Cloud Payment HSMs

Please Fill Out Form

to Request Document

Required Fields*

Cloud payment hardware security modules (HSM) are used to support a range of financial services critical to payment processing and acquiring, card and mobile issuance, and Point-to-Point Encryption (P2PE).

With VirtuCrypt, Futurex’s enterprise-grade cloud payment HSM service, organizations can create an end-to-end hardened security environment, supplement existing on-premises HSM ecosystems, and gain peace of mind that their core cryptographic infrastructure is secure, scalable, compliant, and highly available. 

What is a Cloud Payment Hardware Security Module (HSM)?

VirtuCrypt cloud payment HSMs are cloud-hosted Futurex HSMs, all validated under FIPS 140-2 Level 3 and PCI HSM standards, that can perform cryptographic operations for transaction processing and acquiring, card and mobile issuing, and Point-to-Point Encryption (P2PE). Through VirtuCrypt, financial organizations can utilize cloud-based Futurex HSMs while reaping the benefits of hosting in the cloud – complete flexibility, customization, reduced cost – as well as maintain the high standard of hardware security and encryption capabilities.


Native Integration with Public Clouds

As more businesses grow globally connected, the demand for cloud computing has increased. According to Gartner, the market for public cloud services is expected to reach $266.4 billion in 2020, growing 17 percent from the previous year. The threats against data security are growing as well, and users need protection without sacrificing cost and efficiency. An increasingly popular choice for public cloud usage is direct integration with other services and applications housed outside the public cloud itself. Integrating on-premises hardware with cloud-based applications or connecting Software-as-a-Service (SaaS) solutions to separate cloud applications, has allowed for sharing and unifying data and improving connectivity and visibility.

See it on AWS Marketplace!


VirtuCrypt cloud payment HSMs offer native integration with public clouds such as Amazon Web Services, with the following features:

  • VirtuCrypt Access Points: use a single set of cloud HSMs across multiple regions within a single public cloud provider
  • Connect applications spanning multiple public clouds to a single VirtuCrypt cloud HSM estate
  • CryptoTunnels: turnkey connection security between on-premises apps, cloud-hosted applications, and cloud HSMs
  • Public cloud integration allows account management, invoicing, and billing to be handled from a single interface

Financial Services & Cloud HSMs

Financial businesses can utilize VirtuCrypt cloud payment HSMs throughout the payment processing ecosystem. With an elastic nature like the cloud, VirtuCrypt can be variably configured & quickly integrated into critical financial acquiring, issuing, and P2PE processes.

Financial Acquiring

  • PIN Translation & Verification
  • EMV Validation
  • Message Authentication Code (MAC) Generation & Verification
  • Financial Key Management & Derivation
  • CVV Generation & Validation
  • Mobile Payment Acceptance

Financial Issuing

  • PIN & Offset Generation
  • Mobile & Web PIN Management
  • EMV Key Generation & Derivation
  • Mobile Payment Token Issuance

Point-to-Point Encryption (P2PE)

  • Cardholder Data Decryption (FPE & DUKPT)
  • Cardholder Data Translation
  • P2PE Key Management

Key Management Methods

When cloud payment HSMs are provisioned, securely loading encryption keys is a critical step to building a secure system. There are several methods in which administrators can securely load major keys into cloud payment HSMs including Bring Your Own Key (BYOK), key agent services, and HSM-generated keys.

Bring Your Own Key (BYOK)

Organizations requiring self-management of encryption keys to protect their most sensitive data can use the Bring Your Own Key (BYOK) methodology to confidently manage their keys in VirtuCrypt cloud payment HSMs. The Excrypt Touch is Futurex’s FIPS 140-2 Level 3 and PCI HSM validated tablet that allows organizations to securely manage their own encryption keys from anywhere in the world. With the Excrypt Touch, administrators can securely establish a remote TLS connection with mutual authentication and load clear master keys to VirtuCrypt cloud payment HSMs.

Transferring keys to VirtuCrypt cloud payment HSMs with the Excrypt Touch uses double encipherment for key components. Double encipherment adds additional security by requiring the components to be encrypted by two separate keys.

Key Agent Service

For organizations requiring key management assistance, Futurex’s CTGA-accredited key agent team can compliantly load keys into VirtuCrypt cloud payment HSMs. With this service, VirtuCrypt handles the compliant handling, loading, and storing of key components, but the ownership of the keys remains with the customer throughout this process. This method is most commonly used by financial services customers.

HSM-Generated Keys

Administrators can randomly generate major keys using the random number generator of their cloud HSMs, although this method of key management is very rarely used in financial environments. This is due to key exchange requirements between various stakeholders in the transaction processing workflow. Without sharing keys, these entities would not be able to communicate with each other.

VirtuCrypt Cloud Services Overview

VirtuCrypt, Futurex’s cloud hardware security module and key management platform, is an award-winning provider of enterprise-class cloud security services. VirtuCrypt provides cloud-based access to Futurex’s Hardened Enterprise Security Platform, a unique and innovative set of solutions for encryption, key management, tokenization, PKI & certificate authority, data protection, remote key loading for POS/ATM/IoT, and much more.

Service Structure

VirtuCrypt cloud payment HSMs are offered in several different models. Organizations can choose a model depending on what functionalities, level of throughput and redundancy they want, and whether they desire high availability.


A financial HSM can be customized to include whatever functionality is desired by your organization. VirtuCrypt’s cloud payment HSM service can be used with one of two different profiles: transaction acquiring, or card and mobile issuing.


In addition to throughput, organizations can choose from different redundancy options. Having a single HSM at one site offers no redundancy. With site redundancy, two HSMs are active at one site, which increases the dependability of the system. A step up from that is full redundancy. With four HSMs at two different sites, the system is completely protected against hardware failures and data loss due to a lack of backup.

High Availability

High availability goes beyond redundancy and can only be achieved through eliminating single points of failure, having reliable crossover or failover points, and reacting to failures in real-time. Configure your infrastructure to be highly available by configuring & automating redundant cloud HSMs with SLA-backed uptime.

Download Resources

Ready to See More?

The Technology Powering the Cloud

Excrypt Touch

Excrypt Touch

Compliantly and securely load keys and perform device configuration from anywhere in the world

  • Easily manage your worldwide data encryption presence from a single location
  • Capable of configuring multiple devices
  • Eliminates the manual process of transferring key components
  • Provides detailed audit records
  • FIPS 140-2 Level 3-compliant 
Excrypt SSP Enterprise v.2

Excrypt SSP Enterprise v.2

Protect your sensitive data and transactions with industry-leading security and speed:

  • Meets or exceeds industry compliance standards
  • Virtual HSMs allow for multiple independent data processing environments within a single physical platform
  • Increases the overall speed and functionality of your HSM network
Guardian Series 3

Guardian Series 3

Empower your administrators with centralized management, redundancy, device status monitoring, and more

  • Central management for Futurex devices
  • Comprehensive load distribution and automated failover
  • User-defined grouping for devices
  • Intuitive visual and logical user interface
  • Customized notifications, alerts, and status reports