has anyone undergone certification of PCI-DSS using general purpose HSM (and not payshield)?


Can we utilise a general purpose HSM for EMV related work, like ARQC/ARPC? PCI guidelines do not specifically prohibit general purpose HSMs from being used. There are certain constraints (e.g. disallowing translation of ISO Type 0 to Type 1), etc.

But I'm generally curious: has anyone passed certification of an EMV switch using a general purpose HSM?

Here's why I think it is possible: the ISO 9564 and TR-31 standards mandate a few common things like:

b) It must prevent the determination of key length for variable length keys.
c) It must ensure that the key can only be used for a specific algorithm (such as TDES or AES, but not both).
d) It must ensure a modified key or key block can be rejected prior to use, regardless of the utility of the key after modification. Modification includes changing any bits of the key, as well as the reordering or manipulation of individual single DES keys within a TDES key block.

In forthcoming TR-31 regulations, I see that AWS KMS is compliant at the "at-rest integrity checks" using stuff like EncryptionContext and Policy Constraints.

So I'm generally wondering: what prevents us from using KMS for this purpose?

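As an added illustration (not from the question, the answer, or any vendor's code) of the three quoted requirements, this constructed Python checker parses a TR-31-style 16-byte ASCII header and enforces b), c) and d) before releasing a key. The wrap and binding-tag scheme is a simplified stand-in for TR-31's KBPK-derived CMAC/CBC construction, so it demonstrates the checks a key-block consumer must make, not the real cipher; all header values and keys are made-up samples.

```python
import hmac, hashlib, secrets, struct

# Constructed stand-in for a TR-31 key block: 16-byte ASCII header (real TR-31
# layout: version, 4-digit length, 2-char usage, algorithm, mode of use, key
# version, exportability, optional-block count, reserved) + fixed-size wrapped
# payload + 16-byte binding tag. Wrapping/tag are NOT TR-31's algorithms.
BODY_LEN = 48  # fixed payload size: a 16-, 24- or 32-byte key looks identical (req. b)


def parse_header(hdr: bytes) -> dict:
    if len(hdr) != 16 or not hdr.isascii():
        raise ValueError("unsupported key block header")
    return {"version": chr(hdr[0]), "length": int(hdr[1:5]),
            "usage": hdr[5:7].decode(), "algorithm": chr(hdr[7]),
            "mode": chr(hdr[8]), "exportability": chr(hdr[11])}


def _keystream(kbpk: bytes, hdr: bytes) -> bytes:
    # Toy keystream bound to the header; TR-31 derives real cipher keys from the KBPK.
    return hashlib.sha256(b"enc" + kbpk + hdr).digest() * (BODY_LEN // 32 + 1)


def wrap(hdr: bytes, key: bytes, kbpk: bytes) -> bytes:
    body = struct.pack(">H", len(key) * 8) + key          # bit length, then key
    if len(body) > BODY_LEN:
        raise ValueError("key too long for this block size")
    body += secrets.token_bytes(BODY_LEN - len(body))      # random pad hides length
    enc = bytes(a ^ b for a, b in zip(body, _keystream(kbpk, hdr)))
    tag = hmac.new(kbpk, hdr + enc, hashlib.sha256).digest()[:16]  # binds header to payload
    return hdr + enc + tag


def unwrap(block: bytes, kbpk: bytes, required_algorithm: str) -> bytes:
    hdr, enc, tag = block[:16], block[16:16 + BODY_LEN], block[16 + BODY_LEN:]
    h = parse_header(hdr)
    # d) integrity first: a changed header or payload bit is rejected before any use
    expect = hmac.new(kbpk, hdr + enc, hashlib.sha256).digest()[:16]
    if h["length"] != len(block) or not hmac.compare_digest(tag, expect):
        raise ValueError("key block length/MAC check failed")
    # c) the header binds the key to one algorithm; refuse to use it under another
    if h["algorithm"] != required_algorithm:
        raise ValueError(f"key bound to algorithm {h['algorithm']}, not {required_algorithm}")
    body = bytes(a ^ b for a, b in zip(enc, _keystream(kbpk, hdr)))
    nbits = struct.unpack(">H", body[:2])[0]
    return body[2:2 + nbits // 8]
```

A sample header for a TDES PIN-encryption key is `b"D0080P0TE00E0000"` (version D, total length 80, usage P0, algorithm T, mode E, exportable); flipping the algorithm byte to `A` in the header is caught by the tag check, not by the algorithm comparison.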


Mario Alejandro García Rangel:

For ARQC/ARPC verification, PIN block transfers, CVV verification/generation and PIN authentication, a payment HSM such as Thales payShield 9k must be used; in the cloud there is the MyHSM option, or AWS has recently released the AWS Payment Cryptography service. You can comply with PCI DSS with a general purpose HSM, but only to encrypt/decrypt data.

https://aws.amazon.com/es/payment-cryptography/