STS Association Wiki

Security Modules

What is a security module (HSM)?

A HSM (hardware security module) is a device used to encrypt token data using one of the specified EA and DKGA algorithms specified by the IEC62055-41 specification. The HSM contains all the algorithms required for the encryption of token data.


The HSM is typically used in the production of payment meters for encrypting and configuring the payment meter before shiiping to a customer. It is also used by vending systems to generate tokens for payment meters.API (Application programmer interface) documents (STS600-8-x documents) are available for developers wishing to use HSM devices in their system.

Security module types

Several HSM types exist for the implementation of STS compliant systems and payment meters.

Vending module

The vending module allows the generation of credit and management tokens for payment meters. It is connected via TCP/IP or serial connections to the vending system.

Manufacturing module

The manufacturing HSM is only used for the manufacture of payment meters. It cannot generate credit tokens for payment meters.

​Functions supported

The following fucntions are supported by HSM devices (this is not an exhaustive list - please consult the relevant API document for a full list of functions)

  • generation of credit tokens
  • generation of management tokens (including keychange tokens)
  • verification of encrypted tokens

Connection to a vending system

Connection to vending systems is via TCP/IP or USB serial connections.

Coding a security module for use

​The HSM devices are coded with vending keys by the Key Management Centre with customer specific vending keys. These keys are loaded into the security module by the vending system form special files obtained from the KMC, and are unique to a specific HSM device - i.e. a keyload file is only usable for a specific HSM device.

Keyload files

A keyload file is a file containing encrypted vending keys associated with specific Supply Group Codes.

Vending keys