Merge pull request #185326 from msmbaldwin/payment-hsm-pubpreview

ttorble · web-flow · commit e6fa8b0fac16 · 2022-02-02T10:45:29.000Z
Payment HSM (Public Preview)
diff --git a/articles/payment-hsm/breadcrumb/toc.yml b/articles/payment-hsm/breadcrumb/toc.yml
@@ -0,0 +1,7 @@
+- name: Azure
+  tocHref: /azure/
+  topicHref: /azure/index
+  items:
+  - name: Payment HSM
+    tocHref: /azure/
+    topicHref: /azure/payment-hsm/index
diff --git a/articles/payment-hsm/certification-compliance.md b/articles/payment-hsm/certification-compliance.md
@@ -0,0 +1,27 @@
+---
+title: Azure Payment HSM certification and compliance
+description: Information on Azure Payment HSM certification and compliance
+services: payment-hsm
+author: msmbaldwin
+
+tags: azure-resource-manager
+ms.service: payment-hsm
+ms.workload: security
+ms.topic: article
+ms.date: 01/25/2022
+ms.author: mbaldwin
+---
+
+# Certification and compliance
+
+Thales payShield 10K HSMs are certified to FIPS 140-2 Level 3 and PCI HSM v3.
+
+The Azure Payment HSM service is currently undergoing PCI DSS and PCI 3DS audit assessment.
+
+The Azure Payment HSM can be deployed as part of a validated PCI P2PE and PCI PIN component or solution, Microsoft can provide evidence of proof for customer to meet their P2PE and PIN certification requirements.
+
+## Next steps
+
+- Learn more about [Azure Payment HSM](overview.md)
+- See some common [deployment scenarios](deployment-scenarios.md)
+- Read the [frequently asked questions](faq.yml)
diff --git a/articles/payment-hsm/deployment-scenarios.md b/articles/payment-hsm/deployment-scenarios.md
@@ -0,0 +1,39 @@
+﻿---
+title: Azure Payment HSM deployment scenarios
+description: Azure HSM deployment scenarios for high availability deployment and disaster recovery deployment
+services: payment-hsm
+author: msmbaldwin
+
+tags: azure-resource-manager
+ms.service: payment-hsm
+ms.workload: security
+ms.topic: article
+ms.date: 01/25/2022
+ms.author: mbaldwin
+
+
+---
+# Deployment scenarios
+
+Microsoft deploys payment hardware security modules (HSM) in stamps within a region and multi-region to enable high availability (HA) and disaster recovery. In a region, HSMs are deployed across different stamps to prevent single rack failure, and customers must provision two devices in a region from two separate stamps in order to achieve high availability. For disaster recovery, customer must provision HSM devices in an alternative region.
+
+Thales doesn't provide PayShield SDK to customers, which supports HA over a cluster (a collection of HSMs initialized with same LMK). However, the customers usage scenario of the Thales PayShield devices is like a Stateless Server. Thus, no synchronization is required between HSMs during application runtime. Customers handle the HA using their custom client. One implementation would be to load balance between healthy HSMs connected to the application. Customers are responsible for implementing high availability by provisioning multiple devices, load balancing them, and using any kind of available backup mechanism to back up keys.
+
+## Recommended high availability deployment
+
+:::image type="content" source="./media/deployment-1.png" alt-text="Architecture diagram for high availability deployment":::
+
+For High Availability, customer must allocate HSM between stamp 1 and stamp 2 (in other words, no two HSMs from same stamp)
+
+## Recommended disaster recovery deployment
+
+:::image type="content" source="./media/deployment-2.png" alt-text="Architecture diagram for disaster recovery deployment":::
+
+This scenario caters to regional-level failure. The usual strategy is to completely switch the application stack (and its HSMs), rather than trying to reach an HSM in Region 2 from application in Region 1 due to latency.
+
+## Next steps
+
+- Learn more about [Azure Payment HSM](overview.md)
+- Find out how to [get started with Azure Payment HSM](getting-started.md)
+- Learn about [Certification and compliance](certification-compliance.md)
+- Read the [frequently asked questions](faq.yml)
diff --git a/articles/payment-hsm/faq.yml b/articles/payment-hsm/faq.yml
@@ -0,0 +1,44 @@
+### YamlMime:FAQ
+metadata:
+  title: Frequently asked questions - Azure Payment HSM
+  description: Find answers to common questions about Azure Payment Hardware Security Module, such as basic information, getting started, and support.
+  services: payment-hsm
+  author: msmbaldwin
+  tags: azure-resource-manager
+  ms.service: payment-hsm
+  ms.workload: security
+  ms.topic: conceptual
+  ms.date: 01/25/2022
+  ms.author: mbaldwin
+  
+    
+title: Frequently asked questions (FAQ)
+summary: Find answers to common questions about Microsoft Azure Payment HSM.
+
+sections:
+  - name: The Basics
+    questions:
+      - question: |
+          Where is Azure Payment HSM preview available? 
+        answer: |
+          Azure Payment HSM is available for preview in East US and North Europe regions. 
+
+      - question: |
+          How does Azure Payment HSM work? 
+        answer: |
+          After HSMs are provisioned, they’re connected directly to a user’s virtual network, and HSMs are under users’ sole administrative control. HSMs can be provisioned as a pair of devices and configured for high availability. The service uses Thales payShield Manager for secure remote access to the HSM. 
+          
+      - question: |
+          Which industries might use Azure Payment HSM? 
+        answer: |
+          Financial institutions and service providers in the payment ecosystem including issuers, service providers, acquirers, processors, and payment networks would benefit from Azure Payment HSM. 
+
+      - question: |
+          What are some common use cases for Azure Payment HSM? 
+        answer: |
+          With benefits including low latency and the ability to quickly add more HSM capacity as required, Azure Payment HSM is a perfect fit for a broad range of use cases, including payment processing, payment credential issuing, securing keys and authentication data, and sensitive data protection. For more, see [Azure Payment HSM: typical use cases](overview.md#typical-use-cases)
+
+      - question: |
+          How do I get started with the service? 
+        answer: |
+          As Azure Payment HSM is a specialized service, you can request access [via email](mailto:paymentHSMRequest@microsoft.com).
diff --git a/articles/payment-hsm/getting-started.md b/articles/payment-hsm/getting-started.md
@@ -0,0 +1,65 @@
+---
+title: Getting started with Azure Payment HSM
+description: Information to begin using Azure Payment HSM
+services: payment-hsm
+author: msmbaldwin
+
+tags: azure-resource-manager
+ms.service: payment-hsm
+ms.workload: security
+ms.topic: article
+ms.date: 01/25/2022
+ms.author: mbaldwin
+---
+
+# Getting started with Azure Payment HSM
+
+To get started with Azure Payment HSM (preview), contact your Microsoft sales representative and request access [via email](mailto:paymentHSMRequest@microsoft.com). Upon approval, you'll be provided with onboarding instructions.
+
+## Availability
+
+The Azure Public Preview is currently available in **East US** and **North Europe**.
+
+## Prerequisites 
+
+Azure Payment HSM customers must have:
+
+- Access to the Thales Customer Portal (Customer ID)
+- Thales smart cards and card reader for payShield Manager
+
+## Cost
+
+The HSM devices will be charged based on the service pricing page. All other Azure resources for networking and virtual machines will incur regular Azure costs too.
+
+## payShield customization considerations
+
+If you are using payShield on-premise today with a custom firmware, a porting exercise is required to update the firmware to a version compatible with the Azure deployment. Please contact your Thales account manager to request a quote.
+
+Ensure that the following information is provided:
+- Customization hardware platform (e.g., payShield 9000 or payShield 10K)
+- Customization firmware number
+
+## Support
+
+There is no service-level agreement (SLA) for this public preview.  Use of this service for production workloads isn't supported
+
+The HSM base firmware installed in public preview is Thales payShield10K base software version 1.4a 1.8.3.
+
+Microsoft will provide support for hardware issues, networking issues, and provisioning issues. Support tickets can be created from the Azure portal. Select **Dedicated HSM** as the Service Type, and mention "payment HSM" in the summary field, with a severity case of B or C.
+
+Support through engineering escalation is only available during business hours: Monday - Friday, 9 AM - 5 PM PST.
+
+Thales provides application-level support, such as client software, HSM configuration, and backup.
+
+Customers are responsible for applying payShield security patches and upgrading payShield firmware for their provisioned HSMs. Thales payShield10K versions prior to 1.4a 1.8.3. aren't supported
+
+Microsoft will apply payShield security patches to unallocated HSMs.
+
+## Next steps
+
+- Learn more about [Azure Payment HSM](overview.md)
+- See some common [deployment scenarios](deployment-scenarios.md)
+- Learn about [Certification and compliance](certification-compliance.md)
+- Read the [frequently asked questions](faq.yml)
+
+
diff --git a/articles/payment-hsm/index.yml b/articles/payment-hsm/index.yml
@@ -0,0 +1,54 @@
+### YamlMime:Landing
+
+title: Azure Payment HSM documentation
+summary: Learn how to use Azure Payment HSM to provide cryptographic key operations for real-time, critical payment transactions in the Azure cloud
+metadata:
+  title: Azure Payment HSM documentation
+  description: Learn how to use Azure Payment HSM to provide cryptographic key operations for real-time, critical payment transactions in the Azure cloud
+  services: payment-hsm
+  ms.service: payment-hsm
+  ms.topic: landing-page # Required
+  author: msmbaldwin
+  ms.author: mbaldwin
+  manager: rkarlin
+  ms.date: 01/25/2022 #Required; mm/dd/yyyy format.
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+  # Card
+  - title: About Azure Payment HSM
+    linkLists:
+      - linkListType: overview
+        links:
+          - text: What is Payment HSM?
+            url: overview.md
+
+
+  # Card
+  - title: Get started
+    linkLists:
+      - linkListType: deploy
+        links:
+          - text: Get started with Azure Payment HSM
+            url: getting-started.md
+
+  # Card
+  - title: Concepts
+    linkLists:
+      - linkListType: concept
+        links:
+          - text: Deployment scenarios
+            url: deployment-scenarios.md
+          - text: Certification and compliance
+            url: certification-compliance.md
+
+  # Card
+  - title: References
+    linkLists:
+      - linkListType: reference
+        links:
+          - text: Frequently asked questions
+            url: faq.yml
diff --git a/articles/payment-hsm/media/deployment-1.png b/articles/payment-hsm/media/deployment-1.png
diff --git a/articles/payment-hsm/media/deployment-2.png b/articles/payment-hsm/media/deployment-2.png
diff --git a/articles/payment-hsm/overview.md b/articles/payment-hsm/overview.md
@@ -0,0 +1,115 @@
+﻿---
+title: What is Azure Payment HSM?
+description: Learn how Azure Payment HSM is an Azure service that provide cryptographic key operations for real-time, critical payment transactions
+services: payment-hsm
+author: msmbaldwin
+tags: azure-resource-manager
+
+ms.service: payment-hsm
+ms.workload: security
+ms.topic: overview
+ms.date: 01/20/2022
+ms.author: mbaldwin
+
+
+---
+# What is Azure Payment HSM?
+
+Azure Payment HSM Service is a "BareMetal" service delivered using [Thales payShield 10K payment hardware security modules (HSM)](https://cpl.thalesgroup.com/encryption/hardware-security-modules/payment-hsms/payshield-10k) to provide cryptographic key operations for real-time, critical payment transactions in the Azure cloud. Azure Payment HSM is designed specifically to help a service provider and an individual financial institution accelerate their payment system's digital transformation strategy and adopt the public cloud. It meets the most stringent security, audit compliance, low latency, and high-performance requirements by the Payment Card Industry (PCI). 
+
+Payment HSMs are provisioned and connected directly to users' virtual network, and HSMs are under users' sole administration control. HSMs can be easily provisioned as a pair of devices and configured for high availability. Users of the service utilize [Thales payShield Manager](https://cpl.thalesgroup.com/encryption/hardware-security-modules/payment-hsms/payshield-manager) for secure remote access to the HSMs as part of their Azure-based subscription. Multiple subscription options are available to satisfy a broad range of performance and multiple application requirements that can be upgraded quickly in line with end-user business growth. Azure payment HSM service offers highest performance level 2500 CPS.
+
+Azure Payment HSM a highly specialized service. Therefore, we recommend that you fully understand the key concepts, including [pricing](https://azure.microsoft.com/services/azure-payment-hsm/) and [support](getting-started.md#support).
+
+## Why use Azure Payment HSM?
+
+Momentum is building as financial institutions move some or all of their payment applications to the cloud. This entails a migration from the legacy on-premises (on-prem) applications and HSMs to a cloud-based infrastructure that isn't generally under their direct control. Often it means a subscription service rather than perpetual ownership of physical equipment and software. Corporate initiatives for efficiency and a scaled-down physical presence are the drivers for this. Conversely, with cloud-native organizations, the adoption of cloud-first without any on-premise presence is their fundamental business model. Whatever the reason, end users of a cloud-based payment infrastructure expect reduced IT complexity, streamlined security compliance, and flexibility to scale their solution seamlessly as their business grows.
+
+The cloud offers significant benefits, but challenges when migrating a legacy on-premise payment application (involving payment HSMs) to the cloud must be addressed. Some of these are:
+
+- Shared responsibility and trust – what potential loss of control in some areas is acceptable?
+- Latency – how can an efficient, high-performance link between the application and HSM be achieved?
+- Performing everything remotely – what existing processes and procedures may need to be adapted?
+- Security certifications and audit compliance – how will current stringent requirements be fulfilled?
+
+Azure Payment HSM addresses these challenges and delivers a compelling value proposition to users of the service through the following features.
+
+### Enhanced security and compliance
+
+End users of the service can leverage Microsoft security and compliance investments to increase their security posture. Microsoft maintains PCI DSS and PCI 3DS compliant Azure data centers, including those which house Azure Payment HSM solutions. The Azure Payment HSM solution can be deployed as part of a validated PCI P2PE / PCI PIN component or solution, helping to simplify ongoing security audit compliance. Thales payShield 10K HSMs deployed in the security infrastructure are certified to FIPS 140-2 Level 3 and PCI HSM v3. 
+ 
+### Customer-managed HSM in Azure
+
+The Azure Payment HSM is a part of a subscription service that offers single-tenant HSMs for the service customer to have complete administrative control and exclusive access to the HSM. The customer could be a payment service provider acting on behalf of multiple financial institutions or a financial institution that wishes to directly access the Azure Payment HSM service. Once the HSM is allocated to a customer, Microsoft has no access to customer data. Likewise, when the HSM is no longer required, customer data is zeroized and erased as soon as the HSM is released to ensure complete privacy and security is maintained. The customer is responsible for ensuring sufficient HSM subscriptions are active to meet their requirements for backup, disaster recovery, and resilience to achieve the same performance available on their on-premise HSMs.
+
+### Accelerate digital transformation and innovation in cloud
+
+For existing Thales payShield customers wishing to add a cloud option, the Azure Payment HSM solution offers native access to a payment HSM in Azure for "lift and shift" while still experiencing the low latency they're accustomed to via their on-premise payShield HSMs. The solution also offers high-performance transactions for mission-critical payment applications. Consequently, customers can continue their digital transformation strategy by leveraging technology innovation in the cloud. Existing Thales payShield customers can utilize their existing remote management solutions (payShield Manager and payShield TMD together with associated smart card readers and smart cards as appropriate) to work with the Azure Payment HSM service. Customers new to payShield can source the hardware accessories from Thales or one of its partners before deploying their HSM as part of the subscription service. 
+
+## Typical use cases
+
+With benefits including low latency and the ability to quickly add more HSM capacity as required, the cloud service is a perfect fit for a broad range of use cases, including:
+Payment processing
+- Card & mobile payment authorization
+- PIN & EMV cryptogram validation
+- 3D-Secure authentication
+
+Payment credential issuing
+- Cards
+- Mobile secure elements
+- Wearables
+- Connected devices
+- Host card emulation (HCE) applications
+
+Securing keys & authentication data
+- POS, mPOS & SPOC key management
+- Remote key loading (for ATM & POS/mPOS devices)
+- PIN generation & printing
+- PIN routing
+
+Sensitive data protection
+- Point-to-point encryption (P2PE)
+- Security tokenization (for PCI DSS compliance)
+- EMV payment tokenization
+
+## Suitable for both existing and new payment HSM users
+
+The solution provides clear benefits for both Payment HSM users with a legacy on-premise HSM footprint and those new payment ecosystem entrants with no legacy infrastructure to support and who may choose a cloud-native approach from the outset. 
+
+Benefits for existing on-premise HSM users
+- Requires no modifications to payment applications or HSM software to migrate existing applications to the Azure solution
+- Enables more flexibility and efficiency in HSM utilization
+- Simplifies HSM sharing between multiple teams, geographically dispersed
+- Reduces physical HSM footprint in their legacy data centers
+- Improves cash flow for new projects
+
+Benefits for new payment participants
+- Avoids introduction of on-premise HSM infrastructure
+- Lowers upfront investment via the Azure subscription model 
+- Offers access to latest certified hardware and software on-demand
+
+## Glossary
+
+| Term | Definition |
+|---|---|
+| 3DS | 3D Secure |
+| ATM | Automated Teller Machine |
+| EMV | Europay Mastercard Visa |
+| FIPS | Federal Information Processing Standards |
+| HCE | Host Card Emulation |
+| HSM | Hardware Security Module |
+| mPOS | Mobile Point of Sale |
+| P2PE | Point-to-Point Encryption |
+| PCI | Payment Card Industry |
+| PIN | Personal Identification Number |
+| POS | Point of Sale |
+| SPOC | Software-based PIN Entry on Commercial off the Shelf (COTS) Solutions |
+| TMD | payShield Trusted Management Device |
+
+## Next steps
+
+- Learn more about [Azure Payment HSM](overview.md)
+- Find out how to [get started with Azure Payment HSM](getting-started.md)
+- See some common [deployment scenarios](deployment-scenarios.md)
+- Learn about [Certification and compliance](certification-compliance.md)
+- Read the [frequently asked questions](faq.yml)
diff --git a/articles/payment-hsm/toc.yml b/articles/payment-hsm/toc.yml
@@ -0,0 +1,28 @@
+- name: Payment HSM Documentation
+  href: index.yml
+- name: Overview
+  items:
+  - name: Payment HSM overview
+    href: overview.md
+- name: Get started
+  items:
+  - name: Getting started with Azure Payment HSM
+    href: getting-started.md
+- name: Concepts
+  items:
+  - name: Deployment scenarios
+    href: deployment-scenarios.md
+  - name: Certification and compliance
+    href: certification-compliance.md
+- name: Reference
+  items:
+  - name: Thales payShield 10K
+    href: https://cpl.thalesgroup.com/encryption/hardware-security-modules/payment-hsms/payshield-10k
+  - name: Thales payShield Manager
+    href: https://cpl.thalesgroup.com/encryption/hardware-security-modules/payment-hsms/payshield-manager
+  - name: Thales payShield Trusted Management Device
+    href: https://cpl.thalesgroup.com/encryption/hardware-security-modules/payment-hsms/payshield-trusted-management-device
+- name: Resources
+  items:
+  - name: Frequently asked questions
+    href: faq.yml
