Prerequisites
This section covers the facilities and people you will need, the accessories you can obtain from Thales and the public cloud subscriptions that are required when using cloud-based payment workloads.
Facilities
In addition to your HSMs being housed in secure, PCI-certified datacenters under Thales control, you will also need to have an appropriate, secure room with a dedicated laptop available to you (on your premises ideally) to perform security-sensitive tasks using the Thales-supplied HSM management tools (payShield Manager and payShield TMD). This is similar to what you would use today for any HSMs deployed on-premises.
Accessories
To access your HSMs via secure remote connections, you need some additional management tools designed by Thales. If you are an existing payShield HSM user, these are likely to be already available in your organization – if not, we recommend ordering from Thales or one of its approved resellers in advance of activating your subscription. The applications, accessories, and recommended quantities are as follows:
payShield Manager Smart Card Reader and Smart Cards
payShield Manager is the only solution you can use to perform secure remote management of each of your HSMs – it uses a standard browser interface (we support Chrome, Edge, and Firefox) running on a remote computer or laptop. As a minimum, you will require 1 smart card reader and 24 payShield Manager smart cards.
For backup and resilience, we recommend that you purchase the payShield Manager starter kit, which contains 2 smart card readers and a pack of 30 smart cards. The smart cards are proprietary to the payShield environment and are used in conjunction with payShield Manager to perform tasks including commissioning the HSM, user login, and device authorization. The same smart cards and readers can be used for both on-prem and cloud devices, if required.
For detailed information on commissioning payShield Manager using the associated smart cards, please see the payShield 10K Installation and User Guide, which you can download from the Customer Support Portal.
payShield Trusted Management Device (TMD) and Smart Cards
The Thales payShield TMD is a compact, intuitive, self-contained secure cryptographic device (SCD) that enables you to perform symmetric key management tasks including securely forming keys from separate components or splitting existing keys retrospectively into new components. payShield TMD generates and shares keys in a manner that is compliant with relevant security standards, including X9 TR-31, ANSI X9.24-1 and PCI PIN Security.
As per PCI PIN requirements, cleartext components should only be entered into an SCD when managing the HSM remotely – that is why you will require at least one TMD and a pack of 12 smart cards to load and manage symmetric keys (normally ZMKs or KEKs) which are shared in component form between different parties in the payments ecosystem. You can share the same TMD and smart cards between your on-prem and cloud HSMs, if required.
For detailed information on how to generate, manage and share keys using the payShield TMD, please see the payShield Trusted Management Device User Guide that you can download from the Customer Support Portal.
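To make the component handling described above concrete, here is an added Python illustration (not Thales code and not how the TMD is implemented): a constructed double-length TDES test key is split into three XOR components with DES odd parity and then recombined, following the XOR-component scheme referenced by X9.24. A real SCD also prints a key check value for each component so the receiving party can verify entry; that step is assumed to happen elsewhere and is not shown.

```python
import secrets


def adjust_parity(key: bytes) -> bytes:
    # DES convention: the low bit of each byte is a parity bit set so that the byte
    # has an odd number of 1 bits. It carries no key material, so any XOR result
    # is re-adjusted before use.
    out = bytearray()
    for b in key:
        data_bits = b & 0xFE
        even_ones = bin(data_bits).count("1") % 2 == 0
        out.append(data_bits | (1 if even_ones else 0))
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def combine_components(components: list[bytes]) -> bytes:
    # Forming a key from components: XOR all of them, then restore odd parity.
    if len(components) < 2:
        raise ValueError("at least two components are required")
    acc = components[0]
    for c in components[1:]:
        acc = xor_bytes(acc, c)
    return adjust_parity(acc)


def split_key(key: bytes, n: int) -> list[bytes]:
    # Splitting an existing key retrospectively: n-1 components are fresh random
    # odd-parity values, and the last is chosen so the XOR of all n yields the key.
    # Any n-1 components together are uniformly random and reveal nothing about it.
    if n < 2:
        raise ValueError("n must be at least 2")
    key = adjust_parity(key)
    parts = [adjust_parity(secrets.token_bytes(len(key))) for _ in range(n - 1)]
    last = key
    for p in parts:
        last = xor_bytes(last, p)
    parts.append(adjust_parity(last))
    return parts


# Constructed double-length TDES test key (not a production key).
TEST_KEY = adjust_parity(bytes.fromhex("0123456789ABCDEFFEDCBA9876543210"))
```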
Public Cloud Subscriptions
You will also need to subscribe to one or more of the public cloud service providers (CSPs) to run your payment applications that need to connect to the payShield Cloud HSM service. These are separate from the HSM subscriptions you purchase through Thales and are ordered directly through the CSPs in question. Thales currently has tested compatibility with Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). You should also select the CSP data-center location as close as possible to the Thales data-center where your cloud HSMs are hosted.
See Connecting to the payShield Cloud HSM Service to check the steps to connect with the above-mentioned cloud service providers to start accessing the payShield Cloud HSM Service offered by Thales.