Press Release

PCI Security Standards Council Updates Hardware Security Module Standard

Version 4.0 Supports Industry Shift to Utilization of Cloud-Based Devices

WAKEFIELD, Mass., 17 December 2021 — Today the PCI Security Standards Council (PCI SSC) published the latest version of its device security standard for Hardware Security Modules (HSMs). HSMs are secure cryptographic devices that are used for cryptographic-key management and the protection of sensitive data used in payment card processing.
The PCI PIN Transaction Security (PTS) Hardware Security Module (HSM) Modular Security Requirements Version 4.0 ensures that HSM devices provide the strongest protection for critical data elements used in card verification, PIN processing, chip transaction processing, payment card personalization, secure cryptographic key loading, remote HSM administration and other payment authentication activities. Organizations can use PTS Validated HSM devices in conjunction with other PCI Standards to support their efforts to protect payment data throughout their systems and networks.

PCI PTS HSM Security Requirements v4.0 includes the addition of a new evaluation module and approval class for evaluating cloud-based HSMs that are used as part of an HSM-as-a-service offering. These updates support the use of remote management methods and multi-tenant cloud-based devices, and reflect direct feedback received from the payment industry through two request for comment periods.

“The security of cryptographic devices is a critical part of protecting payment data,” says Emma Sutcliffe, SVP, Standards Officer at PCI SSC. “The latest evolution of the PCI PTS HSM Security Requirements reflects the payment industry’s need for flexible payment security solutions.”

Vendors can begin using PCI PTS HSM Requirements v4.0 now for payment device evaluations. Version 3.0 of the Requirements will retire in December 2022 for new device evaluations. Refer to the PCI PTS Device Testing and Approval Program Guide for detailed information regarding the transition period.

A full copy of the PCI PTS HSM Security Requirements v4.0 and supporting documentation, including Summary of Changes from v3.0 to v4.0, Derived Test Requirements, and a Technical FAQ document, are available in the PCI SSC Document Library.

About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.