On 18 May 2026, the PCI SSC published the version 5.0 of the PCI PTS HSM standard (or simply PCI HSM). This standard includes numerous changes that may affect, directly or indirectly, compliance with other PCI SSC standards. Here we tell you the details.

Introduction to PCI PTS HSM

The standard Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM), better known as PCI PTS HSM or PCI HSM, specifies a series of physical and logical security controls for Secure Cryptographic Devices (Secure Cryptographic Devices – SCDs). This standard is part of the family of standards PIN Transaction Security (PTS), of which PCI PTS PIN (or PCI PIN) and PCI PTS POI (or PCI POI) are also part, initially focused on PIN security in face-to-face transactions. However, to this day, this family of standards (especially PCI HSM and PCI POI) also covers the protection of other account data, such as PAN and cryptographic key management for firmware validations, authentication, etc.

In the particular case of PCI HSM, this standard focuses on lifecycle management. HSM Devices, including their manufacture, dispatch, use and dismantling, as well as in controls related to the management and operation of algorithms, key lengths and processes of generation, loading, export, transmission, storage, replacement and destruction of keys used in cryptographic routines.

Relevant changes to PCI HSM version 5.0

PCI HSM version 4.0 was released in December 2021 and since then, the crypto landscape has changed by leaps and bounds. This was already known to the PCI SSC and, for that reason, it had been actively working in the version 5.0 of PCI HSM. Some of the most relevant changes are:

  • Restructuring of requirements and updating of terminology, especially references to other standards, such as X9.143 (formerly TR-31).
  • Reinforcement of cryptography used for device security purposes (e.g. firmware validations and storage keys), which must support at least 128-bit strength, excluding TDEA (Triple DES).
  • Explicit identification of controls that must be present when the device operates in PCI and non-PCI modes.
  • Modern cryptography support, including post-quantum cryptography and reinforcement of requirements for other algorithms, mainly asymmetric cryptography.
  • Environment-specific sections multi-tenant and HSM-as-a-Service (HSMaaS), aligned with the new services of Cloud Service Providers (CSPs) of managed cryptography.
  • Three new HSM assessment modules are included:
    • Key Transfer Functionalities (Key-transfer functionality), which describes the controls necessary for loading clear keys, components, cryptograms and signed public keys, either by manual, direct or network techniques.
    • Remote management, which lists the controls to be employed when performing remote management of HSM devices, including the use of secure hardware, authentication, log management, encryption during data transmission, and physical security.
    • HSM Security Solution (HSM Solution Security), which includes controls for the protection of virtualized environments, validation of firmware updates and anti-handling controls.
  • Optimization of vulnerability management processes.
  • Clarifications and improvements in the testing and validation processes.

From an organisational point of view, this new version of the standard includes five (5) assessment modules:

Evaluation Module 1: Core Requirements
Evaluation Module 2: Key-Transfer Functionality Requirements
Evaluation Module 3: Remote Administration Requirements
Evaluation Module 4: HSM Solution Security Requirements
Evaluation Module 5: Life Cycle Security Requirements

PCI HSM version 5.0 can be downloaded from the PCI SSC Document Library.

Entities affected by this change

It is important to clarify that the PCI HSM standard applies to manufacturers of hardware safety modules (HSMs) and that standard is evaluated by approved laboratories. The products evaluated are listed in la page of devices approved in PTS of the PCI SSC, under the categories ‘HSM’, ‘Multi-tenant HSM’ and ‘RAP’:

However, those entities that must comply with standards such as PCI PIN, PCI P2PE, PCI 3DS, PCI Card Production or PCI TSP must use an HSM solution validated under FIPS 140-2/140-3 or PCI HSM. In this case, HSM devices that are validated in PCI HSM must not be expired and must be deployed in accordance with the relevant security policies.

Technical implications of this new version

As explained above, PCI HSM version 5.0 was developed with three main changes in mind:

  • The gradual migration of symmetric algorithms (such as TDEA) and asymmetric algorithms categorized as weak or obsolete towards more robust and current solutions, including post-quantum cryptography.
  • The massification of cryptographic services in the cloud, including HSM-as-a-Service (HSMaaS) and multi-tenant solutions.
  • Improving the internal security of hardware and firmware of cryptographic devices.

This leads to the conclusion that the payment media sector is progressively migrating solutions on-premises to cloud solutions, delegating much of the hardware responsibilities to external vendors. The management of physical HSMs and their security, which were traditionally part of specific areas in financial institutions, following cryptic protocols and distrusting any external operation, gradually assume that they must be integrated into hybrid environments or fully in the cloud.

This is due to reasons arising from geographical availability, interoperability with multiple manufacturers and cost optimisation (total cost of ownership – TCO), prioritising hardware purchase (expenses seen as Capital Expenditure – CapEx) for operational expenditure (Operating Expense – OpEx) derived from the use of services calculated by consumption.

Posted by David Acosta

Qualified Security Assessor (QSA) for PCI DSS, PCI PIN, PCI 3DS, P2PE and PCI TSP. CISSP, CISA, CISM, CRISC, C|EH, C|HFI.

Leave to Reply