How to Subscribe to the payShield Cloud HSM Service
Please contact your local Thales Account Manager or Authorized Reseller for more information on how you can subscribe to this service.
On-boarding Process
Thales aims to make on-boarding to the payShield Cloud HSM service straightforward. The on-boarding steps are as follows:
- Data Center Selection: Thales hosts the HSMs in its secure data centers. It is recommended to select the hosted HSM region as close as possible to the payment application region. Example: US-East.
- HSM Subscriptions: Decide the number of HSM subscriptions you need based on your use cases and risk profile. Customers can opt to subscribe to HSMs in one or multiple data centers.
- Performance Option: Thales offers access to HSMs via a flexible subscription service; 60, 250 and 2500 cps performance options are available. Determine the subscription tier according to the payment workload.
- On-boarding form: You must complete the on-boarding form supplied by Thales. Thales uses the information provided to establish the connection between the cloud provider you have selected and the payShield Cloud HSM service.
  Pre-requisites to complete the on-boarding form:
  a. Create your cloud setup as specified in Connecting to payShield Cloud HSM Service.
  b. After the cloud setup is complete, provide the following information in the form.

     Cloud Provider   Tenant ID                  Region
     Amazon AWS       Customer Account ID        E.g., us-east-1
     MS Azure         ExpressRoute Service Key   E.g., East US
     Google GCP       Interconnect Pairing Key   E.g., us-east4

  c. For each HSM subscription, share the HSM and host application specific network details.

     HSM Network Configuration Details
     HSM Host port IP address
       • Host 1 and Host 2 IP (NOTE: Host 1 and Host 2 should be in the same subnet.)
       • Subnet Mask
       • Gateway IP
     Host Application IP range          E.g., 10.1.0.0/24
     HSM Management port IP address
       • Management IP
       • Subnet Mask
       • Gateway IP
     Management Application IP range    E.g., 10.1.2.0/24

- Place Order: After you have decided on the specification, proceed with ordering the subscription(s) in question. Log in to the DPoD platform and place your request for the payShield Cloud HSM service (see the section Service Provisioning on DPoD).
- HSM Provisioning: Thales provisions the HSM(s) on your behalf and configures the host and management IPs according to the details shared in the on-boarding form.
- HSM De-provisioning: After your subscription term is over, you must release the device via payShield Manager and then de-provision the service from the DPoD Marketplace. If the customer fails to release the HSM, for any reason whatsoever, Thales holds the right to reclaim the HSM and restore it to factory settings.
  • Thales has access to the HSM Auxiliary port to provision and de-provision the HSM. Thales does NOT have access to the crypto operations and LMK(s) in the HSM.
  • After Thales has configured the host and management port IP addresses, you will not be able to make any changes to them.
- Customer Dedicated Environment: Thales shares the information about the provisioned HSM and the customer cloud tenant details with the service provider to create a dedicated customer environment. The customer environment connects the provisioned HSMs to the customer cloud instance.
  • Additional information will be required from the customer to complete the connection between the hosted HSM and the public cloud instance. Thales will request this additional information during order fulfillment.
  • Each customer environment created is separate from every other environment.
- Perform HSM Configuration: The customer connects to the payShield HSM for HSM configuration and LMK management. Your applications connect to the HSMs residing in the data center via a high-performance, secure communication link. At this stage, you have full remote control and management of the HSMs. Subscribing to payShield Cloud HSM helps you deploy new HSMs for development, test, or production in days rather than weeks. Thales has no access to your sensitive data or cryptographic keys.
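Because the host and management port addresses cannot be changed once Thales has configured them, it is worth validating the network details in the on-boarding form before submitting it: Host 1 and Host 2 in one subnet, each gateway inside its port's subnet, and the application ranges given as valid CIDR networks. The Python below is an added example written for this page, not Thales code or part of the service or the form; the dictionary layout and the sample addresses are constructed, and the check that the host and management application ranges do not overlap is an extra precaution of this example rather than a rule stated on the form.

```python
"""Pre-flight checks for the HSM network details on the payShield Cloud HSM
on-boarding form. Added example, not Thales code; field names follow the form
as described above, sample values are constructed."""
import ipaddress


def check_port_config(port_ips, subnet_mask, gateway_ip, app_range):
    """Return a list of problems for one HSM port (host or management).

    port_ips    -- addresses assigned to the port (Host 1 and Host 2 for the
                   host port; the single Management IP for the management port)
    subnet_mask -- dotted subnet mask for those addresses
    gateway_ip  -- default gateway for the port
    app_range   -- CIDR range of the application hosts that reach this port
    """
    problems = []
    try:
        # The subnet is derived from the first port IP and the mask.
        network = ipaddress.IPv4Network(f"{port_ips[0]}/{subnet_mask}", strict=False)
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]

    # Form note: Host 1 and Host 2 should be in the same subnet.
    for ip in port_ips:
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"{ip!r} is not a valid IPv4 address")
            continue
        if addr not in network:
            problems.append(f"{ip} is not in subnet {network}")
        elif addr in (network.network_address, network.broadcast_address):
            problems.append(f"{ip} is the network or broadcast address of {network}")
    if len(set(port_ips)) != len(port_ips):
        problems.append("duplicate port IP")

    # The gateway must be reachable from the port's subnet and must not
    # collide with a port address.
    gw = ipaddress.IPv4Address(gateway_ip)
    if gw not in network:
        problems.append(f"gateway {gateway_ip} is not in subnet {network}")
    if gateway_ip in port_ips:
        problems.append(f"gateway {gateway_ip} collides with a port IP")

    # Application range must be a proper network (e.g. 10.1.0.0/24), not a host.
    try:
        ipaddress.IPv4Network(app_range, strict=True)
    except ValueError:
        problems.append(f"application range {app_range!r} is not a valid CIDR network")
    return problems


def check_onboarding_form(form):
    """Validate the host and management port sections of one HSM subscription."""
    host = form["hsm_host_port"]
    mgmt = form["hsm_management_port"]
    problems = ["host port: " + p for p in check_port_config(**host)]
    problems += ["management port: " + p for p in check_port_config(**mgmt)]

    # Assumption of this example (not a stated form rule): keep application
    # traffic and management traffic on disjoint ranges.
    try:
        h = ipaddress.IPv4Network(host["app_range"], strict=False)
        m = ipaddress.IPv4Network(mgmt["app_range"], strict=False)
        if h.overlaps(m):
            problems.append("host and management application ranges overlap")
    except ValueError:
        pass  # malformed ranges were already reported above
    return problems


# Constructed sample form: the values mirror the example ranges on the page.
SAMPLE_FORM = {
    "hsm_host_port": {
        "port_ips": ["10.1.1.10", "10.1.1.11"],
        "subnet_mask": "255.255.255.0",
        "gateway_ip": "10.1.1.1",
        "app_range": "10.1.0.0/24",
    },
    "hsm_management_port": {
        "port_ips": ["10.1.3.10"],
        "subnet_mask": "255.255.255.0",
        "gateway_ip": "10.1.3.1",
        "app_range": "10.1.2.0/24",
    },
}

if __name__ == "__main__":
    for problem in check_onboarding_form(SAMPLE_FORM) or ["form looks consistent"]:
        print(problem)
```

Run it against the form values before they are sent; an empty result means the details satisfy the checks above, and each reported line names the port and the field that needs correcting.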