The benefits of a Payment HSM ‘as a service’ model

Published: 21 March 2022

Reading time: 4 minutes

Financial institutions are embracing and adopting the cloud for core systems and platforms such as banking and payment transactions to enhance competitiveness. An ‘as a service’ model for Payment HSMs allows companies to modernise their IT infrastructure by leveraging a cloud-based architecture which avoids lengthy vendor lock-ins and delivers greater operational efficiencies, while maintaining regulatory compliance.

Removing and/or reducing on-premises infrastructure and migrating to the cloud via an ‘as a service’ model means banks and financial institutions are better positioned to respond to evolving market demands, allowing them to deliver more innovative products and offerings quickly and securely.

The cloud has become a key digital enabler for the industry and according to a recent survey by McKinsey, more than 60% of banks are planning to move the bulk of their environment to the public cloud in the next five years. Payment HSMs as a Service provides the missing piece of the cloud adoption puzzle.

Top 10 reasons for migrating to payShield 10K now


Reduce costs

Slimmer form factor
Data center space is expensive. With payShield 10K we have reduced the height of the unit to 1U, which means that you can stack twice as many units in the rack as you could with payShield 9000, reducing the cost of your real estate.

Lower power consumption
Each watt of power a device requires increases your data center energy and cooling costs. With our new payShield 10K design we have leveraged the latest energy-efficient components and power management techniques to lower the overall power consumption by 40%, even when operating at twice the cryptographic performance. This undoubtedly will assist in driving down your data center electricity bill and contribute to your company reaching its “green goals”.

Higher resilience & availability
Planned downtime is still downtime. Being forced to take an HSM offline for routine configuration tasks or to replace a faulty power supply can adversely affect the availability of your financial services infrastructure. We have improved the physical design with payShield 10K by providing dual hot-swappable power supplies and fans as standard, which improves MTBF by a factor of 14, delivering very high predicted uptime.

Streamline operations

Faster firmware updates
Loading firmware usually means taking the HSM offline for several minutes. With payShield 10K the firmware update workflow process has been reduced by more than a factor of 10 while still maintaining all the necessary security checks for code authenticity and integrity.

Clearer visual indicators
payShield 10K has a simple, uncluttered front panel design which displays a red warning triangle when a tamper event has occurred. It is obvious when all is well as the left handle of the front panel is illuminated in white and if the regular background health checks discover a problem the handle turns to red. To help identify which HSM in a rack may need scheduled work or attention, the operations team can now quickly direct local staff to the HSM requiring support by illuminating front and rear maintenance lights using their payShield Manager.

Simpler key erasure confirmation
Sometimes it is necessary to move an HSM out of a production environment to another less secure location. Under various security audit constraints the critical keys such as the live LMKs must not be present when the unit is in the new location. payShield 10K contains a dedicated key erasure confirmation light on the rear panel to provide assurance that no sensitive keys or data reside in the unit and it is safe to decommission.


Be prepared

Stronger tamper protection
payShield 10K has multiple levels of tamper detection which (when activated) erase keys and sensitive data in the event of an attack. A fully locked-down lid (with no ability to open without causing significant damage to the device) is also used to increase the complexity for any attacker. Attempts to gain access inside the inner security module cause the device to be permanently disabled.

Broader cryptographic support
To support new payment methods payShield 10K is capable of leveraging very fast hardware-based ECC processing in addition to the legacy 3DES, AES and RSA algorithms. Many of the emerging payment credential issuing use cases utilize ECC rather than RSA especially when the payment instrument is a mobile, IoT or connected device. payShield 10K is ready to be enhanced to support a much broader range of cryptographic algorithms and mechanisms as they become formalized as part of the increasing range of payment security specifications.

Greater maximum performance
Card payments and digital online payments are growing year on year, requiring you to constantly monitor and upgrade your processing bandwidth. payShield 10K offers significantly higher RSA and 3DES performance than its predecessors which may reduce the number of payShield devices deployed and lower your costs.

Superior service architecture
As the payments world increasingly looks towards new deployment models involving a mixture of private and public clouds, payShield 10K has been specifically designed to offer secure remote management and monitoring delivering a true ‘no touch’ experience. This supports multiple types of payment service offerings and offers more capabilities to run functions securely in a broader range of operating environments.


Payment HSM skills are specialised and difficult to maintain, but the ALFATEC Group team of experts can enhance the overall security of your organization.
Contact us for more information!
