Outlines the various manuals for the payShield 10K Hardware Security Module (HSM).
Defines the intended audience for the payShield 10K Installation and User Guide.
Provides a general description of the payShield 10K HSM, its functions, and role.
Explains the data flow and processing of commands between the Host and the payShield 10K.
Explains the Customer Trust Authority (CTA) as a public/private key pair for authenticating keys.
Describes the encryption mechanism for locally stored keys using the Local Master Key (LMK).
Details the AES HSM Recovery Key (HRK) for restoring keys after tampering.
Discusses the support for multiple LMKs and their benefits for security and operational management.
Describes the Terminal Master Key (TMK) for distributing data-encryption keys to ATMs or POS terminals.
Details the master/session key management scheme for exchanging data-encrypting keys during a session.
Describes how host commands support multiple LMKs and LMK schemes through optional fields.
Introduces the Trusted Management Device (TMD) for securely managing key components to meet PCI standards.
Lists the major differences in Host Interface and Commands between payShield 9000 and payShield 10K.
Lists modifications made to the console commands for the payShield 10K compared to previous versions.
Describes the front panel of the payShield 10K, including key locks and LEDs.
Lists the enhanced physical security features designed into the payShield 10K for default security.
Describes changes to payShield Monitor and SNMP for enhanced monitoring capabilities.
Details the front panel components, including key locks, smart card reader, and LEDs.
Describes the LED display changes during the payShield 10K's power-up sequence.
Describes the air inlets on the payShield 10K, providing cooling for the system and power supplies.
Explains the dual AC/DC power supply units and their features, designed for redundancy.
Describes the two redundant fan trays and their components, which can be independently removed.
Mentions the single PCIe interface slot available on the HSM.
Describes the single USB Type A port, providing power to attached devices.
Outlines the necessary pre-installation tasks, including reading safety documents and planning clearances.
Details the physical characteristics of the payShield 10K, including form factor and dimensions.
Details the step-by-step procedure for installing the HSM, including unpacking and rack mounting.
Introduces the facility for migrating between Local Master Keys (LMKs) for security purposes.
Introduces the payShield 10K hardware platform variant that supports 10G Ethernet.
Lists general notes regarding the payShield 10K 10G Ethernet Hardware Platform, including network connections and port settings.
Provides information on the power consumption of the 10G Ethernet Hardware Platform variant under different port configurations.
Introduces payShield Manager, detailing its features for HSM configuration, installation, and maintenance.
Introduces the chapter on commissioning the payShield 10K using payShield Manager, covering local and remote methods.
Details the steps required for preparing the payShield 10K before the commissioning process begins.
Explains how to connect to the payShield 10K, install browser extensions, and configure the smart card reader.
Details the steps required to complete the commissioning of the payShield 10K for LMK generation and configuration.
Explains how to create a new security domain, which is made up of HSMs and Remote Access Cards.
Describes the functionality provided by payShield Manager, assuming the commissioning process is complete.
Provides instructions on how to log into payShield Manager using the payShield 10K's IP address.
Explains the Summary Tab, which displays summary information about the HSM.
Explains the Status Tab, which allows viewing device information and initiating a reboot.
Describes the Domain Tab, used for viewing and managing the payShield Security Group's Smart Card whitelist and Security Domain.
Describes the icons displayed at the bottom of the screen, providing status and state information.
Explains the Online state, where the HSM permits communication with a Host computer system.
Explains the Secure state, required for highly sensitive functions like generating or loading LMKs.
Details the process of switching the HSM to its Secure state, requiring authentication of specific RACC cards.
Displays information about the HSM, including serial number, firmware version, and PSU status.
Displays the number of error and audit log entries, system uptime, and number of LMKs installed.
Details how to log in additional users and how to log out logged-in users.
Displays a table with HSM details like Model Number, Serial Number, Software Version, and LMK status.
Provides steps to resolve reported errors, using the Status > Maintenance navigation.
Shows the Local Master Key Table and Key Change Storage Table, providing an overview of LMK status.
Displays system name, unit description, serial number, model, performance, and manufacturing date.
Allows enabling/disabling health statistics collection and resetting gathered statistics.
Lists tests that can be run periodically or immediately to diagnose HSM components.
Describes the Error Log, which stores fault information for support personnel.
Configures auditing for user actions, error responses, utilization data resets, diagnostic self tests, and ACL failures.
Allows enabling or disabling auditing for specific host commands.
Provides information on installed software versions and allows new software to be loaded.
Details the FIPS/Licensing tab, including License Summary, Installed Licenses, and FIPS Validated Algorithms.
Lists all licenses currently installed on the HSM.
Explains how to load a TLS certificate into the payShield for secure host communications.
Explains how to install a certificate for securing payShield Manager connections.
Explains Local Master Keys (LMKs), their use in encrypting operational keys, and their security settings.
Explains how to verify an LMK card by reading its data and comparing check values.
Provides instructions on how to duplicate an LMK card to create copies for backup or distribution.
Explains how to install an LMK into Key Change Storage from a set of RLMK cards.
Details the procedure for replacing an installed LMK with a new one, including loading components and confirming details.
Describes how to set a management LMK for HSM purposes not linked to a particular LMK, like authenticating audit trails.
Details the Single Authorization Mode, requiring two cards with authorizing PINs to authorize activities.
Explains the Key Change Storage table, a tamper-proof memory area for storing old LMKs used in LMK migration.
Explains how to control domains and cards, and displays information on loaded certificates.
Manages domains and cards, displaying information on loaded certificates and available operations.
Explains how to decommission a card by erasing its certificates, making it unusable until recommissioned.
Explains how to create a new security domain by entering various parameters like shares, quorum, and common name.
Covers various configuration settings, including Host, Printer, Security, Management, General, Commands, Audit, and SNMP settings.
Shows the current active Host interface (Ethernet or FICON) and allows selection.
Allows network settings configuration for each Ethernet interface, including IP address, subnet mask, and gateway.
Configures TCP and UDP protocol settings, including port, connections, and keepalive parameters.
Allows configuration of connected printers, including port, status, timeout, and line feed order.
Refers to the payShield 10K Security Manual for detailed descriptions of security parameters and their settings.
Configures network settings for the Management Ethernet interface, including MAC address and IP configuration.
Displays the certificate created during the security domain (CTA) establishment.
Allows enabling or disabling specific PIN Block formats on the HSM when in offline or secure state.
Configures fraud detection settings, including HSM reaction to exceeding limits and PIN validation failure limits.
Allows setting HSM System Name, Description, Location, and Contact fields for identification.
Configures the HSM's auditing capabilities to log various events in the Audit Log.
Allows enabling or disabling auditing for specific console commands.
Enables auditing of all HSM Manager events, including logins, state changes, and configuration changes.
Allows saving active configurations to a smartcard, reloading data, or resetting HSM to factory defaults.
Explains the facility to migrate between LMKs for re-encrypting operational keys and data.
Discusses the payShield 10K's ability to install multiple LMKs and their management by security officers.
Details the first stage of LMK setup: creating smart cards with components for the new LMK.
Explains the need to format smart cards before writing LMK components, except for RLMK cards.
Emphasizes the importance of making copies of LMK component cards for security and distribution.
Details how to install the new LMK into Live storage or Key Change storage using Console or payShield Manager.
Describes the process of loading an LMK using console commands, including the required HSM states.
Details how to load the new LMK using the Install button in payShield Manager tabs.
Describes loading the old LMK into Key Change Storage using the LO console command.
Examines the BW host command for converting operational keys from an old LMK to a new LMK of the Variant type.
Describes the BW host command structure for migrating keys from Variant LMKs to Key Block LMKs.
Details the BW host command structure for migrating keys between Key Block-type LMKs.
Explains how to move keys to meet PCI PTS HSM security standards.
Describes the structure of the BG host command used for re-encrypting PINs.
Describes the system state after migrating to a new LMK and synchronizing applications.
Covers the steps for cleaning up after migrating to a new LMK, including deleting old LMKs.
Explains how to delete an LMK from Key Change Storage using the DO console command.
Details the BS host command for erasing an LMK in Key Change Storage.
Explains the syntax for enabling and disabling console commands, including the use of wildcards.
Describes the RESET command to return the HSM to its factory default state, erasing all configuration and data.
Describes the CONFIGCMDS command to view, enable, or disable host and console commands.
Sets the security configuration of the HSM and processing parameters, with options for saving to a smartcard.
Configures the Host port to emulate data communications equipment, allowing settings to be saved to a smartcard.
Selects and configures a connection to a printer attached via USB port.
Configures the Management port, an Ethernet port used solely for HSM management.
Configures the Auxiliary port, an Ethernet port used for SNMP traffic transmission.
Enables or disables motion alarms and configures temperature alarms.
Displays and allows amendment of the period for collecting instantaneous utilization statistics.
Suspends or resumes the collection of Health Check counts, useful when data is not required.
Adds an SNMP User for SNMP version 3, requiring username, authentication, and privacy algorithms.
Displays and configures individual SNMP Trap settings.
Deletes an SNMP Trap destination.
Sets the configuration of the HSM fraud detection function, defining responses and limits for failures.
Lists console commands for performing diagnostic operations on the payShield 10K.
Displays software release number, revision number, and build number.
Records and displays network activity details on Management and Host Ethernet ports for diagnostic purposes.
Displays the path taken from the HSM to a specified address, showing hop details.
Displays Health Check counts and allows resetting accumulated data, requiring specific HSM states for reset.
Describes Variant LMKs and Key Block LMKs, detailing their characteristics and algorithms.
Details the attributes associated with each LMK slot, including ID, Key Scheme, Algorithm, Status, Comments, Authorization, and Old/New Status.
Generates key components for LMKs and stores them on smartcards, supporting various LMK types.
Explains loading an old LMK component set into Key Change Storage for key translations.
Confirms the check value of an installed LMK by comparing it with the value recorded during installation.
Describes how to delete a selected LMK and its corresponding entry in key change storage.
Displays the LMK table and the corresponding table for key change storage, showing LMK details.
Lists host commands for generic key management operations like generation, import, and export.
Generates a key in components and writes them to smartcards, encrypting the formed key.
Builds a key from components, forcing odd parity if clear components are used.
Translates a key from encryption under a ZMK to encryption under an LMK.
Generates a key check value (KCV) for a key encrypted under a specified LMK.
Lists console commands supporting card payment systems host commands.
Generates a VISA PIN Verification Value (PVV) using a PVK and PIN data.
Encrypts a 16-digit decimalization table for use with host commands using IBM 3624 PIN Generation & Verification.
Generates a MAC on the Cryptogram component of a CAP IPB.
Formats an HSM smartcard for LMK storage or HSM settings, with notes on legacy smartcard compatibility.
Verifies key components or shares on a smartcard by comparing computed check values.
Reads details from otherwise unidentifiable smartcards, like RACCs and RLMKs.
Lists console commands for encryption/decryption of data with DES keys.
Encrypts and decrypts data blocks using a given double-length key.
Lists console commands used to configure HSM for payShield Manager use.
Decommissions the HSM by deleting payShield Manager keys and groups.
Commissions the factory warranted HSM, requiring CTA smartcards and key cards.
Defines a RACC as a left or right key in the HSM whitelist.
Transfers an existing HSM LMK from legacy smartcards to payShield Manager RLMK cards.
Shows the state of HSM Management commissioning and whitelist, including trust status and authorized RACCs.
Configures payShield 10K for secure host connections using TLS.
Imports a certificate for storage in the HSM for secure host communications.
Lists currently installed certificates, their status, and chain of trust validity.
Generates a new HSM Recovery Key (HRK) for backing up secret key material.
Restores the HRK and backed-up secret key material in case of tamper-protected memory erasure.
Generates components of a KMD Transport Key (KTK) and stores them on smartcards.
Displays the KTK table, listing all KTKs currently installed in the HSM.
Deletes a selected KTK from the HSM.
Describes how to physically configure the payShield HSM to work with the Host system via console commands.
Configures the Management port, an Ethernet port used solely for HSM management.
Configures HSM Host interfaces using the Console to emulate data equipment, with an option to save settings to a smart card.
Explains the message header used in transactions, its purpose, and configurable length.
Lists various prompts for configuring software parameters like message header length, TCP/IP sockets, and IP addresses.
Explains the payShield's trust model with two key hierarchies: Pre-placed Trust and Customer Trust Authority (CTA).
Outlines the procedure for commissioning the payShield, including securing the HSM and generating a Customer Trust Authority.
Explains how to generate a Customer Trust Authority using the XI console command and store shares on smartcards.
Describes the XH console command for commissioning a factory warranted HSM, requiring CTA smartcards and key cards.
Details how to transfer existing HSM LMKs from legacy smartcards to payShield Manager RLMK cards using the XT console command.
Link to the Thales support portal for technical assistance, warranty, and support information.
| Brand | Thales |
|---|---|
| Model | payShield 10K |
| Category | Network Card |
| Language | English |