Understanding the changes of Thales payShield 10K

Last year, Thales announced the latest version of its payShield product family, the 10K. Since MYHSM’s inception we’ve been using the Thales 9000 for some of our services and were aware that a new model was on its way, but we were confident in Thales’ track record of ensuring backwards compatibility of the API.

Turns out we were right! However, we were somewhat surprised at Thales’ aggressive timetable for ending the 9000: whilst support for the 9000 continues to December 2022, sales of the 9000 ceased in June 2020.

This came as a surprise to me and my team, and we were certain that we were not the only ones. So, after ruminating on the subject for a while, I wanted to share what I feel this aggressive changeover means for organisations already using the Thales payShield products, both the positive and the negative aspects, while answering questions that users may have.

Do payShield 9000 users have to move to 10K?

Even if users do not currently have a need to migrate to 10K, they will be forced to by the end of 2022. This isn’t because their 9000s will stop working on 1st January 2023, but rather because PCI standards – DSS in particular – require users to apply the vendor’s most recent patches, and these will only be available on the 10K.

Is it a change worth making?

If we consider the positives of the 10K, the most important is that user applications will continue to work without modification. After all, the basic management mechanisms are the same: left/right keys, smartcards, console, payShield Manager. However, this doesn’t really count as a change, as it simply maintains the status quo. So, what are the positives of changing to the 10K?

The top-end 10K model provides about 67% more throughput than the fastest 9000 model.

Then, there are some cost benefits as well. The infrastructure and management costs of payment HSMs are high, and the 10K enhancements provide some relief in this area: a 1U chassis instead of 2U, lower power consumption, hot-swap power supplies and fans, greater MTBF, and faster firmware updates.

From a security perspective, there is stronger tamper protection. The 10K is also certified against the latest v3 PCI PTS HSM standard, whereas the 9000’s v1 certification has expired. The 10K will continue to be updated as required, whereas previous models will be left behind, forced out of compliance by the changing times.

It is important to recognise that this is still the start of the road for the 10K – future developments that would not have been possible on the 9000 will appear on the 10K. For example, Thales are promising ECC capabilities. There are many more we can expect going forward, and Thales will be listening to user feedback to make more enhancements which will benefit fintech offerings.

Be prepared for trouble

Now, it’s only fair that we look at the negatives of switching, and the first that comes to mind is the cost. It will cost to make the upgrade and the old versions cannot simply be tossed in the bin; they will need to be disposed of properly, which will likely incur another cost. But these issues are simply the tip of the iceberg.

The process of moving from the previous model to another, even within the same product family, needs a lot of planning, effort, time, and resource. There will be a testing regime, which may involve a PoC and a pilot. And you will have to figure out how to introduce the new models without interrupting service, and how to roll back in the event of a problem.

Although the management principles on the 10K are similar to the 9000, there are differences, such as the interpretation of status indicators and firmware update procedures. So, your staff will need re-training, and all your procedures (e.g. for PCI compliance) will need to be reviewed and modified. And if you never migrated to the payShield Manager on the 9000, you will have no choice now.

In fact, you’re going to have to keep doing this with every new model. Here’s to the payShield 11K in seven years’ time…

A forcing of the hand

Ultimately, for users of the Thales payShield, there’s not really a choice between an eventual move to the 10K and remaining with the 9000. Everyone will have to move over eventually. So, instead it becomes a question of when you should move over, now or later, and how you should migrate to the 10K. Users can continue with the never-ending cycle of buying and maintaining on-premise models, or look to cloud-based deployment options and reap the rewards associated with the cloud: reduced capex, accelerated time to market, reduced complexity, and increased resilience and scalability.

John Cragg, Chief Executive Officer, MYHSM
