From 8 July to 8 August, eligible PCI SSC stakeholders are invited to review and provide feedback on the draft PCI PTS Hardware Security Module (HSM) Modular Security Requirements v5.0 during a 30-day request for comments (RFC) period.
The RFC will be available through the PCI SSC portal, including instructions on how to access the documents and submit feedback. Eligible stakeholders will also receive instructions via email. As a reminder, participants are required to accept a Non-Disclosure Agreement (NDA) to download the document. Please review the RFC Process Guide for more information.
Please note that PCI SSC can only accept comments submitted via the PCI SSC portal and received within the defined RFC period.
Background on the PCI PTS Hardware Security Module (HSM) v5.0
The PCI Security Standards Council is planning a major revision to the PCI PTS Hardware Security Module (HSM) Security Requirements from version 4.0 to version 5.0. PTS HSM Security Requirements are designed to ensure HSM devices provide the strongest protection for critical data elements used in card verification, PIN processing, chip transaction processing, payment card personalization, secure cryptographic key loading, remote HSM administration and other payment and authentication activities.
The updates in the RFC are designed to address industry needs, and include:
- A complete restructure of requirements and the applicability matrix.
- Defining that cryptographic keys used for device security must provide a minimum of 128 bits of effective strength.
- Specifying additional requirements that must be met in both PCI and non-PCI mode.
- Eliminating restricted to deployment in an environment meeting at least the security of a controlled environment as defined in ISO 13491 from a consideration in physical attacks.
- Adding a new section for key transfer.
- Adding a new section for remote administration.