Time for change?

Bernard Foot, Strategy Analyst at MYHSM, muses on the opportunities banks and other organisations involved in the payments industries have to change the Payment HSMs they are using.

It’s not just a PC

A lot of IT infrastructure has become a commodity. If you want to upgrade your desktop PCs or servers, it certainly needs money and effort, but it’s a known quantity and relatively easy to switch to a different supplier. Your software and skills will be transferable to your new platforms.

But it’s not really like that with Payment HSMs. Each brand of Payment HSM has its own API and UI, and so ripping out the old and bringing in a new type of HSM burns money, time and effort – in amending application software, retraining staff, and rewriting procedures (such as those required for PCI audits).

This has been a double-edged sword for Payment HSM vendors – making it easier to retain their users, but more difficult to win over their competitors’ customers. From the user’s point of view, they may feel locked in to a vendor they selected decades ago.

So is the selection of which Payment HSM to use a decision for life? Fortunately not – there are a number of opportunities that can be seized upon to review what is the best path for the organisation going forward.

Internal triggers for change

An understandable inclination is to maintain the legacy Payment HSM strategy, perhaps on the principle that if it ain’t broke, don’t fix it.

But actually there are circumstances where the user organisation can profit by reviewing their strategy – especially when there are major changes such as:

• a new system being developed, for example to launch new products and services. There are often few barriers to deploying a different approach to that of legacy systems.
• serious surgery is being done on the IT infrastructure. In the context of the whole IT infrastructure, the HSM estate is small beer, so even if there is life left in the existing HSMs this shouldn’t limit the options going forward.
• consolidation following mergers and acquisitions. There will probably be a plan to deploy one type of HSM across the whole organisation.
• changes in the supplier community. Vendors of Payment HSMs may be taken over by competitors, possibly resulting in the withdrawal of product lines. Or a vendor may drop out of the market altogether.
• vendors bring out new models . Users of Thales payShield HSMs are in exactly this position right now following the announcement of the withdrawal of the payShield 9000. Users have to move off the older models to retain vendor support for security updates, as required by PCI. The decision may well be to stick with the same product family for backwards compatibility. But there is the opportunity to review how the Payment HSM capability is to be acquired – continuing with the traditional own-and-operate approach or switching to a modern cloud-based services.

Environmental triggers for change

And what about environmental circumstances that might trigger a change? The big change that we are in the middle of is the dash to the cloud: according to research by the Ponemon Institute*, by 2021 an average of 53 percent of all IT and data processing requirements will be in the cloud.

Operating Payment HSMs on-premise doesn’t make sense in an environment where the rest of the IT infrastructure is going into the cloud.

Grasping the opportunity

So there are a number of trigger points where it makes sense to review the choice of HSM.

But it’s definitely a good time to review the how of obtaining HSM capability – whether to move from an on-premise model to a service model. The cloud providers don’t offer Payment HSM as a Service – but that’s where the strength of specialised Payment HSM as a Service providers like MYHSM are important: organisations can fulfil their cloud-oriented goals with a cost effective alternative to owning and operating Payment HSMs.

* Ponemon Institute: Protecting Data In The Cloud – 2019 Thales Cloud Security Study

For more information about MYHSM and its services, please visit www.myhsm.com .