Thales eSecurity Payment HSM

The scalable payShield 9000 is the most widely deployed payment HSM in the world, used in an estimated 80% of all payment card transactions.

payShield 9000

Designed specifically for payment applications, payShield 9000 from Thales eSecurity is a proven hardware security module (HSM) that performs such tasks as PIN protection and validation, transaction processing, mobile and payment card issuance, and key management. The payShield 9000 payment HSM security solution delivers high assurance protection for automated teller machine (ATM) and point of sale (POS) credit and debit card transactions.

Leverage Proven Capabilities

The payShield 9000 payment HSM delivers comprehensive, certified security specially designed for card issuing, mobile provisioning and payment transaction processing. Provides off-the-shelf support for all major payment applications.

Reduce Compliance Costs

Streamlines deployment and maintenance and reduces the cost of compliance. Features software options and a flexible platform tailored to issuers, processors and acquirers.

Maximize Resilience

Ensures maximum business continuity, offering redundant hardware, field serviceable components and support for clustering and failover.

Cryptographic Algorithms Supported

  • DES and Triple DES (key lengths 112 bit, 168 bit)
  • AES (key lengths 128 bit, 192 bit, 256 bit)
  • RSA (key lengths up to 4096 bit)
  • MD1
  • SHA-1
  • SHA-2
  • FIPS 140-2 level 3
  • PCI HSM V1 (selected configurations only)
  • APCA
  • MEPS

Key Management Support

  • Thales Key Block (compliant with ANSI X9.24; superset of X9 TR-31)
  • X9 TR-31 Key Block
  • RSA Public Key
  • DUKPT for PIN and data encryption
  • Master/Session Key Scheme
  • Racal Transaction Key Scheme
  • AS2805

Base Software Packages

Thales eSecurity provides a selection of base software packages that are closely aligned with customer deployment and usage requirements.

Optional Software Licenses

In addition to the base software package, you can add more functions through a series of optional licenses, which can be purchased independently and installed at any time throughout the product lifecycle.

Performance Updates

As transaction volumes grow, you can deploy additional HSMs to meet higher load requirements. You can also purchase a performance upgrade for an existing HSM.

Remote Management

Each payShield HSM can be managed remotely via the purchase of a dedicated optional license, helping to reduce operating costs.

Key Management Device (KMD)

The KMD is a standalone handheld device that builds keys from constituent components. The device operates in a highly secure manner, and eliminates the need to have a physical connection to a production HSM.

Cabinets and Runner Kits

Customers can choose from a wide range of cabinets to suit their specific data center storage requirements. Optional runners are available as kits to fit to the sides of the payShield 9000.

Replacement Locks and Keys

payShield 9000 uses two highly secure locks with associated keys on the front panel as part of the security administration procedures. The items are tightly controlled and registered and are not available on the open market. In the event customers' locks are damaged or keys are lost, Thales provides lock replacement and key supply services.

Additional Smart Cards

Each payShield 9000 is shipped with a set of blank LMK component cards as well as test LMK cards. Additional packs of 6 cards are available, helping you meet operational and security requirements across multiple data centers.

Data Sheet : payShield 9000

Thales payShield 9000 is a payment hardware security module (HSM) that provides the cryptographic protection required for ATM, point of sale (POS), credit and debit card issuance, and transaction processing. Its encryption and management functionality meets or exceeds the operational and security requirements of the major international card systems, including American Express, Discover, JCB, MasterCard, UnionPay and Visa. It is deployed as an external peripheral for mainframes and servers running card issuance applications, mobile platform provisioning, and payment processing software for the electronic payment industry.


Brochure : Sensitive Data Protection in the Retail Card Payments Ecosystem

This document provides an overview of how organizations can leverage a mixture of the payShield HSM and Vormetric Data Security Platform solutions to provide complete protection of sensitive data as part of their retail card payment processing activities which are linked to a customer PAN. The technology covered is suitable for protecting transactions made using physical plastic cards (contact and contactless), mobile wallet transactions (in-store and remote) and online/e-Commerce browser-based transactions.


Brochure : Transaction Processing using payShield HSMs

Thales payShield HSMs are the HSMs of choice for leading payment solution providers and technology vendors. This document provides an overview of the features and benefits of the payShield transaction processing functionality that is used to help secure the retail payments ecosystem.


Brochure : Payment Credential Issuing using payShield HSMs

Thales HSMs have been used for many years to prepare data for EMV chip cards, personalize the cards and help manage the complete lifecycle of the cryptographic keys and associated payment application credentials. payShield also supports the data preparation and provisioning of mobile devices, wearables and connected devices used to make payments. This document provides an overview of the payShield issuance functionality.


Data Sheet : Key Management Device

The Thales eSecurity Key Management Device (KMD) for payment HSMs is a compact, secure cryptographic device (SCD) that enables keys to be formed securely from separate components in a manner that is compliant with relevant security standards including X9 TR-39, ANSI X9.24-1 and PCI PIN Security. With its touch screen graphical user interface, the KMD is simple and intuitive to operate, and is compatible with the full range of Thales payment HSMs including the award-winning payShield 9000. The device configuration and management user interface complies with banking grade security best practices and the installed software is automatically validated for integrity prior to use. Upgrades are supported to meet future functional enhancements and security audit requirements.


Data Sheet : payShield Manager

payShield Manager enables security teams to perform all tasks remote from data centers, reducing costs and delivering greater operational efficiency. payShield Manager is a hardware security module (HSM) management tool specifically designed for the Thales payShield 9000 HSM that operates in both local and remote modes via a standard browser interface. A secure connection to the HSM underpinned by smart card access control enables key management, security configuration and software/license updates to be carried out remotely from the data center.


PCI Approvals for payShield 9000 FAQ

payShield 9000 is independently certified against security standards including FIPS 140-2 and PCI HSM. This FAQ document helps answer questions on broader PCI compliance and how payShield 9000 assists in such efforts.


Case study : CreditCall

CreditCall, a leading payment gateway service provider, saw a huge opportunity to reach a new market with an innovative, mobile point-of-sale (POS) credit card payment technology. In years past, it was difficult for certain types of merchants to utilize mobile POS systems. The technology was expensive: smaller merchants often couldn’t afford the costs or didn’t want the long-term contractual commitments. Traditional POS equipment requires a physical network connection, meaning merchants who provided products or services away from an office or retail location were forced to either operate on a cash basis, missing out on the convenience and security that credit card payments offered, or rent expensive and bulky GPRS terminals. With the enormous popularity of mobile devices, CreditCall envisioned an opportunity to bring face-to-face card payment solutions to a whole new category of smaller businesses and micro-merchants by incorporating portable, low-cost card reader devices that could connect wirelessly via (merchant-owned) tablets and smartphones to remote payment gateways. Mobile businesses like gardeners, plumbers and electricians could now accept credit card payments on-site at their customers’ homes. This solution now stands to replace conventional POS systems in certain environments, with low-cost readers and mobile device-based application software. This significantly reduces cost and complexity, paving the way for widespread adoption by all types of merchants, not just micro-merchants.


Case study : Mint Payments

With the decline of cash payments, merchants of all sizes are increasingly looking for a flexible, cost effective and secure payments solution to accept EFTPOS (electronic funds transfer at point of sale) and credit card transactions on the go. It is no longer just the established bank acquirers and third party processors that want to offer card-based payment solutions to merchants, with telcos and other service providers looking to integrate card payments into their solutions or expand their current offerings. Together with the increasing desire for integrators to develop payment functions into their mobile apps, a solution supporting secure card acceptance without the traditional merchant POS device installation, configuration and security audit complexity is urgently needed.


Case study : Swiftch

Swiftch, a nimble start-up company, saw an opportunity to be a part of this cashless society by providing innovative, simple and secure card-based acceptance solutions to all levels of merchants and acquirers. The biggest challenge was to choose an industry leading partner who would be able to assist in delivering a flexible, secure and scalable hardware infrastructure, compliant with the stringent Payment Card Industry Data Security Standard (PCI DSS) security requirements.


Solution brief : Miura

Mobile payment card acceptance solution using Miura Shuttle and Thales payShield 9000. The Thales payShield 9000 HSM is used by the PSP to provide a card scheme certified method for remotely deploying the cryptographic keys required by the Miura Shuttle device for PIN and data encryption and to perform the secure decryption of the payment transaction data prior to onward transmission to the acquirer.


Solution brief : Verisoft

Learn how to balance risk and security in mobile payments. Build and deploy a complete end-to-end HCE ecosystem quickly and securely with a hardened root of trust. Thales payShield HSM integrates with D8 HCE Server to ensure encryption and secure storage of the keys used to generate EMV cryptograms for issued tokens.

  • Cover the complete end-to-end ecosystem for HCE-based payments
  • Separate mobile and card PANs in common customer accounts
  • Leverage Google Play store for mobile application downloads
  • Use certified HSMs throughout system to deliver maximum key protection

