Crypto Service Gateway allows businesses to deliver HSM Cryptography as a Service. Gone are the days where each business application manages its own security policies, encryption keys, crypto hardware and compliance requirements. With CSG, you can regain control of your organization's crypto and benefit from a robust, scalable and cost-saving management platform.



In addition to standard crypto operations, Crypto Service Gateway supports various algorithms (e.g. RSA, AES, 3DES and HMAC) and offers several advanced functions that address common business problems, including:

  • Code signing

  • EMV authorization

  • Tokenization

  • Data at rest encryption

  • Data signing

  • Non-repudiation

  • PIN translation

  • Data in transit encryption

  • Data masking

  • Data scrambling

  • Signature verification

  • Hybrid encryption

  • Integrity checking

  • Random data generation

  • CVV verification

  • Credential management

  • PIN re-advise

  • Format Preserving Encryption

  • MAC'ing and MAC verification

Crypto Service Gateway is a cryptographic control center that delivers and manages crypto for any application in your business.



Crypto Service Gateway
Selected Features

Code Signing

In an ever-connected world with devices, apps and even things (IoT) on the internet, code signing plays an increasingly important role in ensuring the integrity, authenticity and provenance of the underlying code, from Windows and mobile applications through to firmware for hardware devices.

The CSG service manages a pool of HSMs to ensure a resilient and available code signing service, and exposes a simple-to-use API for consuming various other cryptographic services. CSG supports both RSA and ECDSA signing. Code signing services are consumed either directly through CSG's API (Java, C++, .NET and RESTful) or using a CSG extension. CSG extensions provide additional platform-specific encoding and/or integration into third-party signing tools. Extensions include a CSP for Microsoft Authenticode, JAR/APK signers and more.

Endorsed signing is a unique CSG feature tailored for the code-signing market. It gives you the secure workflows necessary to control what code may be signed: a mandatory minimum number of authorized 'endorsers' must endorse a code signing request before a secure signing operation is permitted.


Managed Data Encryption

CSG's managed encryption technology addresses a common crypto headache - ensuring encrypted data can be safely decrypted at a later date, even if the original key has been replaced. This technique is ideally suited for long-term storage of encrypted data within a business database, for example. Managed encryption is an optional feature that can be made available to any application using CSG.

Managed encryption provides confidentiality, authenticity and integrity (while normal encryption only offers the first of these). This means CSG can ensure the data hasn't been modified while it was stored. The encrypted data returned by CSG contains a pointer to the key used to perform the encryption. Even if the encryption key is updated, CSG retains access to the old key and can use it to decrypt historical data. Support is also provided for updating old encrypted data to use a newer key.
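The key-pointer scheme described above, sketched as an added example (not Cryptomathic's code, and not CSG's actual envelope format). It assumes AES-256-GCM from Node's built-in crypto module, a hypothetical in-memory `Keyring` standing in for HSM-held keys, and an envelope layout chosen for illustration.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Hypothetical in-memory stand-in for HSM-held keys: every key version is
// retained so data encrypted under a replaced key can still be decrypted.
class Keyring {
  constructor() { this.keys = new Map(); this.current = 0; this.rotate(); }

  // Install a fresh AES-256 key as the current version; old versions stay.
  rotate() {
    this.current += 1;
    this.keys.set(this.current, randomBytes(32));
    return this.current;
  }

  // Assumed envelope layout: keyId(4) || nonce(12) || tag(16) || ciphertext.
  encrypt(plaintext) {
    const hdr = Buffer.alloc(4);
    hdr.writeUInt32BE(this.current);
    const nonce = randomBytes(12);
    const c = createCipheriv('aes-256-gcm', this.keys.get(this.current), nonce);
    c.setAAD(hdr); // authenticate the key pointer along with the data
    const body = Buffer.concat([c.update(plaintext), c.final()]);
    return Buffer.concat([hdr, nonce, c.getAuthTag(), body]);
  }

  keyIdOf(envelope) { return envelope.readUInt32BE(0); }

  // The key is chosen by the pointer in the envelope, not by "current".
  decrypt(envelope) {
    if (envelope.length < 32) throw new Error('envelope too short');
    const key = this.keys.get(this.keyIdOf(envelope));
    if (!key) throw new Error('unknown key id');
    const d = createDecipheriv('aes-256-gcm', key, envelope.subarray(4, 16));
    d.setAAD(envelope.subarray(0, 4));
    d.setAuthTag(envelope.subarray(16, 32));
    // final() throws if the pointer, nonce, tag or ciphertext was modified.
    return Buffer.concat([d.update(envelope.subarray(32)), d.final()]);
  }

  // Migrate a historical record to the current key.
  rewrap(envelope) { return this.encrypt(this.decrypt(envelope)); }
}

// Constructed sample: a record written before a key update, read after it.
const ring = new Keyring();
const stored = ring.encrypt(Buffer.from('constructed sample record'));
ring.rotate();
console.log(ring.keyIdOf(stored), ring.decrypt(stored).toString());
console.log(ring.keyIdOf(ring.rewrap(stored)));
```

Because the key id is passed as associated data, changing the pointer in a stored record makes decryption fail rather than silently selecting a different key.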


Tokenization

Tokenization is a common technique for protecting sensitive data, such as PANs, as they pass through business systems. The original data is replaced with a token of the same length, using a reversible process.

CSG offers tokenization as a basic crypto function available to any application. The tokenization process is customizable and can allow parts of the data to pass through unchanged (e.g. the last four digits of the PAN). A configurable mixture of format-preserving encryption and database storage is used to produce the token values.

For those concerned with PCI-DSS, tokenization may provide a way to bring systems out of scope for audits. For more information on PCI-DSS compliance with CSG, please refer to the PCI-DSS topic paper.

Secure PIN Translation

Secure PIN translation is the process of changing the key that encrypts a PIN, without exposing the PIN data in server memory. This operation is commonly needed in payment systems, where the PIN must travel through different systems which use different zone-related keys.

CSG supports PIN translation using our secure code execution (SCE) technology, which is a vendor-neutral approach to executing code within an HSM. The PIN translation function supports a variety of standard PIN block formats.



Case Study - Barclays

Read the case study to see why Barclays Bank chose CSG as their strategic enterprise crypto service.



At the leading edge of security provision within its key markets, Cryptomathic closely supports its global customer base with many multinationals as longstanding clients.