HSMs are an established technology, widely used throughout the financial services sector. They provide a 'tamper proof' technology that enables the secure communication of sensitive information. Using dedicated hardware to store Public Key Infrastructure (PKI) identity credentials, HSMs perform the encryption and decryption of data using digital signatures.
Previously with Bacstel, BACSAFE devices were used to generate passwords to authenticate payment submissions. Under Bacstel-IP, Originators have the choice of using either Smartcards or HSMs to manage the security of their payment files. This means that, with the appropriate software, Originators can design their submission systems with as much or as little user involvement as required.
HSMs allow the partial or full automation of the following Bacstel-IP functions:
- digitally signing and securing payment files
- transmitting payment files to Bacstel-IP
- retrieving and distributing reports
For many Originators, the migration to an HSM-based Bacstel-IP solution will result in the least disruption and change to their existing processes.
As HSMs allow the automatic signing and transmission of payment files with little or no user intervention, this places a significant degree of responsibility on protecting the system configuration. Therefore a key consideration when selecting an HSM is the level of security required.
The globally accepted standard for HSM rating is FIPS (Federal Information Processing Standards - an American standard similar to ISO or BS). There are 4 levels of accreditation for HSMs, 1 to 4, with 4 being the most secure. Bacs mandate a minimum accreditation of FIPS140-1 Level 2. Many users may wish to consider a higher level depending on specific requirements.
Experian Payments recommends a minimum of Level 3. This is because there are two specific areas in which Levels 3 and 4 have a clear differentiation between Level 2. These are tamper related issues and Key Management issues.
Tamper related issues
Level 2 requires HSMs to be ‘tamper evident’. This means that if someone attempts or succeeds in gaining physical access to the HSM components, their access would be clearly visible.
Level 3 requires ‘active detection and response’. This means that the casing of the HSM is alarmed in such a way that if unauthorised access is detected, the HSM automatically destroys its own encrypted information.
Level 4 builds upon level 3’s active detection and response by providing a total security 'envelope‘ where the HSM is not only alarmed but also monitors fluctuations in operating conditions such as temperature, voltage and, in some cases, movement.
Key Management issues
Level 2 allows keys to be entered or removed in a clear text or unencrypted format. This is inconsistent with Bacs’ requirement that keys must be transported in encrypted format.
Level 3 and 4 require keys to be output in an encrypted or split knowledge form. This is a major deterrent to 'administrative' attacks.
Benefits of HSMs
HSMs have the potential to deliver significant strategic benefits to Originators through:
Reductions in risk - by automating payment submissions and reducing the number of manual steps in the process, the opportunity for mistakes and fraud is significantly reduced.
Reductions in costs - automating payment submissions and the report retrieval process eliminates many of the unnecessary administration costs associated with managing payments.
Consolidation - an automated payment submission and reports retrieval system creates an ideal opportunity to replace disparate systems with one enterprise-wide system.
Process improvements - for high transaction volumes and multi-bank Originators, HSMs are significantly faster and avoid the potential for user error associated with multiple Smartcards.
Maintains confidentiality - where manual authorisation is required for particular files (such as payroll files), only a summary need be presented.
HSM deployment considerations
With Smartcards the process of Key Management is straightforward. The user applies for Smartcards from their bank which then issues them in a similar way to credit and debit cards.
With HSMs the process is more complicated and involves the generation of public/private keys and a Certificate Signing Request (CSR) which is used by the Sponsoring Bank to generate a Digital Certificate for installation on the HSM. It is important to select a Bacstel-IP software solution that provides a simple and user-friendly Key Management Interface for generating the keys and CSR and one that allows easy installation of certificates.
As HSMs allow the automatic signing and transmission of payment files with little or no user intervention, this places a significant degree of responsibility on protecting the system configuration. The highest level of security is therefore required to manage and protect the configuration of the Bacstel-IP process.
Contingency and responsibilities
Although HSMs are extremely reliable, contingency arrangements must exist in the event of hardware failure. Users can revert to using Smartcards, however the availability of a secondary HSM is the most comprehensive approach to ensuring business continuity.
Originators are responsible for the security of the PKI Credentials held by the HSM. Bacs and the sponsoring banks have mandated a number of procedures to ensure a minimum level of operational safeguards. These include the maintenance of an audit log of all changes and administrative actions, as well as ensuring that all operations carried out on an HSM are performed in the presence of at least two trusted individuals.