From 30 October to 15 December, eligible PCI SSC stakeholders are invited to review and provide feedback on the draft PCI PIN Transaction Security (PTS) Hardware Security Module (HSM) Modular Security Requirements v5.0 during a 45-day request for comments (RFC) period.
The RFC will be available through the PCI SSC Portal, including instructions on how to access the documents and submit feedback. Eligible stakeholders will also receive instructions via email. As a reminder, participants are required to accept a Non-Disclosure Agreement (NDA) to download the document. Please review the RFC Process Guide for more information.
Please note that PCI SSC can only accept comments that are submitted via the PCI SSC portal and received within the defined RFC period.
Background on PCI PTS Hardware Security Module (HSM) v5.0
The PCI Security Standards Council is planning a major revision to the PCI PTS Hardware Security Module (HSM) Modular Security Requirements, moving from version 4.0 to version 5.0. These requirements are designed to ensure HSM devices provide the highest level of protection for critical data elements used in card verification, PIN processing, chip transaction processing, payment card personalization, secure cryptographic key loading, remote HSM administration, and other payment and authentication activities.
The updates in the RFC are designed to address industry needs, and include:
- A complete restructuring of the requirements and applicability matrix.
- Defining that cryptographic keys used for device security must provide a minimum of 128 bits of effective strength.
- Specifying additional requirements that must be met in both PCI and non-PCI mode.
- Removing the requirement for deployment in an environment meeting at least the security of a controlled environment (ISO 13491) as a factor in physical attack considerations.
- Adding a new section for key transfer.
- Adding a new section for remote administration.

