Diagram: management connections to the HSM (USB-C, USB-A or C, Ethernet, standard management port, PC or laptop port).
payShield Manager User Types
Restricted (Auditor View)
• Restricted RACC smart card authenticated at payShield
• Basic view-only access to settings and LMK functions
• Can use Virtual Console
Administrator (single card)
• Single RACC smart card authenticated at payShield
• Similar to ‘Offline’ management functions
Administrator (two cards)
• Two RACC smart cards authenticated at payShield
• Similar to ‘Secure Mode’
• Access to all functions
• Some functions require authorization by authorizing officers
payShield Manager – Commissioning Process
Establishes Trust Between HSMs and the Management Cards
For all new payShields and management cards
Warranting at the Thales factory establishes the initial key material and certificates for establishing the initial trust path between HSMs and management cards
Diagram: Domain and Group hierarchy.
HSM Commissioning #2 – Group HSMs, and the Left and Right Administrator and Restricted Cards
Group HSM Administrator Cards with HSMs to be Managed by the Same Personnel
Whitelist of allowed HSM left and right administrator and restricted ‘auditor’ cards added to each HSM
Forms a secondary grouping within the security Domain (e.g., separates out management of a bank's application systems)
How to Recover after a Medium Tamper
If an HSM is tampered, the key material is erased.
Aside from the LMK, the key material also includes the HSM and smart card certificates signed by the CTA and required to access payShield Manager.
The HRK encrypts the certificates of the HSM and security group smart cards in non-volatile memory, so even after a medium tamper the certificates remain protected in the HSM, but are not accessible for use.
The two passphrases are then entered to restore the certificates to the HSM secure memory.
payShield Manager is now accessible for remote management.
How to Recover HSM with HRK
Recovery is Only Possible on the Console using SL Command
Ensures that the data center operators are able to inspect the HSM prior to recovery
Suggested approach:
Data center operators call HSM operators for passphrases
Once both passphrases are entered, payShield Manager is recovered
HSM operators change passphrases
Secure mode
• Two keys turned
• Both Left and Right RACC login
• Select secure
Available functions:
• View status information
• Configure HSM
• Load and manage LMKs
• Update firmware / licenses
• No host access
Commissioning payShield Manager
Commissioning Process
For payShield 9000 3.x and payShield 10K
Supported by wizard running on payShield Manager
Builds on “Warrant” (Thales Certified keys) installed at manufacture
9000 and 10K can share the same CTA and LMKs
Not applicable to payShield 9000 purchased prior to v3.x
HSMs without a Thales warrant must use the local commissioning process using the console and Domain Authority cards
Migration from Remote HSM Manager to payShield Manager is not supported on 10K
Migration must be done on a 9000
Diagram: host computer connected to the payShield 10K. Security note from the diagram: the PIN is in the clear within the host application; encrypted PIN blocks on the cable are decrypted by the payShield 10K.
Diagram: PIN Mailer Printing with an HSM-attached printer (host computer, payShield 10K, printer).
Security Importance
The configuration allows selection of options which reduce security.
Defaults are generally the most secure selection (though not all are PCI compliant); only change them if necessary.
Often the default configuration requires no change. The following is an example of a configuration item that regularly needs to change.
Import/Export Key
Parameters:
Enable X9.17 for import? [Y/N]:
Enable X9.17 for export? [Y/N]:
Enables support for the ANSI X9.17 mechanism for key import and export.
Each half of a double-length key, or each third of a triple-length key, is encrypted/decrypted separately using Electronic Code Book (ECB) mode.
Default = N (for both)
Keys are exported as component values.
Note: This is a lower-security option, but it is the only widely supported standard method for interoperation between systems until TR-31 key blocks are implemented as mandated.
Export in Trusted Format
The payShield 10K uses default values which follow good security practice.
Key export is configured to disallow untrusted export.
This needs to be turned off unless you are using key blocks.
Parameters:
Enable keys import/export in trusted format only [Y/N]:
Note: As with X9.17 import/export, this is a lower-security option, but it is the only widely supported standard method for interoperation between systems until TR-31 key blocks are implemented as mandated.
Disabling Unused and Potentially Weaker Options
The HSM should be hardened before use by disabling unused commands and weaker options
Disabling of Host Commands
Disable commands with no valid use
Host commands are disabled from factory settings and after reset
Using Console:
ConfigCmds [+ or -] [C or H] [<Command Code>]
(+ enables and - disables; C selects a console command, H a host command)
Enable/Disable Commands Error Codes
If a disabled command is used on the HSM, an error is returned.
Console: The message “Function Disabled” is shown.
Host: Error code 68 is returned.
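The host-side effect of a disabled command is easy to miss in an application that only checks for error code 00. The following is an added example, not Thales code and not from the page: a small encoder/decoder for the TCP host-command framing (2-byte big-endian length prefix, message header, 2-character command code, data; the reply carries the header, a response code and a 2-digit error code) that surfaces error 68 explicitly. The 4-character header length, the command codes used in the samples and the sample replies themselves are assumptions constructed for this example.

```python
"""Encoder/decoder for payShield host-command framing, with error 68 handling.

Added example, not Thales code. Assumes the documented TCP framing: a 2-byte
big-endian length prefix, then header + 2-char command code + data; replies
carry header + response code + 2-digit error code + data. Only error codes 00
and 68 are named; any other code is reported numerically.
"""
import socket

HEADER_LEN = 4  # default message header length (assumed for this example)

# Error codes this example names; others are passed through as "error NN".
ERROR_TEXT = {
    "00": "No error",
    "68": "Command disabled",
}


def build_host_message(header: str, command: str, data: str = "") -> bytes:
    """Frame one host command for a TCP connection to the HSM."""
    if len(header) != HEADER_LEN:
        raise ValueError(f"header must be {HEADER_LEN} characters")
    if len(command) != 2:
        raise ValueError("command code must be 2 characters")
    body = (header + command + data).encode("ascii")
    if len(body) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    return len(body).to_bytes(2, "big") + body


def parse_host_response(raw: bytes) -> dict:
    """Split a length-prefixed reply into header, response code, error code and data."""
    if len(raw) < 2:
        raise ValueError("reply shorter than the length prefix")
    length = int.from_bytes(raw[:2], "big")
    body = raw[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated reply")
    if len(body) < HEADER_LEN + 4:
        raise ValueError("reply too short for header, response code and error code")
    text = body.decode("ascii")
    error_code = text[HEADER_LEN + 2:HEADER_LEN + 4]
    return {
        "header": text[:HEADER_LEN],
        "response_code": text[HEADER_LEN:HEADER_LEN + 2],
        "error_code": error_code,
        "error_text": ERROR_TEXT.get(error_code, f"error {error_code}"),
        "data": text[HEADER_LEN + 4:],
    }


def command_is_disabled(raw_response: bytes) -> bool:
    """True when the HSM rejected the command with error 68 (command disabled)."""
    return parse_host_response(raw_response)["error_code"] == "68"


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or fail; the HSM may deliver a reply in several segments."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("HSM closed the connection mid-message")
        buf += chunk
    return buf


def send_host_command(host: str, port: int, header: str, command: str,
                      data: str = "", timeout: float = 5.0) -> dict:
    """Send one command over TCP and parse the reply (needs a live HSM; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_host_message(header, command, data))
        prefix = _recv_exact(sock, 2)
        body = _recv_exact(sock, int.from_bytes(prefix, "big"))
    return parse_host_response(prefix + body)


# Constructed sample replies (not captured from a real HSM).
# Command A0 disabled via ConfigCmds: the HSM answers A1 with error code 68.
SAMPLE_DISABLED_REPLY = b"\x00\x08HEADA168"
# NC diagnostics command answered ND with error 00, followed by constructed
# check-value and firmware fields.
SAMPLE_HEALTH_REPLY = b"\x00\x21HEADND000123456789ABCDEF1234-5678"

if __name__ == "__main__":
    for reply in (SAMPLE_DISABLED_REPLY, SAMPLE_HEALTH_REPLY):
        r = parse_host_response(reply)
        print(r["response_code"], r["error_code"], r["error_text"], r["data"])
```

An application that treats any non-00 code as a generic failure will retry a disabled command forever; distinguishing 68 lets the integration report a configuration problem rather than a transient HSM fault.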
Example – Weak PIN Block Formats
Thales Format 03 – may be used in IBM, Diebold and Docutel ATMs (disabled by default)
Structure: 0, PIN length, PIN, F padding
(PIN = 92389 gives the clear PIN block 0592389FFFFFFFFF; no PAN is mixed in, so the block is identical for every account)
See payShield 10K Host Programmer's Manual, Chapter 14, for PIN block definitions.
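To show why a format with no PAN binding is weaker, the following added example (not from the page or from Thales) builds the Format 03 block exactly as the structure above describes it and, beside it, an ISO 9564-1 Format 0 block, which XORs the PIN field with a PAN field. The sample PANs are constructed; the PIN-length and PAN-length limits are assumptions of this example.

```python
"""Format 03 (as structured on the page) beside ISO 9564-1 Format 0.

Added example, not Thales code. Format 03 here is '0', PIN length, PIN,
'F' padding. ISO Format 0 XORs that same PIN field with a PAN field of
'0000' followed by the 12 rightmost PAN digits excluding the check digit.
"""

PIN_BLOCK_HEX_LEN = 16  # 8-byte clear PIN block as a hex string


def _check_pin(pin: str) -> None:
    # PIN length limits are an assumption for this example.
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")


def _pin_field(pin: str) -> str:
    """'0', PIN length as one hex digit, the PIN, then 'F' padding to 16 hex digits."""
    return ("0" + format(len(pin), "X") + pin).ljust(PIN_BLOCK_HEX_LEN, "F")


def format_03_pin_block(pin: str) -> str:
    """Format 03 as described on the page: the PIN field alone, no PAN binding."""
    _check_pin(pin)
    return _pin_field(pin)


def iso_format_0_pin_block(pin: str, pan: str) -> str:
    """ISO 9564-1 Format 0: PIN field XOR PAN field."""
    _check_pin(pin)
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 digits")
    pan_field = "0000" + pan[-13:-1]  # 12 rightmost digits, check digit dropped
    return format(int(_pin_field(pin), 16) ^ int(pan_field, 16), "016X")


def compare_pan_binding(pin: str, pans) -> dict:
    """Count distinct clear blocks each format yields for one PIN across several PANs.

    A format that ignores the PAN yields one block for every account, so under
    a single PIN-encryption key identical PINs encrypt to identical ciphertext.
    """
    fmt03 = {format_03_pin_block(pin) for _ in pans}
    iso0 = {iso_format_0_pin_block(pin, pan) for pan in pans}
    return {
        "format_03_distinct_blocks": len(fmt03),
        "iso_format_0_distinct_blocks": len(iso0),
    }


# Constructed sample data, not real card numbers.
SAMPLE_PIN = "92389"
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]

if __name__ == "__main__":
    print("Format 03 :", format_03_pin_block(SAMPLE_PIN))
    for pan in SAMPLE_PANS:
        print("ISO 0     :", pan, iso_format_0_pin_block(SAMPLE_PIN, pan))
    print(compare_pan_binding(SAMPLE_PIN, SAMPLE_PANS))
```

The clear block is what gets encrypted under the PIN-encryption key; with Format 03 every cardholder who chose 92389 produces the same ciphertext under a given key, which is why the format is disabled by default and should stay disabled unless a legacy ATM requires it.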
HSM Clock
Time used in Audit and Error logs
Console: SETTIME requires authorization
Can check current clock setting through
Console / payShield Manager
Host health check
SNMP – Management information
Save HSM Settings
Current configuration can be saved to smart card
Saves Alarm, Host Port, Security, Audit, Command, and PIN Block