Skip to main content

What is the role of payment HSMs?

Payment HSM utilization is typically split into two main categories: payment acquiring, and card and mobile issuing. Point-to-point encryption is an important part of payment acquiring.

Payment Acquiring

Payment acquiring is how merchants and banks process transactions, either through traditional card-based transactions or mobile payments.

PIN (translation and verification)
  • 3DES and AES PIN blocks
  • All PIN validation methods (ISO 8583, Visa, and many others)
CVV generation and validation
  • All card brands (Visa, MasterCard, Amex, Discover, and others)
  • All variations (CVV, CVV2, CVC, CVC2, Dynamic CVV, etc.)
EMV validation
  • ARQC validation and ARPC generation
  • All current and past key derivation methods
Message Authentication Code (MAC) generation and verification
  •  ISO 9797 Part 3 (financial MAC)
  • CMAC
Key management
  • Network key exchange
  • Key derivation methods (DUKPT, ISO 800-108)
Mobile payment acceptance
  • Google Pay, Apple Pay, and Samsung Pay token acceptance
Card and Mobile Issuing

Card and mobile issuing refers to how banks issue payment cards and provisioning mobile payment tokens.

PIN (PIN & offset generation)
  • IBM 3624, Visa, Diebold
Online & mobile PIN management
  • Supports translating PIN from RSA to symmetric PIN block
  • Asymmetric cryptography for mobile app integration
EMV key generation & derivation
  • Supports card personalization and data preparation
  • All current and past key derivation methods
Mobile payment token issuance
  • Google Pay, Apple Pay, and Samsung Pay token issuance

Due to PCI regulatory requirements, acquiring and issuing processes are typically carried out in separate HSMs. This restriction does not apply to organizations beyond the scope of PCI, however.

Point-to-Point Encryption (P2PE)

P2PE is a compliance standard developed by the PCI Security Standards Council. The P2PE standard is the framework by which organizations encrypt card data as soon as it is captured by a payment terminal. It is a function of payment acquiring. Doing so avoids sending card data “in the clear” through merchant networks, increasing data security in general.

Cardholder data decryption
  • Supports 3DES and AES P2PE
  • Supports multiple key derivation method, including DUKPT
  • Supports Format Preserving Encryption, including VAES and BPS
Cardholder data translation
  • Supports translating to processor-specific data formats
  • Supports multiple cipher translations
Point-to-Point Encryption key management
  • Full point-to-point key management lifecycle supported, including distribution to relevant entities
Securing the world's most sensitive data.
Request Demo ▸