Thales payShield 10K
The hardware security module that secures the world’s payments
payShield 10K, the fifth generation of payment HSMs from Thales, delivers a suite of payment security functionality proven in critical environments including transaction processing, sensitive data protection, payment credential issuing, mobile card acceptance and payment tokenization. Like its predecessors over the past 30+ years, payShield 10K can be used throughout the global payment ecosystem by issuers, service providers, acquirers, processors and payment networks.
payShield 10K delivers a suite of payment security functionality proven in critical environments including transaction processing, sensitive data protection, payment credential issuing, mobile card acceptance and payment tokenisation.
- Simplifies deployment in dark data centers
- Delivers high resilience and availability
- Offers the broadest support of card and mobile applications in a timely manner
- Supports performance upgrades without hardware change
- Maintains backwards compatibility with all legacy Thales payment HSMs
You can confidently secure digital payments. Watch the Thales payShield 10K overview video.
Playing a fundamental security role for both face-to-face and digital remote payments, it delivers the necessary trust that underpins the communications between payments participants. payShield 10K addresses the latest mandated security requirements and best practices for a wide range of organizations including EMVCo, PCI SSC, GlobalPlatform, Multos, ANSI and the various global and regional payment brands and networks.
Benefit
Simplify deployment
Our payment HSMs are capable of being securely configured, managed and monitored remotely from locations of convenience to reduce your costs and simplify your ongoing operations.
Maximize resilience
Equipped with dual hot-swappable power supplies and fans, our latest HSMs significantly increase the mean time between failure (MTBF) and simplify field maintenance.
Leverage proven integrations
Thales payment HSMs are the most widely deployed in the world and are supported by the largest number of payment application providers.
Common use cases
- Payment credential issuing – cards, mobile secure elements, wearables, connected devices and host card emulation (HCE) applications
- PIN routing
- Point to point encryption (P2PE)
- Security tokenization (for PCI DSS compliance)
- EMV payment tokenisation
- Card and mobile payment authorization
- POS, mPOS and SPoC key management
- PIN and EMV cryptogram validation
- Remote key loading
The choice of integrators
- Integration with all major payment authorization and
switching applications
Card/mobile payment support
- payShield 10K has a comprehensive range of functions that supports the needs of the leading payment brands (American Express, Discover, JCB, Mastercard, UnionPay and Visa) in a number of areas including:
- PIN and card verification functions for all major payment brands
- EMV transaction authorization and messaging
- Mobile payment transaction authorization and key management
- Remote Key Loading for ATM and POS devices
- Regional/National key management (including Australia,Germany and Italy)
- Mastercard On-behalf key management (OBKM) support
- Magnetic stripe and EMV-based data preparation and personalization including mobile provisioning
- PIN generation and printing
Cryptographic algorithms
- DES and Triple-DES key lengths 112 & 168 bit
- AES key lengths 128, 192 & 256 bit
- RSA (up to 4096 bit)
- HMAC, MD5, SHA-1, SHA-2
Financial services standards
- ISO: 9564, 10118, 11568, 13491, 16609
- ANSI: X3.92, X9.8, X9.9, X9.17, X9.19, X9.24, X9.31, X9.52, X9.97
- ASC X9 TR-31, X9
Physical security
- Tamper resistant and responsive design
- Sensitive data erased immediately in the event of any tamper attack
- Alarm triggers for motion, voltage and temperature
Logical security
- Local Master Key (LMK) options – variant and key block
- Two-factor authentication (2FA) of security officers using smart cards
- Dual control authorization – physical keys or smart cards
- Strongest security settings implemented by default
- Audit logs with user control over the scope of events recorded
Product models and options
- Dual hot-swappable power supply units and fans standard across all models
- Range of performance levels – 25, 60, 250, 1000 & 2500 calls per second (cps)
- Remote management and monitoring options via payShield Manager, payShield Monitor and payShield Trusted Management Device (TMD)
- Format preserving encryption (FPE) options
- Multiple LMK options – up to 20 partitions per HSM
Host connectivity
- TCP/IP & UDP (1Gbps) – dual ports
- Secure Host Communications Management option for TLS authenticated sessions on Ethernet host port
Security certifications
- FIPS 140-2 Level 3 (security sub-system)
- PCI HSM v3 (selected software versions)
Physical characteristics
- Form factor : 1U 19” rack mount
- Dimensions: 482.6 x 736.6 x 44.5mm (19 x 29 x 1.75”)
- Weight: 15.9 kg (35 Lbs)
- Electrical Supply: 90 to 264 VAC
- Power Consumption: 60W (maximum)
- Operating Temperature: 0 deg C to 40 deg C
- Transportation Temperature: -25 deg C to 70 deg C
- Storage Temperature: -5 deg C to 45 deg C
- Humidity: 10% to 90% (non-condensing)
Safety and environmental compliances
- UL, UL/CA, UL-AR, CE, BIS, FCC, Canada ICES, RCM, KC, VCCI
- RoHS2, REACH, WEEE
Top 10 reasons for migrating to payShield 10K now
Reduce costs
1. Slimmer form factor
Data center space is expensive. With payShield 10K we have reduced the height of the unit to 1U which means that you can stack twice as many units in the rack than you could with payShield 9000, reducing the cost of your real estate. The unit is now longer to make it easier to get to the connectors on the rear panel and comes supplied with sliding rails to help simplify and fast track the installation process. The front panel design retains the familiar left and right key mechanisms so that you can securely lock the HSM into the rack
2. Lower power consumption
Each watt of power a device requires increases your data center energy and cooling costs. With our new payShield 10K design we have, leveraged the latest energy-efficient components and power management techniques to lower the overall power consumption, even when operating at twice the cryptographic performance, by 40%. This undoubtedly will assist in driving down your data center electricity bill and contribute to your company reaching its “green goals”.
3. Higher resilience & availability
Planned downtime is still downtime. Being forced to take an HSM offline for routine configuration tasks or to replace a faulty power supply can adversely affect the availability of your financial services infrastructure. We have improved the physical design with payShield 10K by providing dual hot swappable power supplies and fans as standard which improves MTBF by a factor of 14, delivering very high predicted uptime. As part of our mission to help keep your payShield 10K running 24 x 7, we now perform additional background monitoring of HSM system processes and application code – if problems are detected, they are rectified automatically without any intervention required by you.
Streamline operations
4. Faster firmware updates
Loading firmware usually means taking the HSM offline for several minutes. With payShield 10K the firmware update workflow process has been reduced by more than a factor of 10 while still maintaining all the necessary security checks for code authenticity and integrity. Reliability and ease of use aspects have also been improved such that if power or connectivity interruptions occur, the loading process will recover automatically to minimize the possibility that the HSM may be rendered inactive
5. Clearer visual indicators
payShield 10K has a simple, uncluttered front panel design which displays a red warning triangle when a tamper event has occurred. It is obvious when all is well as the left handle of the front panel is illuminated in white and if the regular background health checks discover a problem the handle turns to red. To help identify which HSM in a rack may need scheduled work or attention, the operations team can now quickly direct local staff to the HSM requiring support by illuminating front and rear maintenance lights using their payShield Manager. In addition the front light illuminates the serial number of the unit, making it easier to read if required. These are just a few of the time saving features we have introduced, some inspired by customer feedback.
6. Simpler key erasure confirmation
Sometimes it is necessary to move an HSM out of a production environment to another less secure location. Under various security audit constraints the critical keys such as the live LMKs must not be present when the unit is in the new location. payShield 10K contains a dedicated key erasure confirmation light on the rear panel to provide assurance that no sensitive keys or data reside in the unit and it is safe to decommission. This enhanced approach to key erasure provides confirmation even after the unit has been powered off.
Be prepared
7. Stronger tamper protection
payShield 10K has multiple levels of tamper detection which (when activated) erase keys and sensitive data in the event of an attack. A fully locked-down lid (with no ability to open without causing significant damage to the device) is also used to increase the complexity for any attacker. Attempts to gain access inside the inner security module cause the device to be permanently disabled.
8. Broader cryptographic support
To support new payment methods payShield 10K is capable of leveraging very fast hardware-based ECC processing in addition to the legacy 3DES, AES and RSA algorithms. Many of the emerging payment credential issuing use cases utilize ECC rather than RSA especially when the payment instrument is a mobile, IoT or connected device. payShield 10K is ready to be enhanced to support a much broader range of cryptographic algorithms and mechanisms as they become formalized as part of the increasing range of payment security specifications.
9. Greater maximum performance
Card payments and digital online payments are growing year on year, requiring you to constantly monitor and upgrade your processing bandwidth. payShield 10K offers significantly higher RSA and 3DES performance than its predecessors which may reduce the number of payShield devices deployed and lower your costs. This faster cryptographic engine also provides a more consistent and predictable performance across all host commands, even in situations of heavy load and when TLS-based secure communications are in use.
10. Superior service architecture
As the payments world increasingly looks towards new deployment models involving a mixture of private and public clouds, payShield 10K has been specifically designed to offer secure remote management and monitoring delivering a true ‘no touch’ experience. This supports multiple types of payment service offerings and offers more capabilities to run functions securely in a broader range of operating environments.