Financial Cloud HSMs
Financial cloud hardware security modules (HSM) are used to support a range of financial services critical to payment processing and acquiring, card and mobile issuance, and Point-to-Point Encryption (P2PE).
With VirtuCrypt, Futurex’s enterprise-grade financial cloud HSM service, organizations can create an end-to-end hardened security environment, supplement existing on-premises HSM ecosystems, and gain peace of mind that their core cryptographic infrastructure is secure, scalable, compliant, and highly available.
What is a Financial Cloud Hardware Security Module (HSM)?
VirtuCrypt financial cloud HSMs are cloud-hosted Futurex HSMs, all validated under FIPS 140-2 Level 3 and PCI HSM standards, that can perform cryptographic operations for transaction processing and acquiring, card and mobile issuing, and Point-to-Point Encryption (P2PE). Through VirtuCrypt, financial organizations can use cloud-based Futurex HSMs and gain the benefits of cloud hosting – flexibility, customization, and reduced cost – while maintaining the same standard of hardware security and encryption capability as on-premises HSMs.
Native Integration with Public Clouds
As more businesses become globally connected, the demand for cloud computing has increased. According to Gartner, the market for public cloud services is expected to reach $266.4 billion in 2020, growing 17 percent from the previous year. The threats against data security are growing as well, and users need protection without sacrificing cost or efficiency. An increasingly popular choice for public cloud usage is direct integration with other services and applications housed outside the public cloud itself. Integrating on-premises hardware with cloud-based applications, or connecting Software-as-a-Service (SaaS) solutions to separate cloud applications, allows data to be shared and unified while improving connectivity and visibility.
VirtuCrypt financial cloud HSMs offer native integration with public clouds such as Amazon Web Services, with the following features:
- VirtuCrypt Access Points: use a single set of cloud HSMs across multiple regions within a single public cloud provider
- Connect applications spanning multiple public clouds to a single VirtuCrypt cloud HSM estate
- CryptoTunnels: turnkey connection security between on-premises apps, cloud-hosted applications, and cloud HSMs
- Public cloud integration allows account management, invoicing, and billing to be handled from a single interface
Financial Services & Cloud HSMs
Financial businesses can use VirtuCrypt financial cloud HSMs throughout the payment processing ecosystem. Because the service is as elastic as the cloud it runs in, VirtuCrypt can be configured to the required scale and quickly integrated into critical financial acquiring, issuing, and P2PE processes.
- PIN Translation & Verification
- EMV Validation
- Message Authentication Code (MAC) Generation & Verification
- Financial Key Management & Derivation
- CVV Generation & Validation
- Mobile Payment Acceptance
- PIN & Offset Generation
- Mobile & Web PIN Management
- EMV Key Generation & Derivation
- Mobile Payment Token Issuance
Point-to-Point Encryption (P2PE)
- Cardholder Data Decryption (FPE & DUKPT)
- Cardholder Data Translation
- P2PE Key Management
Key Management Methods
When financial cloud HSMs are provisioned, securely loading encryption keys is a critical step in building a secure system. There are several methods by which administrators can securely load major keys into financial cloud HSMs, including Bring Your Own Key (BYOK), key agent services, and HSM-generated keys.
Bring Your Own Key (BYOK)
Organizations requiring self-management of encryption keys to protect their most sensitive data can use the Bring Your Own Key (BYOK) methodology to confidently manage their keys in VirtuCrypt financial cloud HSMs. The Excrypt Touch is Futurex’s FIPS 140-2 Level 3 and PCI HSM validated tablet that allows organizations to securely manage their own encryption keys from anywhere in the world. With the Excrypt Touch, administrators can securely establish a remote TLS connection with mutual authentication and load clear master keys to VirtuCrypt financial cloud HSMs.
Transferring keys to VirtuCrypt financial cloud HSMs with the Excrypt Touch uses double encipherment for key components. Double encipherment adds additional security by requiring the components to be encrypted by two separate keys.
Key Agent Service
For organizations requiring key management assistance, Futurex’s CTGA-accredited key agent team can compliantly load keys into VirtuCrypt financial cloud HSMs. With this service, VirtuCrypt takes on the compliant receipt, loading, and storage of key components, but ownership of the keys remains with the customer throughout the process. This method is most commonly used by financial services customers.
HSM-Generated Keys
Administrators can randomly generate major keys using the random number generator of their cloud HSMs, although this method of key management is very rarely used in financial environments. This is due to key exchange requirements between the various stakeholders in the transaction processing workflow: without sharing keys, these entities would not be able to communicate with each other.
VirtuCrypt Cloud Services Overview
VirtuCrypt, Futurex’s cloud hardware security module and key management platform, is an award-winning provider of enterprise-class cloud security services. VirtuCrypt provides cloud-based access to Futurex’s Hardened Enterprise Security Platform, a unique and innovative set of solutions for encryption, key management, tokenization, PKI & certificate authority, data protection, remote key loading for POS/ATM/IoT, and much more.
VirtuCrypt financial cloud HSMs are offered in several different models. Organizations choose a model based on the functionality they need, the level of throughput and redundancy they want, and whether they require high availability.
A financial HSM can be customized to include whatever functionality is desired by your organization. VirtuCrypt’s financial cloud HSM service can be used with one of two different profiles: transaction acquiring, or card and mobile issuing.
Financial cloud HSMs offer three different levels of throughput:
- Level One provides 250 transactions per second
- Level Two provides 600 transactions per second
- Level Three provides 1,000 transactions per second
Throughput is measured using 3DES PIN block translations. A higher throughput will allow for increased efficiency, but the desired level will depend on the size and needs of an organization. If additional throughput is desired, more HSMs can be added.
In addition to throughput, organizations can choose from different redundancy options. Having a single HSM at one site offers no redundancy. With site redundancy, two HSMs are active at one site, which increases the dependability of the system. A step up from that is full redundancy. With four HSMs at two different sites, the system is completely protected against hardware failures and data loss due to a lack of backup.
High availability goes beyond redundancy and can only be achieved by eliminating single points of failure, having reliable crossover or failover points, and reacting to failures in real time. Make your infrastructure highly available by configuring and automating redundant cloud HSMs backed by an SLA for uptime.
- Whitepaper: Service Overview - Financial Cloud HSMs
- Whitepaper: Integrating Public Clouds with Financial Cloud HSMs
The Technology Powering the Cloud
Compliantly and securely load keys and perform device configuration from anywhere in the world
- Easily manage your worldwide data encryption presence from a single location
- Capable of configuring multiple devices
- Eliminates the manual process of transferring key components
- Provides detailed audit records
- FIPS 140-2 Level 3-compliant
Excrypt SSP Enterprise v.2
Protect your sensitive data and transactions with industry-leading security and speed:
- Meets or exceeds industry compliance standards
- Virtual HSMs allow for multiple independent data processing environments within a single physical platform
- Increases the overall speed and functionality of your HSM network
Guardian Series 3
Empower your administrators with centralized management, redundancy, device status monitoring, and more
- Central management for Futurex devices
- Comprehensive load distribution and automated failover
- User-defined grouping for devices
- Intuitive visual and logical user interface
- Customized notifications, alerts, and status reports