What is a security module (HSM)?
An HSM (hardware security module) is a device that encrypts token data using one of the EA and DKGA algorithms specified by IEC 62055-41. The HSM contains all the algorithms required for the encryption of token data.
The HSM is typically used in the production of payment meters to encrypt and configure the payment meter before shipping to a customer. It is also used by vending systems to generate tokens for payment meters.
API (application programming interface) documents (the STS600-8-x documents) are available for developers wishing to use HSM devices in their systems.
Security module types
Several HSM types exist for the implementation of STS-compliant systems and payment meters.
The vending module allows the generation of credit and management tokens for payment meters. It is connected via TCP/IP or serial connections to the vending system.
The manufacturing HSM is used only for the manufacture of payment meters. It cannot generate credit tokens for payment meters.
The following functions are supported by HSM devices (this is not an exhaustive list; please consult the relevant API document for a full list of functions):
- generation of credit tokens
- generation of management tokens (including keychange tokens)
- verification of encrypted tokens
Connection to a vending system
Connection to vending systems is via TCP/IP or USB serial connections.
Coding a security module for use
HSM devices are coded by the Key Management Centre (KMC) with customer-specific vending keys. The vending system loads these keys into the security module from special files obtained from the KMC. These files are unique to a specific HSM device, i.e. a keyload file is only usable for a specific HSM device.
A keyload file is a file containing encrypted vending keys associated with specific Supply Group Codes.