payShield 10K Installation and User Guide
payShield 10K Installation and User Guide
© Thales Group
Page 30
All Rights Reserved
2.1.8 Rear Panel
2.1.9 Enhanced Security Features
payShield 10K software has been designed, where practical, to be secure by default. Most security settings affecting
configurations are set to their most secure value by default.
Attention: All Host commands, most console commands and all PIN Blocks
have been disabled by default
.
Note:
The security parameters required may vary depending on your security policy and system environment, and
Thales recommends that you review the
payShield 10K Security Manual
as well as consult your internal Security
Manager for full details.
payShield 10K has been designed with the following enhanced physical security features:
•
A tamper resistant and responsive design
•
Fully locked-down chassis lid with no ability to open
•
Tamper sensors for chassis lid, crypto processor cover, motion, voltage and temperature
•
Two levels of tamper:
•
Medium tamper erases all sensitive data
•
High tamper erases all sensitive data and permanently disables use of the unit
•
Sensitive data immediately erased in the event of any tamper attempt
Compliance with PCI HSM Version 3 requirements introduce some rules which may cause incompatibility between
PCI HSM compliant payShield 10K HSMs and earlier non-compliant HSMs:
•
In most cases, security settings default to the most secure option
•
All Host and console commands are disabled.
Note: The
console command CONFIGCMD is not disabled by default.
•
All PIN blocks are disabled
Control is provided in the security settings to allow the user to select whether to operate in the “classic” manner or
in the PCI HSM compliant manner.
Three new settings have been added to the “Security Configuration Settings” for PCI HSM V3: