
Microsoft Releases Azure Payment HSM in Public Preview for the Payment Card Industry



Recently, Microsoft announced the public preview of Azure Payment HSM, a bare-metal infrastructure as a service (IaaS) offering that provides cryptographic key operations for real-time payment transactions in Azure. It uses Thales payShield 10K payment HSMs, which deliver a suite of payment security functionality proven in critical environments, including transaction processing, sensitive data protection, payment credential issuing, mobile card acceptance, and payment tokenization.

The Azure Payment HSM service meets the Payment Card Industry's (PCI) most stringent requirements for security, audit compliance, low latency, and high performance. Additionally, financial institutions and service providers can use this service to easily migrate their PCI workloads to Azure. It can also be a fit for a broad range of use cases, including payment processing, payment credential issuing, securing keys and authentication data, and sensitive data protection.

HSMs are provisioned and connected directly to users' virtual networks, and users have complete administrative control over them. Furthermore, HSMs can be provisioned as a pair of devices and configured for high availability with ease, and as part of their Azure subscription, users can use Thales payShield Manager for secure remote access to the HSMs. In an Azure blog post on the service, Devendra Tiwari, senior director, Azure Security, explains:

Once the HSM is allocated to a customer, Microsoft has no access to customer data. Likewise, when the HSM is no longer required, customer data is zeroized and erased as soon as the HSM is released to Microsoft to maintain complete privacy and security. The customer is responsible for deploying and configuring HSMs for high availability, backup, and disaster recovery requirements and achieving the same performance on their on-premises HSMs.


Note that the Azure datacenters that house Azure Payment HSM solutions are PCI DSS and PCI 3DS compliant – and the Azure Payment HSM can be deployed as part of a validated PCI P2PE and PCI PIN component or solution, which helps simplify ongoing security audit compliance. In addition, Thales payShield 10K HSMs deployed in the security infrastructure are certified to FIPS 140-2 Level 3 and PCI HSM v3.

Other public cloud providers, like AWS, offer Cloud Payment HSM through their marketplace with VirtuCrypt, which is also available on the Azure Marketplace. Microsoft, however, brings a payment HSM service natively to its cloud platform. Holger Mueller, principal analyst and vice president at Constellation Research Inc., told InfoQ:

Enterprise needs to move to the cloud fast to practice Enterprise Acceleration. Vertical offerings make this more accessible, and today Microsoft's payment vertical is such an example. First, we must see if Microsoft got the offering right and what enterprises will see adoption.

Azure Payment HSM is currently available in the East US and North Europe regions. Access to the service can be requested through email. The service uses a pay-as-you-go model with an hourly billing meter that records the number of HSM resources, performance speed, timespan, and other factors. Pricing details are available on the pricing page, and more information and guidance on Azure Payment HSM are available on the landing page.


Community comments

  • Microsoft Azure Payment HSM - PCI PIN certification?

    by Darren Busby,


    How will the new Azure Payment HSM IaaS achieve PCI PIN certification and an AoC thereof that any end customers will need for their own PCI PIN certification? There are requirements under PCI PIN that mandate physical dual control over access to the equipment, and there is a requirement for a physical audit of the facility and those controls...
