New Generation Cloud Payment HSMs

Leverage the benefits of trulyCloud-based Payment Security

Product description

VERISEC | 10XPAY is payment cryptography as a service that allows financial entities — from large banks and payment processors to smaller FinTechs and startups — leverage the benefits of a truly Cloud-based Payment Security infrastructure designed to validate and process payment transactions. VERISEC | 10XPAY offers the scalability, adaptability, lower overheads and many other benefits that organizations have come to expect from state-of-the-art Cloud services. 

Main application areas

Contactless payments

Card-present transactions

EMV issuer processing

ATM transactions & key loading

Commercial model

VERISEC 10XPAY Tier accounts are based on the Average and PEAK cps range. Customers’ transactions will not be interrupted by the HSM’s capacity limitation.

Compliance

Verisec works with the council to establish cloud HSM attestation around PCI DSS / PCI PIN / PCI P2PE Decryption / PCI PTS assisted by a third party QSA. 

Frequently Asked Questions

VERISEC 10XPAY is a Payment Cryptography as a Service (PCaaS) that can be used for credit and debit card processing systems, card data preparation systems, card personalization systems, or for terminal/ATM key management systems etc. VERISEC 10XPAY is fully compliant to PCI PIN, PCI DSS, and PCI P2PE Decryption while operating in the cloud, reducing the customer’s scope of certification significantly. It also minimize the changes required on the host application or with working keys while migrating to the cloud.

The Payment Industry typically requires very specific cryptographic functions developed and managed by the payment card schemes under organizations such as ANSI and EMVCo. VERISEC 10XPAY offers cloud-based payment HSMs’ functionality for financial entities that participate in the Payments Ecosystem, such as Payment Processors, Card Issuers & Acquirers, Mobile Wallets and many types of Fintech companies.

Unlike the other cloud HSMs offerings, VERISEC 10XPAY offers the most transparent and flexible integration for existing payment processing systems. Naturally the service is equipped with cloud-native security layers that meets PCI and other industry standards, as well as optimizing your operational needs in the cloud.

Yes, it is supported. VERISEC 10XPAY allows customers to use the own keys with the Service. These can be customer generated keys or keys imported from an existing on-premises HSM environment. This is sometimes called ‘Bring Your Own Key’ (BYOK) in the cloud.
Tap on mobile allows credit card and debit card transactions to be accepted on the standard mobile devices such as phone or tablet, with no external PIN pad or other card reader device. This helps small merchants, delivery companies, or Fintechs to provide the payment system without a special POS terminals. Tap on mobile can also support online PIN (“PIN on Glass”), for environments where PIN is required. VERISEC 10XPAY is perfect solution for such payment service providers offloading much of part of burden of PCI compliance and operational management of the HSMs. VERISEC 10XPAY also supports most commonly used HSM APIs as well as a modern REST API to ease development efforts.
Using VERISEC 10XPAY, not only customers are fully supported for HSM installation, maintenance, or life-cycle management of HSMs, but also provided with cloud-native tools, customer portals, and key management hardware to deliver the customer’s own control. (Operational Responsibility Matrix Overview)

Verisec has worked with an external assessor to establish cloud HSM attestation for the following areas:

  • PCI DSS – audit performed by External Assessor
  • PCI PIN – audit performed by External Assessor
  • PCI P2PE Decryption – audit performed by External Assessor

On top of the data center certifications such as PCI-DSS, ISAE-3402, ISO 27001 offered by the data centers, VERISEC 10XPAY service operation is independently audited by a third party QSA, for PCI DSS, PCI PIN, PCI P2PE. All critical components such as hardware security modules are PCI PTS HSM v3 or v4 certified, or FIPS 140-2/140-3 level3 or above.
Please contact VERISEC for further details.

VERISEC 10XPAY Acquiring and P2PE Decryption tiers are subscription based on the range of average CPS (API call per second) and number of active LMKs. After the initial set-up, all acquiring and P2PE Decryption tiers offers average CPS and MAX CPS, which allows applications to endure the “PEAK” loads if necessary without changing tiers. Contact VERISEC for more details.

Yes. VERISEC 10XPAY supports both redundancy within region, as well as cross-regional redundancy. The service is designed to meet customer’s data sovereignty requirements by offering 2 data centers in each region. Customers can also achieve a cross-regional redundancy, by having regional accounts with the same customer keys. For more details of available and up-coming data centers locations, contact VERISEC.

Yes. There are TEST and UAT environment in VERISEC 10XPAY. Service environment is clearly separated into TEST service, UAT service, as well as PRODUCTION services in each region. This is to support customer’s needs for payment HSMs in its entire life-cycle. Customers are strongly recommended to separate the test data or test keys from their production environment.

Yes. VERISEC 10XPAY can be operated together with payment HSMs on-premises, as so called a hybrid cloud configuration. This can be useful for migration, additional HSM resources, or test purposes. Payment applications can be in a public clouds, in a private clouds, or an on-premises data center.

Yes, it is possible to migrate from on-premises HSMs seamlessly. VERISEC 10XPAY is designed to be as transparent as possible when migrating from a physical HSMs in on-premises data centers. Customers are able to maintain their existing key materials, procedures, and policy using VERISEC 10XPAY, and migrate, or to use VERISEC 10XPAY as a part of HSM cluster.

HSM master keys are generated, imported, and managed by customers’ own key custodians. Once the keys are imported into the VERISEC 10XPAY, the service handles them by protecting them under individual customer’s service key. Service mapping mechanisms, that handles the customer specific keys are also protected within the secure runtime environment, and never exposed or stored to outside secure service boundaries.

The Service Tier costs covers not only cryptographic functions, but also customer’s own management controls, cloud-native security tools to comply to PCI regulations, as well as the standard support. Customer portal also facilitates monitoring, key custodians’ management, and certificate management.
Optionally customers are also offered with additional services, such as reporting, monitoring, and key custodianship services.

VERISEC 10XPAY portal offers the monitoring feature by default. Additionally there is additional monitoring and reporting services such as PCI PIN/P2PE reporting depending on customer’s needs.

VERISEC 10XPAY is designed with highly available micro-services with automated HSM resource allocations. Customers may experience a sudden transaction increase only in high season, and such additional loads will be handled as ‘PEAK’ CPS requirement within the tier. Even the volume goes beyond the tier range unexpectedly, service continues to provide the cryptographic functionality and customers will be able to review it later.

Payment providers are responsible for their own compliance to PCI, depending on their volume or payment functions provided for their customers. Although since VERISEC 10XPAY has been independently audited for PCI PIN, PCI DSS, PCI P2PE, it is possible for customers to refer to our AoC (attestation of compliance) report, and reduce their own time and effort on compliance activities.