New encryption methods and technologies emerge and evolve. Many companies and individuals have questions about specific features of different encryption solutions. In this article, we are going to explain the differences between hardware security modules (HSM) and tokenization appliances. There appears to be confusion in this topic. So, we decided to explain what each of the two solutions is and clarify the situation.
Functions of an HSM
An HSM appliance is a physical computing device that safeguards and manages digital keys for strong authentication and provides crypto-processing.
In essence, the device stores the keys and implements certain algorithms for encryption and hashing. External applications, such as payment gateway software, can use it for these functions.
Particularly, an hardware security module can be used for:
- encryption and decryption of card numbers
- decryption of card PINs
- verification of card security code (at the back of the card)
- verification of EMV cryptogram
- other functions
A hardware security module is able to encrypt payment data, particularly using AES algorithm. So, many people assume that a hardware security module is the same as a tokenization appliance. However, it is not exactly so. Indeed, tokenization appliances use an HSM of some sort, but they implement some additional logic on top of it.
For instance, an HSM can encrypt a card number, and generate a token based on one-way hashing algorithm. It only stores the encryption key and does not store the token and the encrypted value. Consequently, if a card needs to be processed later, and only the token is available, an HSM is unable to provide corresponding card data, because it doesn’t store all the necessary values within itself.
Another difference between HSMs and tokenization appliances is that although an HSM stores the keys within itself, it does not control, which key is used to encrypt each value (generate an encrypted value) at a specific moment. Consequently, an HSM does not provide a complete mechanism for rotation of keys, which is required by PCI.
Functions of a Tokenization Appliance
As for tokenization appliances, they can, generally, handle the following tasks.
- A tokenization appliance has an API for interaction with an HSM.
- It receives the card number, encrypts it using the HSM, and generate the token
- It keeps track of the keys which are used for encryption and can rotate them with time
- It stores the encrypted values and tokens
- It can decrypt any value from the token (as it “knows” which key has been used to generate the value)
As we see, tokenization appliances implement the so-called vault functionality, and use HSMs for data encryption and decryption only. The correspondence between the token, encrypted value, and the key (or, to be exact, the key number), is the vault function, implemented in the tokenization appliance itself, and not in the HSM.
It should be understood, that just an HSM is not an immediate solution of tokenization requirement. If you need tokenization functionality, you need a respective appliance. If you need to implement such functions as P2PE, PIN processing, or card issuance, you need to use an HSM. If you need both categories of functions, you have several options to choose from.
- You can purchase both a tokenization appliance and HSM if your budget allows
- You can also purchase an HSM and license tokenization software that works with it
- You can purchase an HSM and develop your own vault software on top of the HSM
Before you make an investment in either tokenization or HSM, be sure to understand your needs and based on the totality of your requirements, make an intelligent and informed decision.