
How CloudHSM can help transform the payments industry


By Aleksey Staroverov, Development Manager of 2C2P


The accelerating shift to digital payments has opened the door to increased cybersecurity risks. Online fraud and theft of personal data have an impact on businesses, financial institutions, and consumers. Understandably, data security compromise is a concern for many consumers, and how companies manage it can influence trust and loyalty in a brand.

How are payment providers rising to the challenge of the fast-evolving cybersecurity landscape to deliver a superior customer experience? What measures are they taking to mitigate risks of data compromise?

This article discusses some of the enhancements made to 2C2P’s processes and why our adoption of cloud HSM as a service will enable businesses to give their customers the best safeguards for digital payments.

What is HSM, and what does it do?

What exactly is an HSM, or Hardware Security Module? An HSM is a specialised, highly trusted physical device that protects vast amounts of sensitive data by encrypting it with complex, tamper-resistant codes. Aside from encryption, it is capable of performing other cryptographic operations, such as decryption, authentication, key exchange, and key management. In simple terms, imagine it as a secure box protected from external access, providing a high level of confidentiality and integrity. Its robust operating system means access to it is highly controlled, and security features are paramount.

How is HSM used in the payments industry?

HSM is frequently used in the payments industry, especially to encrypt and decrypt data. For example, HSM is used by credit card issuing companies to verify and validate the chip data whenever a customer inserts their physical card to make a payment. The HSM itself is required to comply with FIPS or PCI requirements (at least FIPS 140-2 Level 3 or PCI PTS approved), which is a standard requirement for payment systems and banks. (Note: 2C2P is fully compliant with PCI DSS 3.2 and is certified as a Level 1 Service Provider, which is the key security standard within the payments industry. 2C2P’s HSMs are certified to be at least FIPS 140-2 Level 3 or PCI PTS approved.)

HSM is also used to authenticate online e-commerce transactions. For example, 3DSecure protocols use HSM to compute and generate an authentication value which is then recomputed and validated by the issuer, to ensure a quick and secure authorisation of the transaction.
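The compute-then-recompute flow described above, as an added sketch (not 2C2P's code). HMAC-SHA256 stands in for the card schemes' authentication-value algorithms, and `ToyHsm`, the key handle and the transaction fields are hypothetical names.

```python
import hashlib
import hmac
import secrets


class ToyHsm:
    """Software stand-in for an HSM: keys live inside and are used by handle only."""

    def __init__(self):
        self._keys = {}  # handle -> key bytes; no method ever returns these

    def generate_key(self, handle):
        self._keys[handle] = secrets.token_bytes(32)

    def mac(self, handle, message):
        return hmac.new(self._keys[handle], message, hashlib.sha256).digest()

    def verify(self, handle, message, tag):
        # Recompute inside the boundary and compare in constant time.
        return hmac.compare_digest(self.mac(handle, message), tag)


def canonical(txn):
    """Length-prefix every field so two different field splits cannot collide."""
    out = b""
    for name in ("pan", "amount_minor", "currency", "merchant_id", "txn_id"):
        value = str(txn[name]).encode()
        out += len(value).to_bytes(2, "big") + value
    return out


def compute_auth_value(hsm, handle, txn):
    """Service-provider side: derive the authentication value for a transaction."""
    return hsm.mac(handle, canonical(txn))


def issuer_validate(hsm, handle, txn, auth_value):
    """Issuer side: recompute over the transaction it received and compare."""
    return hsm.verify(handle, canonical(txn), auth_value)


def demo():
    hsm = ToyHsm()  # one object models both parties' HSMs holding the same key
    hsm.generate_key("3ds-auth-key")
    # Constructed sample transaction (well-known test card number, not real data).
    txn = {"pan": "4111111111111111", "amount_minor": 9900, "currency": "THB",
           "merchant_id": "M-0001", "txn_id": "T-42"}
    auth_value = compute_auth_value(hsm, "3ds-auth-key", txn)
    genuine = issuer_validate(hsm, "3ds-auth-key", txn, auth_value)
    tampered = dict(txn, amount_minor=990000)  # amount changed in transit
    altered = issuer_validate(hsm, "3ds-auth-key", tampered, auth_value)
    return genuine, altered
```

Validation succeeds only when the issuer sees exactly the fields the value was computed over, so a change to the amount after authentication is rejected.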

The shift to cloud-based HSM and its benefits

As part of 2C2P’s goal to continuously innovate and deliver cutting-edge solutions for the rapidly evolving payments space, we are taking cybersecurity to the next level with Cloud HSM. As the name suggests, unlike the previous physical HSM, this is a cloud-hosted HSM service that allows users to host encryption keys and perform cryptographic operations in a cluster of FIPS 140-2 Level 3 certified HSMs. Cloud services have grown in popularity over recent years due to their simplicity, flexibility and agility.

One of the key benefits of Cloud HSM is scalability. You can add and remove HSM capacity at any time. In essence, Cloud HSM as a service provides a reliable HSM in the cloud on-demand, at scale and with a pay-as-you-use model. Need more capacity when scaling? Request more boxes, and you’ll get clusters with keys that are synchronised.

Secondly, moving to Cloud HSM provides a maximum level of security, as long as there is a sound encryption key management strategy.

2C2P uses Cloud HSM in two distinct ways. As a 3DSecure Service Provider, we use Cloud HSM to compute the authentication value on behalf of the client for a quicker and more secure authentication and authorisation process.

Separately, to provide the highest level of security, 2C2P also encrypts the key for databases containing payment data and transaction information using Cloud HSM. 2C2P also implements integrations with various types of HSM for different banks, as they operate with other communication protocols. Cloud HSM adheres strictly to regulatory standards such as the PCI DSS, making it a good choice for payment providers seeking privacy, security and compliance. In an era where payment standards have risen dramatically, 2C2P believes that we can be part of the solution to fight payment card data compromise.

The future of Cloud HSM in payments

For startups and small companies who are looking for accessibility and scalability, Cloud HSM has many advantages.

Before the arrival of Cloud HSM, big companies had difficulty scaling, as it could be an expensive exercise. With the switch to Cloud HSM, companies have more flexibility and agility when it comes to performance and capabilities.

In other words, Cloud HSM is an invaluable new tool for any business dependent on digital payments. At 2C2P, we value your privacy and security above all else. With Cloud HSM, merchants and customers can transact through 2C2P with peace of mind, knowing that their payment transaction data is treated with the utmost sensitivity and using the latest security technologies.
