Hardware security modules (HSMs) are used, among other things, in the background systems of electronic payment transactions to carry out sensitive cryptographic operations. The physical security properties of the HSM influence the requirements for the application environment. With strong physical security mechanisms, organizational security measures can be largely dispensed with, whereas with weak physical security mechanisms the environment must meet high security standards.
Criteria for the use of hardware security modules in electronic payment systems are defined by the German Banking Industry (DK) and the Payment Card Industry (PCI), among others. SRC is accredited by DK and PCI as an assessor for HSMs.
SRC provides security assessments for hardware security modules and supports manufacturers of security modules, network operators and acquirers in demonstrating that they meet the security requirements placed on them. SRC employees have conducted a variety of security investigations of the hardware and software of HSMs. Because we know all aspects of the approval process, we not only uncover weak points, but also successfully lead our customers to their goal: the timely approval of their components.
In principle, it is possible to combine the assessment processes of different approval schemes so that synergy effects result for the manufacturer. For example, a PCI HSM evaluation can be extended to include auditing aspects of DK.
If FIPS 140-2 certification is required, SRC works with a partner laboratory that performs the additional tests required for FIPS 140-2 certification, taking into account SRC’s test results.
- Hardware and software of the HSM,
- System concepts, cryptographic methods, random number generators and protocols,
- Semiconductors (including testing resistance to side-channel attacks, such as Simple Power Analysis (SPA) and Differential Power Analysis (DPA)),
- Organisational measures during the development, production and operation of HSMs.