PTS Hardware Security Module (HSM)


PIN Transaction Security (PTS) Hardware Security Module (HSM) Standard

The PIN Transaction Security (PTS) Hardware Security Module (HSM) Standard offers security requirements for characteristics and management of hardware security modules throughout their lifecycle, to ensure confidentiality and data integrity during activities such as financial transactions and payment card personalization.

The PTS HSM Standard provides guidance and direction for appropriately designing HSMs to meet the security needs of the financial payments industry, and for protecting those HSMs up to the point of initial deployment. Other security requirements apply at the point of deployment for the management of HSMs involved with the financial payments industry.  Additionally, the standard supports validation of Remote Administration Platforms (RAP) for HSMs and of key loading devices (KLDs); and has been expanded to include Multi-tenant HSMs, which are HSMs intended for concurrent usage by multiple organizations at a cloud services provider.

Important Information


Intended Audience

Vendors that design and manufacture HSMs.


PTS HSM Documents

Find all of the related documents in the PCI SSC Document Library.


Listings & Professionals

The PCI SSC encourages entities to use the PCI SSC listing in selecting approved PTS HSM devices for their payment environments.

Independent PCI-Recognized Laboratories evaluate HSMs against PTS HSM security requirements. PCI SSC reviews evaluation reports, approves PTS HSM devices, and provides a listing of approved devices.


Training Information

The Payment Card Industry Professional is an individual, entry-level certification in payment security information and provides you with the understanding to help your organization build a secure payment environment. Becoming a PCIP demonstrates a level of understanding that can provide a strong foundation for a career in the payments security industry.

Compliance programs for all PCI SSC standards are managed by the payment brands. Questions about which entities need to validate compliance to any PCI SSC standard, or whether use of a PCI-listed product is required and for which entities, should be referred to the payment brands. Contact information for the payment brands is in FAQ #1142.