A history lesson
• RG7000 (7,000)
• RG6000 (3,000)
We’ll be talking only about payShield 9000
Information Security Systems
[Diagram: Host Computer sends a command to the HSM; the HSM returns a Response]
Command/Response API – Pros and Cons
Downsides:
• Functionality limited to what we offer
• Less of a problem for payment card systems
• “Gaps” can be filled by Custom Software
• Some customers like standard APIs – PKCS #11, CAPI
Reminder from last session – Card Payment Processing
[Diagram: Acquirer, Switch, Issuer; Transaction and Authorisation flows; the PIN Block is carried as Format B under Key B on one leg and Format C under Key C on the other]
Introduction to Thales Payment HSMs – March 2011
Examples of commands for transaction processing
Thales API supported by the major industry software
Physical Host interfaces
payShield 9000:
• Dual Gigabit Ethernet ports (TCP/IP & UDP) (from v1.1)
• Asynchronous
• FICON (new IBM fibre optic) – in development
HSM 8000:
• Single 100Mbit Ethernet port (TCP/IP & UDP)
• Asynchronous
• ESCON (obsolete IBM fibre optic)
• SNA/SDLC (obsolete IBM network)
• Hardware
• Base software package *
• Optional Licences
• Remote Management
• Custom software
• Accessories: cabinets, spare keys, rack-mount kits
• Professional services
• Support
Layout of the payShield 9000
[Diagram labels]
• Cover detector microswitches
• 4 USB ports
• 4 Ethernet ports
• Secure Crypto Sub-system (TSPP)
• Smart card reader
• Erase Button
• Left Keylock
• Right Keylock
• LEDs
• Main board
• Dual Power Supply Units
• 2 USB ports
• Restart Button
• Tamper Labels go here
Local Master Keys – LMKs
2 types:
• Variant – older, less secure, used by nearly all customers
• Key Block – new, more secure, little used – yet
Multiple LMKs:
• HSM can have up to 10 LMKs
• Managed by different security teams
• Allows multiple clients/applications on one HSM
• Makes refreshing of LMKs easier
• Unique to Thales payment HSMs
Hardware Options
About performance …
Software licenses – Base packages
Each payShield 9000 must have one – and only one – Base Package
Packages: HSM9-PAC001, HSM9-PAC010, HSM9-PAC020, HSM9-PAC030
Software licenses – optional items
[Table: Sales Order Code | License | Description]
Custom software
Local & Remote HSM Manager
Remote HSM Manager
Administrator smart card readers – simulate physical keys
Remote HSM Manager
Benefits:
• Modern graphical user interface (GUI)
• Fits in with organisation’s structure
• Avoids time & cost of travel
• Gets around restrictions on data centre access
Remote (and Local) HSM Manager GUI
Main certifications
payShield 9000:
• FIPS 140-2 Level 3 (TSPP crypto module only)
• PCI HSM (in progress)
• APCA (in progress)
• MEPS (Cartes Bancaires) (future)
HSM 8000:
• FIPS 140-2 Level 3 (SGSS crypto module only)
• APCA
• MEPS (Cartes Bancaires)
payShield 9000:
• Brochure
• Application Note
• Datasheet
HSM 8000:
• Brochure
• Application Note
• Datasheet
Application Notes
• Multiple LMKs
• Remote HSM Manager
• Remote Key Loading
• Support for EMV PIN Change
• Diagnostic Commands
• Multiple Authorised States
• Contactless Payments
• Message Encryption
Thales Payment HSMs
bernard.foot@thales-esecurity.com