Payment HSM Overview
Transaction Processing
and Card Issuance
Hermann Bauer
Business Development
SafeNet HSM Product Line – Functionalities and Target Use
(diagram: product families arranged by General Purpose Cryptographic APIs versus Payment/EFT Command Sets)
General Purpose/PKI HSMs
• Luna SA, SP, IS
• Luna G5 and HSM Backup Device
• Luna PCI / PCI-X
• ProtectServer Internal Express (PSIe), ProtectServer External (PSE)
• APIs: XML, PKCS#11, Microsoft CryptoAPI / CNG, Java JCA/JCE, OpenSSL
• Customization: Software Development Kit
Payment/EFT HSMs
• Luna EFT
• ProtectServer line: Subset of Mark II Cmd Set as FM
• International EFT/Payment Processing (MKII)
  Incl. Acquiring/Authorisation and Card Issuance
  Incl. End-to-End Online Banking Security (OBM)
• Australian Payment Processing (AMB/APCA)
• CAPS (US POS System)
• Hundreds of Customizations
Luna EFT – Payment HSM
EFT/EMV (TP and CI) HSM
• SafeNet’s current dedicated Payment HSM
• Card Issuance and Transaction Processing Security Functionality
• Positioned against Thales 8000/9000 series
Features/Characteristics
• 1U rack-mount size/dimension
• Fast & high-assurance HSM card (common platform with Luna HSM line)
• RoHS compliant
• FIPS 140-2 level 3 certification (#1524)
• PCI-HSM approved
• APCA & Amex certification
• PIN/Key Mailer on Laser Printer
• USB ports for SW upgrades/key backups and PIN/Key Mailer Printing
Communications Interfaces
• Low Speed: Async
• High Speed: (Raw) Ethernet, TCP/IP over Ethernet
Performance Levels
• Low (60), Medium (140, 280), High (1200, 1600), measured in Visa PIN Verifies per second
Large Internal Key Store
HSM- and Host-stored Key Management
Different Command Sets
• Mark II, AMB, CAPS, Custom
In-field Upgradeable
• Performance, Connectivity, Command Sets
Integration with many Payment products
• Modern, up-to-date HSM architecture in 1U chassis
• PCI-HSM and FIPS 140-2 level 3 certification
• Flexible key management (HSM-stored keys, host-stored keys or a mix)
• User-friendly & intuitive GUI-based administration and management
• Large internal, configurable secure key storage (up to 9,999 slots per key type)
• High performance throughput (up to 1600 tps)
• In-field upgradeability (functionality, performance, connectivity)
• Combined Transaction Processing and Card Issuance/Personalisation support
• Two NICs supporting fail-over and network redundancy (multi-pathing)
• Smart Card based or Network-based Backup/Recovery of all (HSM-stored) Keys
• Remote HSM administration
• Multi-tenancy support (AES keys)
• Device monitoring via SNMP v3
• PCI-compliant auditing and logging
• Comprehensive, granular load sharing and timeout/error handling (via host API)
• No separate licenses, all included in standard package
• Attractive pricing
• Customization friendly
• Great support and service
Luna EFT – Remote HSM Management
Remote HSM Management is provided in the form of a bootable image
User authentication is done via the SafeNet eToken 72K Pro
• a portable two-factor USB authentication token with advanced smart card technology
Console operations
• Key Processing operations
• Configuration operations
Mark II – Payments Functionality
• EMV Scripting
• Visa Functions
• MasterCard Functions
• American Express Functions
• CEPS functions (electronic purse)
• 3D Secure Support
• Contactless (PayPass & PayWave)
• AS2805.6.3 Support Functions
• TR-31 Key Block
• ZKA functions (Germany)
• Italian ABI and debit support (Italy)
• APACS Support (UK)
• Online Banking Module
• HSM status functions
• Administrative functions
• KM change functions
• Transfer functions
• EFT terminal functions (incl. DUKPT)
• Remote ATM Initialization
• Interchange Functions
• PIN Management Functions
• MAC Management (3DES, HMAC-SHA2, AES)
• Data Ciphering Functions (3DES, AES, SEED, FPE)
• PIN Issuing Functions (incl. PIN mailer)
• EMV Card Issuance (Data Prep & Perso, e.g. GP)
• EMV Transaction Processing (incl. CAP & DPA)
One of multiple Payment command sets for Luna EFT
International Payment Transaction Processing & Card Issuance functionality
Mark II functionality covers approx. 200 commands
ProtectServer Internal Express EFT
ProtectServer External EFT
• Low-cost, low performance, entry-level EFT HSM
• Supported OS (all 32-bit and 64-bit): Windows, Linux, Solaris, AIX
• Performance Level: 25 tps
• Key Entry through host or PIN/Key Entry Device
• Admin utilities
• Subset of Luna EFT Mark II facilities
Payment SW Vendors – HSM Integration
Payment Software Vendor | Product Name | Business Region Served
ACI | Base24-eps + TSS | Global
ACI / EPS | ASx | EE
ACI / S1 | Postilion | Global
ACI / S2 Systems | ON/2, OpeN/2 | MEA
ACI / Distra | e-switch | Global
AJB Software | RTS | Americas
Arius | Asoft | EMEA
Banksoft | BPS (Banksoft Pre-Personalisation System) | EMEA
BPC (Banking Production Centre) | SmartVista | Global
Compass Plus | Tranzware Online, Card Factory | EMEA, APAC
CR2 | BankWorld | EMEA
CSFI | u/SWITCHWARE | Global
CubeIQ | AlphaPIN | EMEA
Distra | e-switch | APAC, EMEA
FIS / EFunds / Oasis Technology | Connex, IST/Switch | Global
HPS | PowerCARD | EMEA
Interblocks | iSuite iSwitch | APAC, MEA
Interpro | Switch | Americas
i-Sprint | USO, AccessMatrix UAS | MEA
IWI | Net+1 | APAC
N&TS | ACFS | EMEA
OMA Emirates | EFT POS Application | MEA
OpenWay | Way4 EMV Issuance | EMEA, APAC
Opus / ECS | Electra EFT Switch | APAC, EMEA
RS2 | BankWorks | EMEA
S2M | SELECT | EMEA
Silverlake | SIBS | APAC
SmartSoft/CardTek | Ocean | EMEA
Sparkassen IT Solution | Payment Switch | EMEA
Sungard | CardPro | Americas, APAC
Tallyho | Online Switch Module | Americas, APAC
TAS | CARD | EMEA
TECS | TECS Payment System | EMEA
TietoEnator | TransMaster | EMEA
TPS | Iris (Phoenix), Access, Sentinel | EMEA
TSYS | CTL ONLINE, PRIME, NCRYPT | Global
Collis | EMV Host Toolkit, PVT | Global
Barnes International | CPT 3000 EMV PVT | EMEA
Role of HSM in Card Issuance Environment
(diagram: parties in the card issuance chain and where HSMs sit)
• Issuer (Bank, Government): Card Application Management System, Data Preparation System, HSM
• Chip Manufacturer: OS + Card Application, delivered as encrypted file(s)
• Card Manufacturer: Card Production System, HSM
• Personalizer / Personalization Bureau: Personalisation System, HSM
• Key exchange between the parties: KEK and KMC
Card Issuance Vendors – HSM Integration
Vendors (Smart Card; Card Management, Perso and Data Prep Software; Personalisation Equipment):
Gemalto, BellID / ACI, OpenWay, Datacard, G&D, Cryptomathic, TSYS CardTech, NBS, Oberthur, UbiQ, BPC, Mühlbauer, Safran Morpho (Sagem), Datacard / DCS, Compass Plus, Atlantic Zeiser / Böwe-CardTec, ST, CardTek/SmartSoft, Banksoft, CIM, Nagra, CardHall/Pronit, Maurer Electronics, Trüb, AustriaCard, OTI
Data Preparation/Personalisation/Card Management Systems
Integration with/Supplier to all major Smart Card, Card Management, Data Preparation, Personalisation SW and Personalisation Equipment Vendors via Luna EFT, PSIe or PSE