Payment HSMs: The Future of Payment Security

Reading Time : 6 minutes

Keeping customer data is extremely important to instill a sense of safety into your customers, and to ensure no malicious actors can abuse their information. This is even more important in the payment industry. Institutions such as banks, ATM services, and other organizations that handle customer payment data must ensure that this customer payment data is kept safe and secure, especially if that data is stored in their databases.

Many different standards and regulations exist in the payment industry specifically to ensure organizations within this industry are following proper procedures to protect customer data. Standards like PCI-DSS (Payment Card Industry Data Security Standards), SOX (Sarbanes-Oxley Act), and GDPR (General Data Protection Regulation), along with the NIST’s (National Institute of Science and Technology) standards, exist to protect customer payment data and other sensitive customer data.

There are a number of different types of attacks that target the payment space, as this tends to be the type of information threat actors desire to steal from different businesses and organizations. Because of this, cybersecurity professionals and regulation authorities like the NIST have designed many different methods of thwarting these attacks as well.

Tools like code signing platforms, encryption, tokenization, and Public Key Infrastructure (PKI) allow organizations to follow specific regulations and best practices, as well as protect customer data to the best of their ability. Before we get into the specific method of using Payment Hardware Security Modules to protect your customer payment data, let us first take a look at some of the different types of attacks that occur in the payment industry.

Attacks focused on the Payment Space

There are many different types of cyber-attacks that occur across all industries, but let’s take a look at the ones that are focused on the payment industry:

• Man in the Middle Attacks

  Man in the Middle Attacks are common across all industries, it is not exclusive to just the payment industry. These attacks are stopped easily enough, but only with the right protection in place. The way a Man in the Middle attack occurs is exactly as the name suggests.

  When the source of a file sends a file or a document to its destination, the threat actor intercepts the data in transit and steals it before it can get to the destination. This is a huge issue if the data is in plaintext form when being sent to the destination.

  Plaintext refers to data that can be seen without any need to detokenize, decrypt, or unmask the data in question. Basically, anything that is not encrypted, tokenized, or otherwise obfuscated is considered plaintext.

  Man in the Middle attacks are much easier to get away from, however, if a method like encryption is utilized. If data is encrypted before it is sent in transit, then a Man in the Middle attack can occur, however, the attacker will not be able actually read or utilize the data unless they steal the encryption key as well.

• Stolen Credentials/Phishing Attacks

  Another common type of attack not just in the payment space are phishing attacks and attacks that steal credentials from users. I put these two together in one point because phishing attacks tend to focus on stealing credentials. Phishing attacks are attacks that you may see often in your email. A phishing attack involves sending out a falsified email with potentially a link to what looks like a trusted website.

  Usually, these types of attacks will send an email that looks like it is from a trusted bank saying that a cost has been incurred on your account and to click the link in the email to dispute it. Once you click on the link, it will likely lead you to a false website and have you put in your credentials for that bank.

  Once you enter the login details, nothing will happen that you can see, however, on the backend of the website, the threat actors are recording what you put in as your login details. Since you think this is the actual bank’s webpage, the attackers will use these credentials to log in to your bank account and steal all of your money.

  This is why your organization is likely so intent on ensuring you are trained in what a phishing attack looks like and that you are always alert that these attacks can occur on your work or personal email.

• Vulnerability Exploitation

  As I mentioned before, software based storage of encryption keys is a possibility, however, it leaves your keys open to vulnerability exploits that can be used anywhere on your computer. A vulnerability exploit is how most threat actors infect or otherwise infiltrate a victim’s computer.

  Vulnerabilities can occur anywhere that software is in use. This means that if you store keys in software based storage on your computer, any vulnerabilities that exist in the Operating System, applications on your computer, or in any other type of software on your computer, can be exploited by attackers to be used to steal your encryption keys.

  The only ways to get past these issues are to use a Hardware Security Module as opposed to software based encryption key storage, or if you must use software based key storage ensure you are always updating your Operating System, applications, and other software on your computer with the latest patches provided by the verified developers of the software, OS, etc.

• Brute Forcing

  One other common type of attack that occurs everywhere, even outside of the payment space, is brute forcing attacks. Brute forcing attacks are very simple and common attacks that occur most often on websites, especially bank websites. A brute force attack is where an attacker gets an email from a victim, or uses an assumed email list, and attempts to login into a webpage as that user.

  Usually, the threat actor will send a phishing attempt to the user at first to confirm their email address, and then from there they will run a brute forcing script on the website. This script will use a dictionary of common passwords and attempt them all on the website using the collected emails from their phishing campaign.

  This is a slow method of attack, but it can be extremely successful in the long run, as many people will use weak or reused passwords. The best method of deflecting attacks such as this is by having your organization’s login page lock out the user after multiple failed attempts to log in.

  If this is in place, then the threat actor will be locked out after 3 failed attempts and you can alert the victim that their email has been compromised.

What are HSMs?

Hardware Security Modules, or HSMs, are devices that are used in tandem with encryption, as these devices protect encryption keys. Encryption is a process of hiding the details of important data, like payment card information, a customer’s address, or a customer’s social security number. Using encryption keys, customer data can be passed through an encryption algorithm which then obscures the data by changing it into a random series of letters and numbers.

This works very well in tandem with a database, as the database can have a plethora of sensitive customer data within it, and then encryption can be run across the database. As long as the people who are trusted and need to read the data have access to the encryption keys within the HSM, they are able to view the data in plaintext form and utilize it as they need.

Going along with this topic, there are two different types of encryption: symmetric and asymmetric encryption. Symmetric encryption involves the use of a single encryption key to obscure Personally Identifiable Information.

This is a much weaker form of encryption than asymmetric encryption and thus is used only in certain circumstances. Asymmetric encryption utilizes two encryption keys, a public key, and a private key. These keys are mathematically linked to each other, and both are required for encryption and decryption to occur.

The public key, as the name suggests, is publicly available for anyone to view. This key is used for the process of decryption. The private key is kept secret and only the keypair creator can access and use that key. The private key is used for the process of encryption of data. The reason these keys are linked is to ensure data isn’t stolen in transit and encrypted with another key pair.

Since the end user will have access to the public key of the key pair, they can receive encrypted data they need that was encrypted with the private key of the key pair and ensure that no change has occurred with the data in the process of it being delivered. This stops specific attacks like Man in the Middle attacks.

Hardware Security Modules, or HSMs, store these keys used for encryption more securely than software based storage would. With software based storage of encryption keys, vulnerabilities in the operating system, other applications on the computer, or even phishing attacks via email can allow a threat actor to access a computer storing the keys and make it even easier to steal the encryption keys.

First, an attacker would have to get past security at the front desk which requires the organization to call ahead to allow them in. Then they would have to get past all the security doors to the HSMs. The HSMs are racked in the data center and the attacker would need to remove the HSM from the data center, take it out past security, and then crack the encryption within the HSM.

The HSM itself zeroizes itself when it detects it is being tampered with or moved when it should not be. Zeroization of an HSM means that the keys will all be wiped from the HSM, and the users of the HSM are required to restore those keys from a backup HSM. As you can tell, it is extremely difficult to steal the keys off these Hardware Security Modules, which is why they are so highly recommended.  

Payment VS General Purpose HSMs 

The above description of HSMs is a generalized description of most HSMs, however, there are multiple types of HSMs. One of the types of HSMs is a Payment HSM. Payment HSMs, as opposed to the normal type of HSM (General Purpose HSMs), are required in many different types of payment organizations.

Banks especially will be required to use these types of Hardware Security Modules in place of General Purpose HSMs, as banks follow stringent guidelines and regulations in every country. There are many blanket regulations that cover all countries, but each country may have its own regulations as well. GDPR is specific to the EU, for example.  

In regards to the capabilities of the Payment HSM vs the General Purpose HSM, payment HSMs not only meet regulations like GDPR, but they also have specific abilities general purpose HSMs do not. Payment HSMs have dual control management and they also provide specific cryptographic commands which make sure that the sensitive information being handled does not go out of the HSM.

Additionally, payment HSMs have different uses than general purpose HSMs. General purpose HSMs encrypt and decrypt data and are mainly utilized with digital signatures. Payment HSMs are instead used to generate, manage, and validate PINs, recharge cards, and validate the card during payment operations. As you can tell, payment HSMs were designed with ATMs and payment systems in mind, as opposed to just general purpose usage.  

Other Methods of Protecting Payment Systems 

Hardware Security Modules are not the only way to defend payment systems and locations, there are multiple other methods to utilize as well: 

• Tokenization

  Tokenization is a method of obscuring data that can be done either vaulted or vaultless. A token is data having no meaning or relation to the original sensitive data. A token acts as a place holder for the plaintext, allowing data to be used in a database without revealing the information it protects. Tokens are unique to each value and are random strings of information.

  If vaultless tokenization is in use, then there is no mathematical relationship between the token and the sensitive data, thus the tokenization process is irreversible and undecipherable. If a vault is used, then the process of detokenization is possible. The payment industry uses tokenization over encryption methods due to the simplicity of implementing tokenization, and the cost-efficiency of tokenization compared to other sensitive data protection methods. Another reason tokenization is used in the payment industry is for meeting compliance standards.

• Hashing

  Hashing is similar in some ways to encryption and tokenization, as it obscures data, however it is not possible to dehash data once it has been hashed. The data is passed through a hashing function and a hash digest is then created.

  Once it is in a hash digest format, the data cannot be unhashed. In this case, you need the original data to know what the original data was before hashing. In this case, hashing is less likely to be used as tokenization, and encryption in the payment industry tends to be the standard.

• Physical Security

  Along with encryption, tokenization, and hashing, physical security is also vital. Any servers or computers with customer payment data must be kept extremely secure. This can include security personnel, locks on server racks, or physically locking keys, passwords, etc, for the computers in a safe.

Conclusion 

Protecting data at every point, especially in the payment industry, is vital to the safety of customer data. This is where Encryption Consulting comes in, as we specialize in the protection of Personally Identifiable Information (PII) through the use of tools such as encryption, tokenization, HSMs, etc.

At Encryption Consulting, we can assist your organization with implementing different tools so that all your private payment and PII data of customers can be properly protected. This includes assistance with designing a plan for how to protect your data, exploring your data storage methods to design the best possible plan, and implementing this plan within your organization.

At Encryption Consulting, we also specialize in the design and implementation of HSMs as well, allowing us to assist you with any implementation of HSMs necessary for your organization. We also work with Public Key Infrastructure implementations, and we have our own code signing platform, CodeSign Secure. With our assistance, you can assure yourself that your organization is safe and secure in the encryption space. To inquire about any of our products or services, visit our website www.encryptionconsulting.com.