Your suggested change has been received. Thank you.

Free Registration
- Explore Thales Docs

Accounts
Services
Technical Resources
DPoD APIs

All

All
CipherTrust Manager
CipherTrust Application Data Protection (CADP)
CipherTrust Application Key Management (CAKM)
CipherTrust Batch Data Transformation (BDT)
CipherTrust Cloud Key Management (CCKM)
CipherTrust Data Discovery and Classification (DDC)
CipherTrust Data Protection Gateway (DPG)
CipherTrust Database Protection (CDP)
CipherTrust Intelligent Protection (CIP)
CipherTrust Integrations
CipherTrust Migrations
CipherTrust RESTful Data Protection (CRDP)
CipherTrust Transparent Encryption (CTE)
CipherTrust Transparent Encryption Userspace (CTE-U)
CipherTrust Secrets Management (CSM)
CipherTrust Vaulted Tokenization (CT-V)
CipherTrust Vaultless Tokenization (CT-VL)
CTE-Linux
CTE-Windows
CTE-AIX
CTE-K8s
CTE-U
Crypto Command Center
Data Protection on Demand
Luna Cloud HSM
Luna Network HSM
Luna PCIe HSM
Luna USB HSM
OneWelcome Identity Platform
ProtectApp LUKS
ProtectServer 2 HSM
ProtectServer 3 HSM
SafeNet Trusted Access (STA)
SafeNet MobilePASS+
SafeNet MobilePASS+ for Android
SafeNet MobilePASS+ for Chrome
SafeNet MobilePASS+ for macOS
SafeNet MobilePASS+ for iOS
SafeNet MobilePASS+ for WatchOS
SafeNet MobilePASS+ for Windows
SafeNet Synchronization Agent
SafeNet Logging Agent
SafeNet Agent for FreeRADIUS
SafeNet Agent for NPS
SafeNet Agent for Windows Logon
SafeNet Authentication Service Private Cloud Edition (SAS PCE)
SafeNet Remote Logging Agent
SafeNet Keycloak Agent
SafeNet IDPrime Virtual (IDPV)
SafeNet FIDO Key Manager
SafeNet FIDO Key Manager for Android
SafeNet FIDO Key Manager for iOS
SafeNet FIDO Key Manager for Windows

payShield Cloud HSM Service

Service Overview

Services
Luna Cloud HSM Services
Luna Cloud HSM Service Integrations
CipherTrust Key Management Services
- Key Broker for Salesforce
  - Adding a Key Broker for Salesforce Service
  - Managing a Key Broker for Salesforce Service
  - Setting a Rotation Policy
  - Migrating Key Broker for Salesforce to CipherTrust Data Security Platform as a Service
- Key Broker for Google Cloud EKM
  - Service Guide
  - Key Setup Guide
  - Key Use Guide
  - Frequently Asked Questions
  - Migrating Key Broker for Google Cloud EKM to CipherTrust Data Security Platform as a Service
- CipherTrust Data Security Platform as a Service
payShield Cloud Services
- payShield Cloud HSM Service
  - Service Overview
  - Prerequisites
  - Getting Started
    - payShield Cloud HSM Configuration/Subscription Options
    - How to Subscribe to the payShield Cloud HSM Service
  - Service Specifications
  - Connecting to the payShield Cloud HSM Service
    - Azure Connection Guide
    - GCP Connection Guide
    - AWS Connectiontion Guide
  - Service Provisioning from DPoD Platform
    - Trial Tier Provisioning
    - Production Tier Provisioning
    - View Sevice Status
  - HSM Management using payShield Manager
    - Preparing for HSM Commission
    - Steps to Commission payShield Manager
    - Adding Another HSM to the Security Domain
    - Transitioning between HSM States via payShield Manager
    - Viewing Network Interfaces in payShield Manager
  - HSM Deprovisioning
  - APPENDIX A - Glossary
  - APPENDIX B - DPoD Errors
- Point-to-Point Encryption
  - Adding a Point-to-Point Encryption Service
  - Using the service
  - P2PE CLI
    - p2pe key
    - p2pe service
    - p2pe tls
  - P2PE REST API
  - P2PE errors
  - Service Details
  - Frequently Asked Questions
Partner Services

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

DPoD Documentation
Services
payShield Cloud Services
payShield Cloud HSM Service
Service Overview

Service Overview

payShield Cloud HSM is a ‘bare metal’ hosted HSM service from Thales delivered using payShield 10K HSMs, providing you with the secure real-time, cryptographic processing capabilities required by your payment workloads running in any of the major public clouds. The service addresses the needs of both existing users of payment HSMs and new payment entrants looking to leverage hardware-based security for the first time. Thales is offering its customers a choice of deployment model, namely on-prem, cloud or hybrid (when a mixture of on-prem and cloud HSMs are utilized). Whatever model is chosen, consistent HSM functionality is available with the highest levels of security compliance.

When the payShield cloud HSM variant is deployed, the separation of roles between the end user of the service (you) and the service provider (in this case Thales) differs from the on-prem configuration (where Thales is not directly involved). With the cloud HSM, the physical infrastructure is managed by Thales, and the HSMs are housed in datacenters under Thales control with high-speed links being available if required to connect to public clouds running the application workloads.

Thales allocates each single-tenant HSM to you (the end user) as a part of the subscription service. You therefore have complete administrative control and exclusive access to the HSMs assigned to you under the chosen subscription – importantly you can configure each HSM to support multiple distinct applications or use cases (through the multiple LMK capability) in the same way you would perform secure segregation today with Thales on-prem payShield 10K HSMs. Once the HSM is allocated to you, Thales has no access to any of your data, cryptographic keys, or audit logs. Likewise, when you decide that the HSM is no longer required, all data and keys, belonging to you, are securely erased to ensure complete security and privacy. The HSM is then free to be assigned by Thales to another subscriber as required.

Note

The datacenters used to host the HSMs are PCI DSS certified. Also, the HSMs are PCI HSM v3 and FIPS certified, and the service will maintain ongoing compliance with PCI PIN audit requirements.

payShield Cloud HSM meets the stringent security requirements of the Payment Card Industry (PCI) and the individual payment brands and networks. It offers a high performance, low latency service that enables you to comply with the same payment security audits that apply to any on-prem HSM infrastructures you may be operating. In a hybrid scenario, you can use the same management and monitoring tools (payShield Manager and payShield TMD) and associated smart cards and readers for both on-prem and cloud HSMs.

This guide covers all the typical tasks that you will need to perform to enable your payment application to issue host commands to the HSM. The specific details of the host commands available for use are in the payShield 10K Core Host Commands Guide that you can download from the Customer Support Portal.

On this page

DPoD Documentation

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Services
Support
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Print

Suggest An Edit

Download this Page

Download Project