Designed specifically for payments applications, payShield 9000 from Thales e-Security is a proven hardware security module (HSM) that performs tasks such as PIN protection and validation, transaction processing, payment card issuance, and key management. payShield 9000 is the most widely deployed payment HSM in the world, used in an estimated 80% of all payment card transactions. The payShield 9000 design benefits from over 25 years of Thales experience with payment system security, giving organizations confidence in a state-of-the-art solution that delivers an ideal combination of security and operational ease. The payShield 9000 device is deployed as an external peripheral for mainframes and servers running card issuing and payment processing software applications for the electronic payments industry, delivering high assurance protection for Automated Teller Machine (ATM) and Point of Sale (POS) credit and debit card transactions. The cryptographic functionality and management features of payShield 9000 meet or exceed the card application and security audit requirements of the major international card schemes, including American Express, Discover, JCB, MasterCard, UnionPay, and Visa. payShield 9000 is certified to FIPS 140-2 level 3 and is also available in configurations certified to the PCI HSM v1.0 specification as published by the PCI Security Standards Council.
payShield 9000 Features
PCI HSM security certification on selected configurations enables users to plan their migration to PCI compliant environments in advance of anticipated future card scheme mandates.
Multiple local master keys (LMKs) in a single HSM provide cryptographic isolation between different applications or tenants that share a common HSM. This is ideally suited to service bureaus, which can establish complete key database separation between their multiple banking clients.
Optional Key Management Device (KMD) enables security staff to manage key components, reconstitute keys, and export application keys in a highly secure portable device without the need to make a physical connection to a production HSM.
Secure audit trail satisfies the requirements of the latest banking industry security audit standards and provides peace of mind that all security-sensitive operations being carried out on the HSM are recorded and available for review.
Optional Remote HSM Manager lowers operating costs and enables a security team from a central location to manage multiple HSMs in multiple data centers without the need for travel.
Utilization statistics enable users to monitor the commands being performed over any user-selected time period in order to assist with capacity planning and avoid performance bottlenecks.
High resilience features in the form of dual power supplies and dual Ethernet host ports provide maximum uptime and flexibility in data center maintenance and support.
Software-upgradeable and customizable functionality enables organizations to maximize the value of their initial hardware investment and to satisfy their specific requirements in a cost-effective, secure, and timely manner.
payShield 9000 Specifications
Cryptographic Algorithms Supported:
DES and Triple DES (key lengths 112 bit, 168 bit)
AES (key lengths 128 bit, 192 bit, 256 bit)
RSA (key lengths up to 2048 bit)
Security Certifications:
FIPS 140-2 level 3
PCI HSM V1 (selected configurations only)
Key Management Support:
Thales Key Block (compliant with ANSI X9.24; superset of X9 TR-31)
X9 TR-31 Key Block
RSA Public Key
DUKPT for PIN and data encryption
Master/Session Key Scheme
Racal Transaction Key Scheme
Host Connectivity:
TCP/IP and UDP (10, 100, 1000 Base-T) dual ports for resilience
OpenWay: Way4, Way4 Data Preparation and Card Personalisation
Prime Factors: Bank Card Security System
Royal Gate: Paygate
RS2: Bankworks, Bankworks Issuing
Tieto: Payment Suite, Card Suite
TII Smart Solutions: TranServer
TPS: IRIS Enterprise Switch
TSYS: Prime, Prime Issuer
Wincor Nixdorf: ProcClassic/Enterprise
Base Software Packages
Each payShield 9000 is configured with one of a selection of base software packages that closely reflect the intended usage of the product. The range of packages currently supported includes functionality relevant to transaction processing, magnetic stripe card issuing, EMV card issuing, point-to-point encryption (P2PE), mobile point-of-sale (mPOS), and mobile payments.
Optional Software Licenses
In addition to the base software package, additional functions can be added through a series of optional licenses which can be purchased independently and installed at any time throughout the product lifecycle. The functionality supported by the various optional licenses includes secure host communications, user authentication, data protection, enhanced key management (including multiple LMK support), regional payment options, high performance RSA key generation, and PIN/key mailer printing.
payShield 9000 is available in a range of performance levels. As transaction volumes grow, the customer has the option to deploy additional HSMs to meet the higher load requirements or, if applicable, to purchase a performance upgrade for an existing HSM. The performance upgrade has the advantage of requiring just an upgraded software license to be applied, with no physical hardware changes necessary.
Remote HSM Manager
As an alternative to the Local HSM Manager supplied as standard with payShield 9000 (which requires a direct physical connection to the HSM), Remote HSM Manager is a separate standalone system (running on a remote PC/laptop) which provides the ability to perform all administration tasks remotely from the data center, without the need for the security team to be in the physical presence of the HSM.
Key Management Device
The Key Management Device (KMD) is a standalone handheld device that supports the forming of a key from its constituent components in a highly secure manner without the need to have a physical connection to a production HSM.
Security Resource Manager (SRM) for Tandem Host Systems
The Tandem SRM is a software application that runs on the Tandem host system and is the interface between the host payment application and the bank of HSMs. Its main purpose is to provide load balancing and resilience, enabling the host application to communicate through a simple interface to the SRM without having to manage the complexity of multiple HSMs, which appear to it as a single logical HSM resource.
Security Resource Manager (SRM) for IBM Host Systems
The IBM SRM is a software application that runs on the IBM host system and is the interface between the host payment application and the bank of HSMs. Its main purpose is to provide load balancing and resilience, enabling the host application to communicate through a simple interface to the SRM without having to manage the complexity of multiple HSMs, which appear to it as a single logical HSM resource.
Additional Smart Cards
Each payShield 9000 is shipped with a set of blank LMK component cards together with test LMK cards. Additional packs of 6 cards are available to assist with individual user configurations where a large number of cards are necessary to meet operational and security requirements across multiple data centers. All smart cards can be used with all current and legacy Thales payment HSMs: payShield 9000, HSM 8000 and RG7000.
Cabinets and Runner Kits
Customers can choose from a wide range of cabinets of different heights to suit their individual data center storage requirements. Complementary runners are available as kits to fit to the sides of the payShield 9000.
Replacement Locks and Keys
payShield 9000 uses two highly secure locks with associated keys on the front panel as part of the security administration procedures. The items are tightly controlled and registered and are not available on the open market. Thales provides a lock replacement and additional key supply service where, for example, locks are damaged or keys are lost.
Legacy Cable Adapters
payShield 9000 makes use of USB ports on its rear panel to provide connectivity for peripherals such as consoles and printers. In the legacy range of payment HSMs, RS232 D-Type or Centronics parallel printer ports were supplied. For customers needing to reuse legacy cables, Thales is able to provide adapters to convert the end of the cables to the USB format.