Close this search box.

Instant Financial Transactions: Security with HSM

Instant financial transactions or instant payments, as they are also known, will play a key role in accelerating the economy. One of the reasons that directly impacts the development of trade in general is the lack of agility in transactions.

Despite the technological advances that have taken place to date, we still have a lot to improve.

With the new payment method, baptized by the Central Bank of Brazil as PIX, the main goal of the electronic transfer is to make financial transactions, such as a transfer between accounts, in less than ten seconds, at any time, every day of the week.

However, the immediacy of this new payment method, despite its numerous benefits, raises a problem: if instant payments are made in real time, in a short space of time, is it not also susceptible to fraudulent maneuvers and cyber attacks?

To reduce these risks, the Brazilian central bank has defined fundamental security requirements to ensure the protection of transactions and user data.

And once again, the use of technology will be key for us to adopt instant financial transactions in a safe and efficient way, promoting the transformation of the means of payment.

The big challenge of instant financial transactions

As part of the development of instant payment solutions, banks face an increasing complexity of combating financial fraudulent transactions.

The speed of transactions requires fully automated anti-fraud handling, with no manual review options. The challenge is protection while keeping pace with evolving compliance requirements.

According to the Central Bank, through the PIX technical and business specifications, the instant financial transaction ecosystem should be designed and developed considering good security practices.

This will require ensuring the privacy and protection of users’ data.

Based on this context, the following ecosystem security requirements determined by the CB will need to be met:

Encryption and mutual authentication in communication

Each Payment Service Provider (PSP) must connect to the PIX exclusively via the HTTP protocol using TLS encryption.

There must be mutual authentication when establishing the connection, i.e. both the client and the server must present digital certificates to authenticate themselves.

Digital signature of messages exchanged during instant payments

All messages transmitted on the PIX must be digitally signed by the sender. The receiver will verify the digital signature of each message to ensure its integrity and non-repudiation.

In addition, signatures must appear in the Business Application Header (BAH) of ISO 20022 messages, and the standard adopted is XMLDSig, using the RSA-SHA256 algorithm for signing.

Use and management of Digital Certificates

For both communication encryption and digital signature, ICP-Brasil certificates in the SPB standard should be used.

The activation of a new certificate for a financial institution that makes use of instant financial transactions will take place by sending a specific file in the File Transfer System (STA).

Once the certificate has been validated by the CB, it will be activated automatically.

Cloud based HSM DPoD vs On Prem HSM TCO WP

Maintenance of security logs

All participants in the PIX ecosystem should maintain security logs to record all messages sent and received, allowing for auditing of the messages passed.

The records should contain time references identifying when the messages were signed. In addition, the certificates used and identification of the algorithms used to verify the signature of messages should also be recorded.

While the essence of protecting instant payments lies in data encryption as a solution to protect information relating to PIX transactions, companies can be challenged by the cost and complexity of deploying encryption.

This includes the management of certificates and digital signatures, as well as hardware security modules to protect cryptographic operations.

Indeed, the worsening threat landscape, combined with aggressive cloud adoption and evolving privacy regulations, new challenges related to encryption, privileged access and financial transactions have emerged for financial institutions seeking to evolve the industry.

In addition, many organizations would like to deploy data security more broadly, but are often cautious due to concerns about requirements, complexity, cost and staffing, particularly with respect to encryption and key management.

HSM technology is designed for safety practices and regulatory requirements

When it comes to instant financial transactions, security is one of the most important issues. Banks and financial institutions can suffer considerable financial losses in the event of fraud.

Reliable and flexible protection solutions integrated with payment systems are needed.

A hardware security module (HSM) is a physical device that provides extra security for sensitive data.

This type of device is used to provision cryptographic keys for critical functions such as encryption, decryption and authentication for the use of applications, identities and databases.

As an example, companies can use an HSM to protect trade secrets with significant value. This ensures that only authorized individuals can access the HSM to complete an encryption key transaction.

In the applied context of instant financial transactions, the HSM is recommended for financial institutions to perform the proper management process (generation, safekeeping, activation and revocation) of their digital certificates used within PIX.

HSM solutions are useful for companies that need to run digital rights management or a public key infrastructure.

These systems can be used to provide high levels of security for products that need it, particularly to ensure regulatory compliance.

The direct benefits of HSM applied to instant financial transactions

There are many benefits to using an HSM, these systems are often designed to meet stringent government and regulatory standards, such as the Central Bank’s PIX.

They usually have strong access controls and role-based privilege models, hardware specifically designed for cryptographic operations and resistance to physical tampering, and flexible API options for access.

Using an HSM is the most secure way to store cryptographic keys and manage their lifecycle. Its applicability is now standard practice for any highly regulated organization employing, for example, cloud services.

Cloud providers that don’t offer tools and capabilities are likely to lose business from government, financial and healthcare customers, who demand strong protection controls for all key materials.

To contribute to the transformation process and assist in the implementation of instant financial transaction systems, Eval has digital signature and certificate solutions, such as the E-VALCryptoCOMPE .

Technology developed to provide high performance Digital Signature, or even the EVALCryptoSPB which today serves the digital signature of messages exchanged by the National Financial System. To help with this challenge, your company can count on Eval’s help.

Finally, it is necessary to choose a quality HSM and for this Eval markets the Luna from Thales, the world leader in HSM.

About Eval

A Eval está há mais de 18 anos desenvolvendo projetos nos segmentos financeiro, saúde, educação e indústria. Desde 2004, oferecemos soluções de Autenticação, Assinatura Eletrônica e Digital, e Proteção de Dados. Atualmente, estamos presentes nos principais bancos brasileiros, instituições de saúde, escolas e universidades, além de diferentes indústrias. 

Com valor reconhecido pelo mercado, as soluções e serviços da Eval atendem aos mais altos padrões regulatórios das organizações públicas e privadas, tais como o SBIS, ITI, PCI DSS, e a Lei Geral de Proteção de Dados (LGPD). Na prática, promovemos a segurança da informação e o compliance, o aumento da eficiência operacional das empresas, além da redução de custos. 

Inove agora, lidere sempre: conheça as soluções e serviços da Eval e leve sua empresa para o próximo nível. 

Eval, segurança é valor. 

About the author

Other posts