30 April 2020
MST has fully integrated support for Thales payShield 10K Hardware Security Modules (HSM) into the JoinTMS terminal management system.
For banks transitioning from Thales payShield 9000 to payShield 10K using the same LMK key, no additional setup is required—remote key loading (RKL) functions will activate automatically.
The Thales payShield 10K version introduces enhanced PCI HSMv3 security parameters, which are enabled by default:
- Enforce PCI HSMv3 Key Equivalence
- Enforce minimum key strength of 1024-bits for RSA signature verification
- Enforce minimum key strength of 2048-bits for RSA
From firmware version 2.0 onward, the PKCS#1 v1.5 alignment algorithm is blocked, now relying solely on PKCS#1 v2.2 OAEP.
We’ve also enhanced JoinTMS’s compatibility with HSM security modules produced by Practical Security Systems (PSS LLC) and CryptoPro (CryptoPro LLC).
In line with Central Bank requirements, all payment system operators must switch to certified HSM modules by April 1, 2024. Each HSM module must be certified and verified for compliance with Federal Security Service (FSS) standards.
