Request for Comments: PTS HSM Security Requirements v4.0

PTS Vendors who are Participating Organizations and PCI Recognized labs are invited to review and provide feedback on the draft PCI PIN Transaction Security (PTS) Hardware Security Module (HSM) Modular Security Requirements during a 30 day request for comments (RFC) period running from 9 February 2021 through 11 March. This is the first of two RFCs for v4.0 of the requirements. A second RFC is planned in Q3 and will be open to all PCI SSC Participating Organizations and Assessors.

The RFC will be available to primary contacts through the PCI SSC portal, including instructions on how to access the document and submit feedback. Eligible stakeholders will also receive instructions via email. As a reminder, participants are required to accept a Non-Disclosure Agreement (NDA) to download the document. Please review the RFC Process Guide for more information.

Please note that PCI SSC can only accept comments that are submitted via the PCI SSC portal and received within the defined RFC period.

Background on the PTS HSM Security Requirements
PTS HSM Security Requirements are designed to ensure HSM devices provide the strongest protection for critical data elements used in card verification, PIN processing, chip transaction processing, payment card personalization, secure cryptographic key loading, remote HSM administration and other payment and authentication activities.

The updates in the RFC are designed to address industry needs by:

• Adding a new module for Cloud Based HSMs as a Service – Multi-tenant Usage Security Requirements
• Requiring support for ANSI and ISO standards based Key Blocks
• Requiring support for AES

Please review the RFC Process Guide  and our resource guide: What to Know Before Participating in a PCI SSC RFC for more information on the PCI SSC RFC process.