Data Security and Key Management - Thales e-Security

Key Management Device (KMD)

Secure, flexible, and efficient key management for payment HSMs

The Thales e-Security Key Management Device (KMD) for payment HSMs is a compact tamper-resistant security module (TRSM) that enables keys to be formed securely from separate components in a manner that is compliant with relevant security standards including X9 TR-39, ANSI X9.24-1 and PCI PIN Security. Unlike the traditional approach, this critical key management task can be carried out without any physical connection to a production hardware security module (HSM), providing greater operational flexibility without compromising security. A single KMD can form keys for multiple payment HSMs using different local master keys (LMKs). With its touch screen graphical user interface, the KMD is simple and intuitive to operate, and is compatible with the full range of Thales payment HSMs including the award-winning payShield 9000 and legacy HSMs such as the HSM 8000. 

Benefits of Key Management Device (KMD)

  • Reduces operating costs by streamlining key management tasks.
  • Works with payShield 9000 and other Thales payment HSMs.
  • Complies with ANSI/ISO key management standards to simplify security audits.
  • Maximizes flexibility by managing keys for multiple HSMs and LMKs.

Key Management Device Features

Security Features 

  • Fully hardened, tamper-resistant device with full PCI PED approval provides high levels of protection against physical attack.
  • Method of forming keys from components using a tamper-resistant security module (TRSM) is compliant with the latest security requirements in the banking industry from ANSI, X9 and PCI.
  • HSM security officers also typically act as KMD Administrators and have complete control over functionality made available to KMD Operators, reducing the risk of a security breach.

Operational Features

  • Portable form factor with touch screen interface is convenient for use in an office environment or for carrying into the field.
  • Standalone operation enables personnel to import, export, and manage HSM keys without the need to interact with or visit transaction HSMs, saving time, reducing travel, and reducing operating costs.
  • The ability to manage keys for multiple HSMs with multiple LMKs from a single KMD maximizes efficiency.
  • Software upgrade capability provides a cost-effective method of satisfying future key management requirements.

Key Management Device (KMD) Options and Accessories


Power Supply Unit

The KMD is supplied with a power cable that is specific to the country/region of use. The countries supported are US, UK, Continental Europe, Australia, Italy, Denmark, Switzerland, Israel, India and Japan. 

Additional Smart Card Packs

The KMD supports two distinct roles, Administrator (analogous to HSM security officer) and Operator. The smart cards used by each role are programmed in a different secure manner and for security reasons are not interchangeable. To complement the smart cards supplied with KMD, customers can purchase additional Administrator and Operator smart cards in packs of 12.

Key Management Device (KMD) Specifications

Key management support

  • Compatible with variant local master keys (LMKs) used in Thales payment HSMs
    • payShield 9000
    • HSM 8000
    • RG7000
  • Compatible with Thales standard HSM LMK smart cards
  • Support for multiple LMKs in a single KMD device
  • Separate Administrator and Operator roles

Administration options

  • Administrator roles created by LMK component holders
  • Administrators assign roles to Operators
  • Dual control enforced for all Operator functions (including key management and system operations)

Physical security and certifications

  • Tamper-resistant and tamper-responsive device proven under PCI PED certification scheme
  • Two-factor authentication using ISO 7816 compliant smart cards
  • Key component management compliant with the following security standards
    • ANSI X9.24-1:2009
    • X9 TR-39/TG-3:2009
    • PCI PIN Security requirements V2.0:2008
