Find answers to common questions about Microsoft Azure Payment HSM.
Where is Azure Payment HSM available?
Azure Payment HSM is available in East US, West US, South Central US, Central US, North Europe, and West Europe.
How does Azure Payment HSM work?
After HSMs are provisioned, they're connected directly to a user's virtual network, and HSMs are under users' sole administrative control. HSMs can be provisioned as a pair of devices and configured for high availability. The service uses Thales payShield Manager for secure remote access to the HSM.
Which industries might use Azure Payment HSM?
Financial institutions and service providers in the payment ecosystem including issuers, service providers, acquirers, processors, and payment networks would benefit from Azure Payment HSM.
What are some common use cases for Azure Payment HSM?
With benefits including low latency and the ability to quickly add more HSM capacity as required, Azure Payment HSM is a perfect fit for a broad range of use cases, including payment processing, payment credential issuing, securing keys and authentication data, and sensitive data protection. For more, see Azure Payment HSM: typical use cases
How do I get started with the service?
What HSM SKUs are supported for Azure Payment HSM?
How do I change the performance level or SKU of my payment HSM?
What default license comes with Azure Payment HSM?
The service comes with Thales payShield 10K Premium Package license with 1 or 2 LMK at 60CPS, 250CPS or 2500CPS. For pricing, please see Azure Payment HSM pricing details; for firmware information, see Azure Payment HSM service support guide: Firmware and license support.
In what scenarios you need to contact Thales for licenses?
Device licenses are required when applying custom firmware or returning to base firmware version. For license, contact Thales support with device serial number.
How are physical keys are handled?
Physical keylocks are decoupled from payShield Manager use and are no longer tied to system state.
Can I still use a console to manage HSM?
HSMs are managed remotely with payShield Manager. This access does provide a virtual console which can be used for configuration. No access to Local Console is available and availability of local console cannot be controlled.
How do I set up payShield monitor with Azure Payment HSM?
Paysheild Monitor is distributed as a Virtual Machine and can be deployed on-premises or hosted in an Azure VM instance.
When do I need TMD?
TMD enables key management for these typical use cases:
- Forming keys from components
- Splitting existing keys into components
- Sharing symmetric KEKs internally within an organization or externally with trusted third party
What kind of performance can I expect?
Performance of a hosted payShield is no different from an on-premises deployment. The actual end-to-end performance of the payment API depends on the location of the workloads and network latencies. When the payment service workloads are run on virtual machines hosted in the same service provider's network, performance should match an on-premises deployment. Network latencies between the computer virtual machine(s) running payment service workloads and the hosted payShield are typically very low, but this would depend on the provider's network setup
How do I decommission an HSM?
Releasing a device process removes ALL customer data, logs, keys, and so forth. For steps, see Tutorial: Remove a commissioned payment HSM.