Do you want the good news or the bad news?
John Cragg, CEO at Payment HSM as a Service provider MYHSM, considers the announcement by Thales to upgrade their payShield product family, and what this means for users.
6000, 7000, 8000, 9000 – and now 10K
MYHSM uses the Thales payShield family for our Payment HSM as a Service. When we started building the MYHSM service, we were using the latest payShield model – the payShield 9000. We knew a newer model was coming, and were confident in Thales’ track record of ensuring backwards compatibility of the API.
Sure enough, the new 10K was introduced while we were still building the MYHSM service. We were involved in the 10K Beta Test programme and were able to satisfy ourselves on the backwards compatibility aspect.
We were however somewhat surprised at Thales’ aggressive timetable for end-of-lifeing the 9000: whilst support for the 9000 continues to December 2022, sales of the 9000 cease in June 2020.
Do payShield 9000 users have to move to 10K?
Effectively, yes. Buying a 9000 doesn’t make much sense with such a short life and no current PCI PTS HSM certification.
Even if users don’t need new HSMs, they need to migrate to 10K by the end of 2022. It’s not that their 9000s will stop working on 1st January 2023. But PCI standards – DSS in particular – require users to apply the HSM vendor’s current patches – and these will only be available on the 10K.
So, what’s the good news?
Most importantly, user applications will continue to work without modification. And the basic management mechanisms are the same – left/right keys, smartcards, console, payShield Manager. But that’s just maintaining the status quo – what about the positives?
The top-end 10K model provides about 67% more throughput than the fastest 9000 model. This will be a great benefit to MYHSM service users as we will be able offer greater economies of scale when sharing Payment HSMs between users.
The infrastructure and management costs of Payment HSMs are high – that’s why a service like MYHSM’s is so attractive compared with the traditional own-and-operate model. The 10K enhancements provide some relief in this area – 1U chassis instead of 2U, lower power consumption, hot-swap power supplies and fans, greater MTBF, faster firmware updates.
There is stronger tamper protection, and the 10K is certified against the latest v3 PCI PTS HSM standard, whereas the 9000 v1 certification has expired.
It is important to recognise that this is the start of the road for the 10K – future developments that would not have been possible on the 9000 will appear on the 10K. For example, Thales are promising ECC capabilities. We have already given Thales a shopping list of enhancements to benefit our service.
OK – and the bad news?
The first that comes to mind is the cost of buying new HSMs. And don’t forget the costs of secure disposal of the old HSMs – you can’t just dump them in a skip. But these costs are just the tip of the iceberg.
The process of moving from one HSM to another – even within the same product family – needs a lot of planning, effort, time, and resource. There will be a testing regime which may involve a PoC and Pilot. You will have to figure out how to introduce the new models without interrupting service, and how to roll back in the event of a problem.
Although the management principles on the 10K are similar to the 9000, there are differences – such as the interpretation of status indicators and firmware update procedures. So your staff will need re-training, and all your procedures (e.g. for PCI compliance) will need to be reviewed and modified. And if you never migrated from HSM Manager to payShield Manager on the 9000, you’ll have no choice now.
And, like mowing the lawn, you’re going to have to keep doing this. Here’s to the payShield 11K in seven years’ time …
And now the really good news
MYHSM brings a specialised cloud-based service which gives you access to Payment HSMs as a Service. You can enjoy the benefits that each new generation of Payment HSM brings, and leave the pain with MYHSM.