next-generation cloud payment HSMs support a range of features used for these purposes:

• Network key exchange under a common Key Exchange Key (KEK)
• Key translation between a range of formats
• Key derivation for a variety of methods including DUKPT & ISO 800-108 recommended methods (Counter, Feedback, and Double-Pipeline Iteration)
• Mastercard On Behalf Key Management (OBKM)

CVV Generation & Validation

Organizations can securely validate card security codes (CVC, CVV, CVC2, CSC) from major payment providers including Visa, MasterCard, Discover and American Express with next-gen cloud payment HSMs. Administrators can appropriately configure cloud HSMs to generate and verify specific types of verification codes through API commands.

• Card Identification Number (CID)
• Card Security Code (CSC)
• Card Validation Code (CVC & CVC2)
• Card Verification Data (CVD)
• Card Verification Value (CVV)

VirtuCrypt cloud payment HSMs can also be configured to validate CVVs with set validation conditions. Configurable conditions include output length, card verification key referencing, compatibility modes, and other functions.

Mobile Payments Acceptance

VirtuCrypt cloud payment HSMs support Google Pay, Apple Pay, and Samsung Pay.

The services related to mobile payments include:

• Decrypting Apple Pay, Google Pay, Samsung Pay tokens
• Generating Host Card Emulation (HCE) mobile cryptograms, magstripe verification values, and mobile keys
• Verifying HCE mobile cryptograms and magstripe verification values

PIN (PIN and Offset Generation)

VirtuCrypt next-generation cloud payment HSMs can generate PIN and PIN offset values during payment card issuance. All major PIN generation algorithms are supported. Offsets can be generated from clear PINs or encrypted PIN blocks. Cloud HSMs can be configured to generate new offsets without changing the customer PIN, encrypting clear PINs, and generating offsets of a clear PIN.

Mobile and Web PIN Management

The demand for new methods of accountholder authentication and PIN management has increased. This increase in demand coincides with a growing number of devices and access points to payment systems and ecommerce. Just as solutions have been introduced into the market for software-based PIN entry, so have techniques for cloud-based PIN issuance and management.

When performing a PIN change through an issuer’s website or mobile app, the new PIN is encrypted using the web browser or app’s RSA public key. It is then sent to the VirtuCrypt service instance. Within its FIPS 140-2 Level 3 and PCI HSM compliant boundary, the HSM translates that PIN into an encrypted symmetric PIN block and provides it in a response stored in the issuer’s PIN database for future use.

EMV Key Generation and Derivation

Cloud payment HSMs act as the primary security devices when issuing EMV ICC chip payment cards. By integrating with data preparation and personalization systems, cloud HSMs play a critical role during issuance of the physical EMV credit, debit & prepaid cards by generating the required keys and other potential EMV requirements including:

• EMV ICC certificate and issuer CSR
• Generating dCVC3, CVC IV, and Data Authentication Code (DAC)
• Key derivation from Vendor Master Key
• Generating & verifying MAC
• Establish authority between issuer and payment scheme
• Derive Application Cryptogram (AC) card key from the AC master key & account number
• Validating EMV cryptograms

Payment Card Issuance & Replacement

Issuing prepaid EMV and debit cards presents unique operational challenges. Unlike typical prepaid debit or storedvalue cards, EMV cards contain an Integrated Circuit Card (ICC) chip and are secured using a Public Key Infrastructure (PKI).

During payment card issuance, the ICC chip is loaded with encrypted data in addition to the magnetic stripe for backward compatibility. The sensitive payment card data is first prepared by the data preparation system which extracts clear sensitive data from issuing institution customer databases. The data preparation system then encrypts sensitive data using three types of keys: Data Transport Key (DTK) for customer data, Key Transport Key (KTK) for encryption keys, and PIN Transport keys (PTK) to encrypt PINs. Each key is derived from the dedicated master key generated by a cloud HSM. Cloud HSMs also provides the necessary encryption keys to the personalization machine that receives, decrypts, and imprints the data from the data preparation system during the card printing process.

Mobile Payment Token Issuance

For issuers allowing customers to make payments via digital wallets (such as Apple Pay, Google Pay, and Samsung Pay), an efficient payment tokenization solution is needed to avoid unnecessary transmission of payment card and PAN data. Digital wallet payment processing utilizes a specific kind of token, payment token, which differs from the acquisition and issuer tokens in that original PAN data is not exposed. Payment tokens are issued via a Token Service Provider (TSP) to registered token requestors (merchants holding payment card credentials) to be utilized as “proxy” or “surrogate” PAN data.

VirtuCrypt next-generation cloud payment HSMs can be integrated as independent Token Service Provider (TSP) or can be configured to allow payment networks or payment processors to become a TSP. In addition to mobile payment token issuance, VirtuCrypt tokenization and P2PE can be used in conjunction with other encryption technologies allowing organizations to potentially eliminate all clear-text PAN data from their networks.

Point-to-Point Encryption, also known as P2PE, is a security standard according to which cardholder data is encrypted at the point of interaction (POI) or point of sale (POS). The encrypted data is sent to the transaction processor, where it is decrypted within the confines of an HSM, and then is sent to the card issuer for validation. To meet your organization’s specific needs, VirtuCrypt can be configured to create a secure P2PE environment through remote key loading and advanced encryption & translation techniques that support DUKPT derived keys and both 3DES and AES encryption.

Cardholder Data Decryption (Using FPE and DUKPT)

After cardholder data is encrypted at a Point-of-Sales (POS) or ATM terminal, data is securely transmitted and decrypted utilizing related keys generated/housed by a cloud HSM (Excrypt Plus) under a secure TLS management platform (Guardian Series 3).

Decryption Using Format-Preserving Encryption

Format-preserving encryption (FPE) allows organizations to encrypt data in the same format as the original data, hence the name “format preserving.” For example, a PAN is typically between 8 and 19 numeric digits, and when using format-preserving encryption, the encrypted PAN data will have the same number of digits. Format-preserving encryption is utilized by organizations with strict database schemas that require field values to share the same length and format.

Example:
Encrypted PAN#: 9356030022219797
Decrypted PAN#: 4012888888881881

Decryption Using DUKPT

Derived Unique Key Per Transaction (DUKPT) safeguards data, such as Personal Identification Numbers (PIN) or cardholder Primary Account Numbers (PAN), by providing unique encryption keys for every transaction. Each key cannot lead back to the original key upon which it was based. Each transaction key is erased after use.

Essentially, one Base Derivation Key (BDK) is used to initiate the DUKPT process. The BDK itself is never exposed, but instead is used to create another key, called an initial key. This initial key is injected into the new point of sale (POS) device along with a Key Serial Number (KSN) containing identifying information for the host application. The initial key is used to create a pool of encryption keys, and during each transaction, one of the keys is selected from the pool to encrypt information. After the data is sent to the device, the current key is used to create additional future keys, and then it is erased, removing any information about a previous transaction.

To decrypt data that was encrypted using the Triple DES (3DES) algorithm under a key derived from a DUKPT BDK, a cloud HSM must perform the key derivation process to generate the key needed to decipher the PAN data. Transmitted along with the encrypted PAN data is the Key Serial Number (KSN) which consists of a Device ID and device transaction counter. From the KSN, the receiver then generates the Initial Key and from that generates the Future Key that was used by the device and then the actual key that was used to encrypt the data. With this key, the receiver will be able to decrypt the data.

DUKPT Advantages

Derived keys keep information safe. The process cannot be reversed to lead back to the BDK, and if one of the keys were compromised in a POS device, it would immediately be replaced by a new key in the next transaction. Through derivation, DUKPT forms a self-recycling system that promotes security, efficiency, and ease of implementation.

Cardholder Data Translation

When transmitting sensitive cardholder data between multiple payment institutions (zones), it is best practice to orchestrate a secure process that does not expose clear data to any institution that is not the issuing bank or financial institution. In addition to the handling of sensitive cardholder data, each zone must securely pass the PIN Encryption Key (PEK) between zones for use by the issuing bank.

To accomplish this task, the data block must be translated and encrypted between each zone through sharing of zone keys or Traffic Encryption Keys (TEK). Traffic Encryption Keys (TEKs) encrypt the data transferred between each zone and must be derived from the original master key or in the case of DUKPT the Base Derived Key (BDK). The TEKs must also be changed out frequently requiring a proper key management solution.

VirtuCrypt next-generation cloud payment HSMs can support the secure translation of sensitive cardholder data reducing PCI DSS compliance scope through the following PAN Translation Methods:

• DUKPT-to-DUKPT: data encrypted using DUKPT derived key translated to another DUKPT derived key
• DUKPT-to-Symmetric or Symmetric-to-DUKPT: data encrypted using DUKPT derived key translated to symmetric key, or vice-versa
• DUKPT-to-RSA with track data: translate and parse data from a key derived using DUKPT to an RSA public key with specific track data

Point-to-Point Encryption Key Management

To meet PCI compliance standards, a cost-effective key management stra