15.07.2021

Security of yesteryear won’t meet the needs of today

Digital payments have risen rapidly and continue to accelerate due to the current pandemic. This has placed a greater demand on the banking infrastructure needed to support digital payments, whether in-store or online.

According to ITWeb, Nedbank saw digital payments increase by 72% in June 2020, and Absa documented a 200% year-on-year increase in e-commerce transaction volumes between January and August 2020.

Behind all these payments sits a Hardware Security Module (HSM): the tamper-resistant device that performs the cryptographic operations a payment needs (for example PIN translation, cryptogram verification and key management) and that the payment schemes and PCI standards require for compliance.

With new cyber threats evolving almost daily, the hardware and software that businesses previously relied on to protect their information may no longer be adequate. Investment is required to protect against current and future cyber threats.

Scaling security

Synthesis Head of Payments, Pierre Aurel explains: “Everyone is transacting on their mobile phones due to the speed and convenience it offers, but they aren’t necessarily aware of all the security required to protect their information.”

“High-end devices like Samsung and Apple have got fantastic chipsets for performing secure operations, but most often security needs to be provided by the backend. Increased security demands obviously mean you need better HSMs to meet the demand that modern consumers expect.”

Payment Security Strategist at Thales, Simon Keates, explains that you need to strike a balance between the reduced security features available on the phone and an increased amount of security on the server side, and thus you need scalable encryption services backed by HSMs.

Modern HSMs compensate for the limited security of the device in the user's hands: the sensitive operations and the keys that protect them stay on the back end, inside the HSM, rather than on the phone.

End of life and its risks

Yesterday’s technology is inadequate for the acceleration of digital payments. The payShield 9000 was launched back in 2009 and has been the stalwart of payment encryption ever since.

For more than a decade it has been the gold standard for encryption in financial services. However, the payShield 9000 is coming to its End of Life (EOL) at the end of 2022, making way for the new payShield 10K.

Once the EOL date of 31 Dec 2022 is reached, the payShield 9000 will no longer be supported, which means no additional security fixes will be issued, and Thales won’t be in a position to resolve support issues.

While the hardware will continue to operate, any vulnerability discovered after that date will go unpatched, leaving it exposed to new exploits and attacks. Without the latest security fixes, yesterday's workhorse may be today's trojan horse.

The benefits of future-first HSMs

State-of-the-art HSMs are needed to scale security and keep up with the pace of cyber-attacks. Keates explains: “The protection of the future is making sure that as your business digitises and relies more and more on cards, mobile and online, that you have the underlying security infrastructure to cope with that increased need.”

Customers who upgrade to the payShield 10K will benefit from performance gains as well as best-in-class security.

The payShield 10K is more energy efficient and has far greater transactional throughput compared to the previous model. Licensing and software packages have also been optimised for the newer product.

Time for an upgrade?

HSMs have a long lifespan, roughly double that of most other capex items, but still require major upgrades every few years. Keates simplifies it: “HSMs are a bit like having a laptop – you just can’t use the same laptop forever. At some point you need to change even though it’s still working.”

Right size and save

According to Aurel, considering the upgrade purely as a replacement exercise is flawed. “At Synthesis, we view this as an opportunity to help our customers right-size and reduce their operating costs.”

“You do not need to replace your HSMs on a one-for-one basis and beware when being told otherwise. Discuss your HSM requirements with an accredited provider and scope the hardware to match your performance needs. An upgrade is the ideal time to optimise your operational environment.”

When to start?

Start now. The EOL date may seem far off, but budget provision, procurement cycles, skills acquisition and technical implementation can together take 12 months in a banking environment.

Aurel shares his experience from HSMs migrations with customers: “Cryptography and Information managers who oversee HSM migration have a responsibility to their businesses to de-risk this, and this involves planning adequately ahead of any critical dates.”

“For example, requesting budget and planning before you even get to development and test and pre-production and production takes months.”

“We often see these deals exceeding the threshold that a typical business unit can sign off on. This often goes to procurement and it can take two months to receive the request for a product document.”

“This then needs to go out to market for quotes, and then there is an assessment for approval of the vendor. That can be a six-month process.”

Keates explains what the implementation process looks like based on his experience working at a bank: “Typically organisations such as banks implement strict change control and require changes to the development, pre-production and production environments to be scheduled to a particular change window, with each phase being dependent on the success of the previous.”

“Any slip therefore impacts the entire project plan. If each of these phases takes two months and any one phase slips, you can quickly see how the timeline for migration could take up to 12 months, at this point in time leaving only six months’ contingency until the end-of-life date.”

The future of payments

The rise of digital payments and Open Banking are factors driving the need for new HSMs. Keates explains: “There will be a seismic shift in the world of payments when organisations can interact directly with banks through APIs, sending and receiving sensitive information as well as triggering financial transactions.”

“The data protection and privacy requirements are going to be substantial.”

The evolution of quantum computing is another threat on the horizon. Current cryptographic standards and algorithms need to be bolstered to protect data in a post-quantum world.

The public-key cryptography in use today (RSA and elliptic-curve keys, certificates and signatures) could be broken by a sufficiently large quantum computer, and data encrypted under those keys can be harvested now and decrypted later. Symmetric algorithms such as AES are less affected, but their effective key strength is reduced, so larger keys are needed.

Aurel adds: “To defend against this, quantum-resistant algorithms are needed, combined with high entropy, random number generation and tamper-resistant key storage. These factors can only be achieved with purpose-built hardware like the payShield 10K.”

If you are in the Payments industry, it is time to take the necessary steps to upgrade HSM hardware and prepare for a new era in cryptography.

Most importantly, you need to ask yourself: is your technology ready to support the future, or are you opening the door to trojans?
