Skip to main content

IBM CEX6S Achieves Unique PCI PTS HSM Certification

The IBM CEX6S with CCA offers an industry-unique and customer-focused set of PCI PTS HSM compliant features.

Red and white connecting lines and squares on a black background with a red gradient and Z Security Roundtable text header.

The IBM Crypto Express 6S (CEX6S) is IBM's fastest and most secure hardware security module (HSM) yet, and with CCA 6.0 it has achieved certification under the Payment Card Industry (PCI) PIN Transaction Security (PTS) HSM program.  
What Is PCI PTS HSM Certification? 
The Payment Card Industry Data Security Standard (PCI DSS) requirements for protection of account data apply broadly to businesses in the financial services and retail banking industry and specifically require HSMs for protection of cryptographic keys that protect cardholder data (Requirement 3.5.3). 
The PCI PTS Requirements and Testing Procedures spell out further required cardholder data protections and define broad qualifications for HSMs. The PCI PTS HSM Requirements establish a stand-alone, globally applicable testing regime with physical, logical and manufacturing security requirements for devices usable with PCI PTS.
Using a device that is certified under PCI PTS HSM can simplify PCI DSS evaluation based on guarantees that the cryptographic keys are only allowed to be used in a compliant fashion. Going forward, PCI PTS HSM certification is increasingly required for HSMs to be considered for use by banks and payment processors.
IBM HSMs protect the world’s financial transactions and important data with tamper-responsive hardware and software features, and the Common Cryptographic Architecture (CCA) is IBM’s unique financial services programming interface for IBM HSMs. While PCI PTS HSM certification might initially seem like a vendor parity milestone, the IBM HSM customer-driven design combining ease of use and virtualization with the highest level of security makes this much more.
IBM Implementation Business Differentiators 
IBM implementation for PCI PTS HSM compliance includes important business differentiators, including:
  1. PCI PTS HSM certified virtualization within the physical HSM allows PCI DSS and non-PCI DSS workloads to run on the same physical hardware, with no dedicated hardware required. The IBM CEX6S HSM on IBM Z can be configured as up to 85 cryptographically independent domains, known by PCI PTS as virtual HSMs, each of which may (or may not) be in PCI PTS HSM compliant mode. A virtual HSM must behave exactly like a unique physical HSM to achieve certification. 
  2. PCI DSS and non-PCI DSS workloads can coexist in the same logical environment—the same cryptographic domain. CEX6S with CCA supports a legacy “normal” mode on all virtual HSMs or domains, even on domains that are running in PCI PTS HSM compliant mode. IBM implementation creates an industry-unique secondary key space within each virtual HSM or domain that is used to manage and secure the population of PCI PTS HSM compliant-marked key tokens. The impact is that the same virtual HSM can run your “normal” or non-PCI DSS mode workload simultaneously with your PCI DSS workload, with auditable usage and provenance for the compliant-marked key tokens.
  3. PCI DSS key population audits are easier because your compliant-marked key tokens can never be used for non-compliant functions, or by a virtual HSM in non-compliant mode or by a legacy IBM HSM. This is true even when those HSMs are configured with the same Master Key as your CEX6S domain that is in PCI PTS HSM compliant mode. The IBM HSM uses a unique binding and encryption method that is not available in legacy HSMs or in virtual HSMs that are in non-compliant mode. This feature gives you complete backward security when migrating workloads to the new PCI PTS HSM compliant mode of operation.
  4. PCI DSS key population report generation and spot checks are easier since the marking of PCI PTS HSM compliant managed key tokens is both clear (user visible) and securely bound to the key material. This allows simple report generation to demonstrate PCI PTS HSM compliant management for your sensitive workload keys.
  5. There is no required interruption or downtime to enable PCI PTS HSM compliance mode on the IBM CEX6S HSM. Enablement is completely concurrent to any running legacy workload that uses that same virtual HSM. All of the administration and impact is isolated to the secure remote administration interface.
  6. Migration of your applications and keys to PCI PTS HSM compliance is greatly simplified by a unique “warn” feature. When enabled, this feature will track the usage of key tokens and services and provide running metadata to indicate which keys and services are used that are not PCI PTS HSM compliant. This metadata can be analyzed to generate reports on key populations or application service use cases that need to be addressed before the workload can be migrated to PCI PTS HSM compliant key tokens in PCI PTS HSM mode.
  7. Legacy key populations are not doomed to eventual irrelevance. Legacy key tokens may become compliance-marked keys using a compliance migration service available with the IBM HSM. This extends the features of compliance mode to eligible legacy key populations and applications.
  8. PCI PTS HSM compliant mode is available now, without extra cost, on every IBM CEX6S with CCA. The default firmware for the IBM HSM includes this capability for exploitation at any time the customer chooses.
Unique and Customer-Focused 
The IBM CEX6S with CCA offers an industry-unique and customer-focused set of PCI PTS HSM compliant features, available with the default firmware installed in every IBM CEX6S HSM shipped for IBM Z.  These features enhance usability, security and auditability as customers increasingly migrate workloads to PCI PTS HSM evaluated platforms. This was made possible through application of IBM Design Thinking and ongoing intensive collaboration with our customers.
Learn More

Stay on top of all things tech!
View upcoming & on-demand webinars →