The PCI Security Standards Council (PCI SSC) has published a major revision of the PCI PIN Transaction Security (PTS) Hardware Security Module (HSM) Modular Security Requirements, moving from version 4.0 to version 5.0. This update represents a significant evolution in HSM security, addressing modern cryptographic practices, cloud and multi-tenant deployments, and emerging threats such as post-quantum risks.
PCI PTS HSM v5.0 introduces extensive requirement updates and additional guidance, reflecting stakeholder feedback and industry advancements. The revision modernizes the standard’s structure, strengthens cryptographic expectations, and better aligns HSM evaluations with real-world deployment models, including HSM-as-a-Service and remote administration environments.
Some of the key changes introduced in v5.0 include:
- Strengthened cryptographic requirements: Device-security keys (e.g., firmware authentication, tamper/storage keys) must now use cryptography with an effective key strength of at least 128 bits, and TDES is no longer permitted for device security purposes.
- Expanded support for modern cryptography: Updates include support for post-quantum cryptography considerations and new requirements such as Elliptic Curve Schnorr Digital Signature Algorithm (EC-SDSA) for certain use cases.
- Introduction of new evaluation modules: New modules have been added for Key-Transfer Functionality, Remote Administration, and HSM Solution Security, reflecting the growing importance of distributed and cloud-based HSM deployments.
- Enhanced focus on multi-tenant and HSM-as-a-Service environments: Requirements have been consolidated and expanded to address multi-tenant HSM architectures, including new controls such as tenant key erasure and strict isolation between tenants.
- Improved lifecycle and vulnerability management: Vulnerability management requirements have been strengthened and moved into lifecycle security modules, emphasizing continuous security throughout the HSM lifecycle.
- Clarifications and restructuring of requirements: Several legacy sections (e.g., key-loading devices, logical security, and specific functionality-based sections) have been removed or restructured, with responsibilities redistributed across new modular evaluation areas or aligned with the PCI Key Management and Operations (KMO) framework.
- Enhanced testing and validation expectations: Test laboratories are now required to perform deeper validation activities, including source code review for certain requirements, and more explicit documentation of vulnerability sources and testing methodologies.
- Stronger authentication and security controls: Requirements now mandate stronger authentication mechanisms (e.g., prohibiting weak methods such as CBC-MAC for firmware or application authentication) and enforce secure states and secure connections within HSM environments.
In addition to requirement changes, PCI SSC has introduced expanded guidance to improve clarity and consistency across evaluations. This includes updated terminology, alignment with modern standards (e.g., ANSI X9.143), and new definitions covering concepts such as HSM clusters, partitioned HSMs, secure channels, and post-quantum cryptography.
The PCI PTS HSM v5.0 Standard reflects the Council’s continued commitment to evolving security requirements in response to emerging technologies and deployment models. By addressing cloud adoption, strengthening cryptographic expectations, and improving evaluation consistency, v5.0 positions the HSM standard to better support the future of payment security.
The following documents, related to the PTS HSM v5.0 Standard, can be found in the PCI SSC Document Library:
- PCI PTS HSM Modular Security Requirements v5.0
- PCI PTS HSM Modular Derived Test Requirements v5.0
- PCI PTS Device Testing and Approval Program Guide
PCI SSC appreciates the valuable feedback received from stakeholders, which has been instrumental in shaping this release and ensuring the standard continues to meet the evolving needs of the payment ecosystem.

