We are very pleased to announce the general availability of Azure Payment HSM, a BareMetal infrastructure as a service (IaaS) that enables customers to access Payment HSM locally in the Azure cloud. With Azure Payment HSM, customers can seamlessly migrate PCI workloads to Azure and meet the most stringent security, audit compliance, low latency and high-performance requirements of the Payment Card Industry (PCI).
The Azure Payment HSM service enables service providers and financial institutions to accelerate the digital transformation strategy of their payment systems and adopt the public cloud.
“Payment HSM support in the public cloud is one of the most significant barriers to moving payment systems to the public cloud. Although there are many different solutions, none can meet the stringent requirements required for a payment system. Microsoft, working with Thales, stepped in to provide a payment HSM solution that could meet ACI Worldwide’s ambitions to modernize its technology platform. It’s been a pleasure working with both teams to make this solution a reality.”
— Timothy White, Chief Architect, Retail Payments and Cloud
The Azure Payment HSM solution is delivered using the Thales payShield 10K Payment HSM, which offers a single-tenant HSM and full remote management capabilities. The service is designed to enable complete customer control by strict separation of roles and data between Microsoft and the customer. HSMs are provisioned and connected directly to the customer’s virtual network, and the HSMs are under the sole administrative control of the customer. Once allocated, Microsoft’s administrative access is limited to “operator” mode and full responsibility for configuration and maintenance of the HSM and software rests with the customer. When the HSM is no longer needed and the device is returned to Microsoft, customer data is erased to ensure privacy and security. The solution comes with a Thales payShield premium package license and enhanced support plan, with a direct relationship between the customer and Thales.
Figure 1: After provisioning the HSM, the HSM device is directly connected to the customer’s virtual network via Thales payShield Manager and TMD with full remote HSM management capabilities.
The customer can quickly add more HSM capacity on demand and subscribe to the highest performance levels (up to 2500 CPS) for mission-critical payment applications with low latency. Customers can upgrade or downgrade HSM performance levels based on business needs without disrupting HSM product usage. HSMs can easily be provisioned as a pair of appliances and configured for high availability.
Azure is committed to helping customers comply with the payment card industry’s leading compliance certifications. Azure Payment HSM is certified to the strict security and compliance requirements established by the PCI Security Standards Council (PCI SSC), including PCI DSS, PCI 3DS and PCI PIN. Thales payShield 10K HSMs are certified to FIPS 140-2 Level 3 and PCI HSM v3. Azure Payment HSM customers can significantly reduce their compliance time, effort and cost by leveraging the shared responsibility matrix from Azure’s PCI Attestation of Compliance (AOC).
Typical use cases
Financial institutions and service providers in the payments ecosystem will benefit from Azure Payment HSM. Azure Payment HSM enables a wide range of use cases, such as payment processing, which allows for card and mobile payment authorization and 3D-secure authentication; issuing payment credentials for cards, wearables and connected devices; and securing key and authentication data and sensitive data protection for point-to-point encryption, security tokenization and EMV payment tokenization.
Azure Payment HSM is available at launch in the following regions: East US, West US, South Central US, Central US, Northern Europe, and Western Europe.
As Azure Payment HSM is a specialized service, customers should ask their Microsoft Account Manager and CSA to send a request via email.
Learn more about Azure Payment HSM
To download the PCI Certification Report and Shared Responsibility Matrix: