2 min read

Cryptomathic CKMS: Centralized, Automated Key Management for payShield

Dawn M. Turner (guest) : 11. August 2021

Key Management PCI DSS HSM Centralized Automated KMS key blocks
Cryptomathic CKMS: Centralized, Automated Key Management for payShield

Banks and financial institutions must adhere to a rigorous set of security and regulatory practices to protect data, communications, and processes.

New Call-to-action To effectively accomplish these tasks, Hardware Security Modules (HSMs) for strong cryptography are used to protect data that are critical to their core functions, especially with card payment schemes (both issuing and acquiring) and with ATM and POS networks. If the cryptographic keys were to be stolen or misused, the results would be catastrophic for these institutions.

Therefore, many choose to use payShield HSMs in combination with Cryptomathic’s CKMS to provide centralized and automated key lifecycle management and protect their “keys to the kingdom.”

Managing Cryptographic Keys is an Ongoing Challenge for Banks

The keys need to be available to processes and business applications within their internal systems and outside. The number of cryptographic keys used across business applications continues to grow rapidly.

Manual, decentralized processes are too risky. They are error-prone and costly in terms of staff hours and costs to mitigate errors when they do occur.

Banks and financial institutions frequently cite these three challenges when it comes to key management:

  • Lack of clear ownership of processes and keys
  • Lack of skilled personnel
  • Existence of isolated and fragmented systems

Key Management Compliance - ExplainedDemonstrating compliance is also a time-consuming headache. For many enterprises, demonstrating compliance with PCI DSS and other data protection standards is non-negotiable.

A solution is needed to address these daunting challenges by asserting strong control over creating and distributing cryptographic keys. The solution must set clear responsibilities and enforce specific roles over keys. However, it must also be automated to free staff from the mechanical and repetitive tasks required to manage keys across disparate systems while supporting various standard key formats.

The Benefits of Cryptomathic CKMS

The Cryptomathic CKMS is a centralized key management system that directly addresses the challenges that banks and financial institutions face with key management. CKMS allows its users to take control with centralized and automated key management. It delivers automated key updates and distributes them to a wide range of applications.

Cryptomathic’s CKMS manages the entire lifecycle of both symmetric and asymmetric keys. It provides support for robust business practices. Additionally, it allows users to comply confidently with and pass both internal and external audits.

New Call-to-actionLet’s consider the key benefits that Cryptomathic CKMS provides:

  • Complete remote administration workflow, including key approval and distribution
  • Central management of keys through their complete lifecycle
  • Automated delivery and update of keys
  • Keys shared between HSMs and applications
  • Comprehensive audit logs of CKMS configuration, operation, and key management workflow

Pairing Cryptomathic CKMS with Thales payShield further enhances its value. The same keys can be delivered to the HSM and a supporting business application, whether internal or external to the bank or financial institution. A broad range of import and export options are supported by CKMS, including TR-31 key blocks. It also supports both manual and programmatic key delivery.

The integration of Cryptomathic CKMS and Thales payShield allows key management administration to be performed without time or place restrictions. This is done via an intuitive GUI that is supported by using secure PIN entry devices (PEDs) and smart cards for strong authentication.

The keys are distributed to Thales payShield HSMs, where they are made available for immediate use to calling applications. A tamper-evident audit log records all critical operations to track what keys are used and by what applications.

Why Thales payShield HSM with Cryptomathic CKSM?

The “Thales payShield HSM” is the market leader in payment HSMs. Cryptomathic’s CKMS is designed to meet the rigorous key lifecycle management demands of banks and other financial institutions.

By integrating these two best-of-breed products, these organizations benefit from the security of an integrated solution for their systems’ key management and key use that is both centralized and automated.

Thales payShield HSM with Cryptomathic CKSM supports the following:

  • KEK Exchange, including KEK generated by CKMS or payShield
  • Automatic generation of LMK-encrypted Application Key(s)
  • Application Key Support types:
    • DES3-K2
    • DES3-K3
    • AES-128
    • AES-192
    • AES-256

The integration of Cryptomathic CKMS with Thales payShield HSM provides the centralized and automated key management banks and financial institutions need to protect their cryptographic keys and keep both their and their clients’ data safe.

Contact us for more information on support for centralized 

New call-to-action