This document and its contents may not be used, copied, disclosed, or distributed for any purpose except in accordance with the terms and conditions of the Non-Disclosure Agreement executed between the PCI Security Standards Council LLC and your company. Please review the Non-Disclosure Agreement before reading this document.
Requirements for key-loading devices and HSM remote administration platform requirements added. Device Management Information submitted by vendors is now validated. See PCI PTS HSM - Summary of Requirements Changes from Version 2.0 to 3.0.
Note to Assessors
When protecting this document for use as a form, leave Section 12 (final page of this document) unprotected to allow for insertion of a device-specification sheet. Under “Tools / Protect Document,” select “Forms” then “Sections,” and un-check Section 12 as illustrated below.
Table of Contents
Document Changes 3
Note to Assessors 5
About This Document 7
Scope of the Document 7
Main Differences from Previous Version 8
Evaluation Domains 9
Device Management 9
Related Publications 11
Required Device Information 13
Optional Use of Variables in the Device Identifier 13
Evaluation Module 1: Core Requirements 14
A – Physical Security Requirements 15
B – Logical Security Requirements 16
C – Policy and Procedures 19
Evaluation Module 2: Key-Loading Devices 20
D – Key-Loading Devices 21
Evaluation Module 3: Remote Administration 22
E – Logical Security 23
F – Devices with Message Authentication Functionality 24
G – Devices with Key-Generation Functionality 25
H – Devices with Digital Signature Functionality 26
I – Device Security Requirements During Manufacturing 28
J – Device Security Requirements Between Manufacturer and Point of Initial Deployment 30
Compliance Declaration – General Information – Form A 32
Compliance Declaration Statement – Form B 33
Compliance Declaration Exception – Form C 34
Appendix A: Requirements Applicability Matrix 35
Appendix B: Applicability of Requirements 36
Device-Specification Sheet 52
About This Document
HSMs (Hardware Security Modules) play a critical role in helping to ensure the confidentiality and/or data integrity of financial transactions. Therefore, to help engender trust in the legitimacy of the financial transactions being supported, it is imperative that HSMs are appropriately secure during their entire lifecycle. This includes manufacturing, shipment, use, and decommissioning. The purpose of this document is to provide guidance and direction for appropriately designing HSMs to meet the security needs of the financial payments industry, and for protecting those HSMs up to the point of initial deployment. Other security requirements apply at the point of deployment for the management of HSMs involved with financial payments industry.
This document provides vendors with a list of all the security requirements against which their products will be evaluated in order to obtain Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) device approval.
HSMs may support a variety of payment-processing and cardholder-authentication applications and processes. The processes relevant to the full set of requirements outlined in this document are:
There are many other applications and processes that may utilize general-purpose HSMs, and which may necessitate the adoption of all or a subset of the requirements listed in this document. However this document does not aim to develop a standard for general-purpose HSMs for use outside of applications such as those listed above that are in support of a variety of payment-processing and cardholder-authentication applications and processes for the financial payments industry.