|
| 1 | +--- |
| 2 | +title: Azure Payment HSM Service support guide |
| 3 | +description: Azure Payment HSM Service support guide |
| 4 | +services: payment-hsm |
| 5 | +author: msmbaldwin |
| 6 | + |
| 7 | +tags: azure-resource-manager |
| 8 | +ms.service: payment-hsm |
| 9 | +ms.workload: security |
| 10 | +ms.topic: article |
| 11 | +ms.date: 07/28/2022 |
| 12 | +ms.author: mbaldwin |
| 13 | +--- |
| 14 | + |
| 15 | +# Azure Payment HSM service support guide |
| 16 | + |
| 17 | +This article outlines the Azure Payment HSM prerequisites, support channels, and division of support responsibility between Microsoft, Thales, and the customer. |
| 18 | + |
| 19 | +> [!IMPORTANT] |
| 20 | +> There is no service-level agreement (SLA) during the Azure Payment HSM public preview. Use of this service for production workloads will not be supported until GA. |
| 21 | +
|
| 22 | +## Prerequisites |
| 23 | + |
| 24 | +Microsoft will work with Thales to ensure that customers meet the prerequisites before starting the onboarding process. |
| 25 | + |
| 26 | +- Customers must have access to the [Thales CPL Customer Support Portal](https://supportportal.thalesgroup.com/csm) (Customer ID). |
| 27 | +- Customers must have Thales smart cards and card readers for payShield Manager. If a customer need to purchase smart cards or card readers they should contact their Thales representatives, or find their contacts through the [Thales contact page](https://cpl.thalesgroup.com/contact-us). |
| 28 | +- If a customer need to purchase a payShield Trusted Management Device (TMD), they should contact their Thales representatives or find their contacts through the [Thales contact page](https://cpl.thalesgroup.com/contact-us). |
| 29 | +- Customers must download and review the "Hosted HSM End User Guide", which is available through the Thales CPL Customer Support Portal. The Hosted HSM End User Guide will provide more details on the changes to payShield to this service. |
| 30 | +- Customers must review the "Azure Payment HSM - Get Ready for payShield 10K" guide that they received from Microsoft. (Customers who do not have the guide may request it from [Microsoft Support](#microsoft-support).) |
| 31 | +- If a customer is new to payShield or the remote management option, they should take the formal training courses available from Thales and its approved partners. |
| 32 | +- If a customer is using payShield on premises today with custom firmware, they must conduct a porting exercise to update the firmware to a version compatible with the Azure deployment. Contact a Thales account manager to request a quote. |
| 33 | + |
| 34 | +## Firmware and license support |
| 35 | + |
| 36 | +The HSM base firmware installed in public preview is Thales payShield10K base software version 1.4a 1.8.3 with the Premium Package license. Versions below 1.4a 1.8.3. are not supported. Customers must ensure that they only upgrade to a firmware version that meets their compliance requirements. |
| 37 | + |
| 38 | +Customers are responsible for applying payShield security patches and upgrading payShield firmware for their provisioned HSMs, as needed. If customers have questions or require assistance, they should work with Thales support. |
| 39 | + |
| 40 | +Microsoft is responsible for applying payShield security patches to unallocated HSMs. |
| 41 | + |
| 42 | +## Microsoft support |
| 43 | + |
| 44 | +Microsoft will provide support for hardware issues, networking issues, and provisioning issues. |
| 45 | + |
| 46 | +Explore the range of Azure support options and choose the plan that best fits at [Microsoft Support Plans](https://azure.microsoft.com/support/plans/). Customers should understand initial response time, listed at [Support scope and responsiveness](https://azure.microsoft.com/support/plans/response/). |
| 47 | + |
| 48 | +Microsoft support can be contacted by creating a support ticket through the Azure portal: |
| 49 | + |
| 50 | +- From the Azure portal homepage, select the "Support + troubleshooting" icon (a question mark in a circle) in the upper-right. |
| 51 | +- Select the "Help + Support" button. |
| 52 | +- Select "Create a support request". |
| 53 | +- On the "New support request" screen, select "Technical" as your issue type, and then "Payment HSM" as the service type. |
| 54 | + |
| 55 | +## Thales support |
| 56 | + |
| 57 | +Thales will provide payment application-level support including client software, HSM configuration and backup, and HSM operation support. |
| 58 | + |
| 59 | +All Azure Payment HSM customers have Enhanced Support Plan with Thales. The [Thales Welcome Pack for Authentication and Encryption Products](https://supportportal.thalesgroup.com/csm?sys_kb_id=1d2bac074f13f340102400818110c7d9&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=e7f1843d87f3c9107b0664e80cbb352e&sysparm_article=KB0019882) is an important reference for customers, as it explains the Thales support plan, scope, and responsiveness. Please download the [Thales Welcome Pack PDF](https://supportportal.thalesgroup.com/sys_attachment.do?sys_id=52681fca1b1e0110e2af520f6e4bcb96). |
| 60 | + |
| 61 | +Thales support can be contacted through the [Thales CPL Customer Support Portal](https://supportportal.thalesgroup.com/csm). |
| 62 | + |
| 63 | +## Support contacts |
| 64 | + |
| 65 | +Depending on the nature of your issue or query, you may need to contact Microsoft and/or Thales support. The table below provides high level guidance. When you do not know where to get support, contact Microsoft support first. |
| 66 | + |
| 67 | +| Issues | Microsoft Support | Thales Support | Additional Information | |
| 68 | +|--|--|--|--| |
| 69 | +| HSM provisioning, HSM networking, HSM hardware, management and host port connection | X | | | |
| 70 | +| HSM reset, HSM delete | X | | | |
| 71 | +| HSM Tamper event | X | | Microsoft can recover logs from medium Tamper based on customer's request. It is highly recommended that customer should implement Realtime log replication and backup. | |
| 72 | +| payShield manager operation, key management | | X | | |
| 73 | +| payShield applications, host commands | | X | | |
| 74 | +| payShield firmware upgrade, security patch | | X | Customers are responsible for upgrading their allocated HSM's firmware and applying security patches. Firmware versions below 1.4a 1.8.3. are not supported.<br><br>Microsoft is responsible for applying payShield security patches to unallocated HSMs. | |
| 75 | +| Smart card, Card Readers | | X | Customers can purchase smart cards and readers through their Thales representatives. | |
| 76 | +| TMD | | X | The customer can purchase TMD through their Thales representatives. | |
| 77 | +| Hosted HSM End User Guide | | X | Customers must download "Hosted HSM End User Guide" from Thales support portal for more details on the changes to payShield to this service. | |
| 78 | +| payShield 10K documentation, TMD documentation | | X | | |
| 79 | +| payShield audit and error logs backup | N/A | N/A | The customer is responsible for implementing their own mechanism to back up their audit and error logs. It is highly recommended that customer implement real time log replication and backup. | |
| 80 | +| Key backup | N/A | N/A | Customers are responsible to implement their own mechanism to back up keys. | |
| 81 | +| Custom firmware | | X | If customers are using payShield on premise today with a custom firmware, a porting exercise is required to update the firmware to a version compatible with the Azure deployment. Contact Thales account manager to request a quote. Custom firmware will be supported by Thales support. | |
| 82 | + |
| 83 | +## Next steps |
| 84 | + |
| 85 | +- Learn more about [Azure Payment HSM](overview.md) |
| 86 | +- See some common [deployment scenarios](deployment-scenarios.md) |
| 87 | +- Learn about [Certification and compliance](certification-compliance.md) |
| 88 | +- Read the [frequently asked questions](faq.yml) |
0 commit comments