payShield 9000


Proven, scalable payment system security


Designed specifically for payments applications, payShield 9000 from Thales e-Security is a proven hardware security module (HSM) that performs tasks such as PIN protection and validation, transaction processing, payment card issuance, and key management. payShield 9000 is the most widely deployed payment HSM in the world, used in an estimated 80% of all payment card transactions. The payShield 9000 design benefits from over 25 years of Thales experience with payment system security, giving organizations confidence in a state-of-the-art solution that delivers an ideal combination of security and operational ease.

The payShield 9000 device is deployed as an external peripheral for mainframes and servers running card issuing and payment processing software applications for the electronic payments industry—delivering high assurance protection for Automated Teller Machine (ATM) and Point of Sale (POS) credit and debit card transactions.

The cryptographic functionality and management features of payShield 9000 meet or exceed the card application and security audit requirements of the major international card schemes, including American Express, Discover, JCB, MasterCard, UnionPay, and Visa. payShield 9000 is certified to FIPS 140-2 level 3 and is also available in configurations certified to the PCI HSM v1.0 specification as published by the PCI Security Standards Council.

Benefits of payShield 9000

  • Delivers comprehensive, certified security specially designed for card issuing and payment processing.
  • Provides off-the-shelf support for all major payment applications.
  • Maximizes business continuity with redundant hardware, field serviceable components, and support for clustering and failover.
  • Streamlines deployment and maintenance and reduces the cost of compliance with a choice of software options tailored for issuers, processors, and acquirers.
  • Offers a range of scalable, high-performance models, so you pay only for the capacity you need. 

    

payShield 9000 Features

Security Features  

  • PCI HSM security certification on selected configurations enables users to plan their migration to PCI compliant environments in advance of anticipated future card scheme mandates.
  • Multiple local master keys (LMKs) in a single HSM provide cryptographic isolation between different applications or tenants that share a common HSM. This is ideally suited to service bureaus who can establish complete key database separation between their multiple banking clients.
  • Optional Key Management Device (KMD) enables security staff to manage key components, reconstitute keys, and export application keys in a highly secure portable device without the need to make a physical connection to a production HSM.
  • Secure audit trail satisfies the requirements of the latest banking industry security audit standards and provides peace of mind that all security-sensitive operations being carried out on the HSM are recorded and available for review. 

Operational Features 

  • Optional Remote HSM Manager lowers operating costs and enables a security team from a central location to manage multiple HSMs in multiple data centers without the need for travel.
  • Utilization statistics enable users to monitor the commands being performed over any user-selected time period in order to assist with capacity planning and avoid performance bottlenecks.
  • High resilience features in the form of dual power supplies and dual Ethernet host ports provide maximum uptime and provide flexibility in data center maintenance and support.
  • Software-upgradeable and customizable functionality enables organizations to maximize the value of their initial hardware investment and to satisfy their specific requirements in a cost effective, secure, and timely manner.

payShield 9000 Options & Accessories




Base Software Packages

Each payShield 9000 is configured with one of a selection of base software packages that closely reflect the intended usage of the product. The range of packages currently supported includes functionality relevant to transaction processing, magnetic stripe card issuing, EMV card issuing, point-to-point encryption (P2PE), mobile point-of-sale (mPOS), and mobile payments.

Optional Software Licenses

In addition to the base software package, further functions can be added through a series of optional licenses, which can be purchased independently and installed at any time throughout the product lifecycle. The functionality supported by the various optional licenses includes user authentication, data protection, enhanced key management (including multiple LMK support), regional payment options, high performance RSA key generation, and PIN/key mailer printing.

Performance

payShield 9000 is available in a range of performance levels. As transaction volumes grow, the customer has the option to deploy additional HSMs to meet the higher load requirements or, if applicable, purchase a performance upgrade for an existing HSM. The performance upgrade has the advantage of requiring just an upgraded software license to be applied, with no physical hardware changes necessary.

Remote HSM Manager

As an alternative to the Local HSM Manager supplied as standard with payShield 9000 (which requires a direct physical connection to the HSM), Remote HSM Manager is a separate standalone system (running on a remote PC/laptop) that provides the ability to perform all administration tasks remotely from the data center, without the need for the security team to be in the physical presence of the HSM.

Key Management Device

The Key Management Device (KMD) is a standalone handheld device that supports the forming of a key from its constituent components in a highly secure manner without the need to have a physical connection to a production HSM. 

Security Resource Manager (SRM) for Tandem Host Systems

The Tandem SRM is a software application that runs on the Tandem host system and is the interface between the host payment application and the bank of HSMs. Its main purpose is to provide load balancing and resilience, enabling the host application to communicate through a simple interface to the SRM without having to manage the complexity of multiple HSMs – they will appear as a logical single HSM resource.

Security Resource Manager (SRM) for IBM Host Systems

The IBM SRM is a software application that runs on the IBM host system and is the interface between the host payment application and the bank of HSMs. Its main purpose is to provide load balancing and resilience, enabling the host application to communicate through a simple interface to the SRM without having to manage the complexity of multiple HSMs—they will appear as a logical single HSM resource.

Additional Smart Cards

Each payShield 9000 is shipped with a set of blank LMK component cards together with test LMK cards. Additional packs of 6 cards are available to assist with individual user configurations where a large number of cards are necessary to meet operational and security requirements across multiple data centers. All smart cards can be used with all current and legacy Thales payment HSMs – payShield 9000, HSM 8000 and RG7000.

Cabinets and Runner Kits

Customers can choose from a wide range of cabinets of different heights to suit their individual data center storage requirements. Complementary runners are available as kits to fit to the sides of the payShield 9000. 

Replacement Locks and Keys

payShield 9000 uses two highly secure locks with associated keys on the front panel as part of the security administration procedures. The items are tightly controlled and registered and are not available on the open market. Thales provides a lock replacement and additional key supply service for cases where, for example, locks are damaged or keys are lost.

Adapter Cables

payShield 9000 makes use of USB ports on its rear panel to provide connectivity for peripherals such as consoles and printers. In the legacy range of payment HSMs, RS232 D-Type or Centronics parallel printer ports were supplied. For customers needing to reuse legacy cables, Thales is able to provide adapters to convert the end of the cables to the USB format.

payShield 9000 Specifications 

Cryptographic algorithms supported

  • Symmetric
    • DES and Triple DES (key lengths 112 bit, 168 bit)
    • AES (key lengths 128 bit, 192 bit, 256 bit)
  • Asymmetric
    • RSA (key lengths up to 2048 bit)
  • Hashing
    • MD1
    • SHA-1
    • SHA-2 

Certifications:

  • FIPS 140-2 level 3
  • PCI HSM V1 (selected configurations only)
  • APCA
  • MEPS

Key Management Support:

  • Thales Key Block (compliant with ANSI X9.24; superset of X9 TR-31)
  • X9 TR-31 Key Block
  • RSA Public Key
  • DUKPT for PIN and data encryption
  • Master/Session Key Scheme
  • Racal Transaction Key Scheme
  • AS2805

Host connectivity:

  • TCP/IP and UDP (10, 100, 1000 Base-T) – dual ports for resilience
  • FICON (factory fitted option)
  • Asynchronous (V.24, RS-232)

Applications supported:

Below is a non-exhaustive list of applications that utilize these APIs and have been tested by Thales partners and/or customers.

  • ACI Worldwide: Base 24, Postilion
  • Aconite: Affina Enterprise, Mobile Application Manager
  • Compass Plus: TranzWare
  • CR2: BankWorld
  • CSFi: SWITCHWARE
  • Euronet: Payments Hub
  • OpenWay: WayFour
  • Prime Factors: Bank Card Security System (BCSS)
  • RS2: Bankworks 
