Payment HSMs Are Going Cloud-Based-as-a-Service

Payment Hardware Security Modules (HSMs) will present a more than US$681 million market opportunity by 2028. ABI Research expects cloud-based, service-centric offerings to gain significant traction in this space as they provide superior flexibility, simplicity, and cost savings for banks and financial service institutions.


Payment HSM Market Update

Shipment revenue is the primary revenue source in the payment Hardware Security Module (HSM) market, and margins are higher than for general-purpose HSMs. The reason is regulatory: strict payment regulations and the complexity of Payment Card Industry (PCI) certification mean that a payment HSM is typically sold with an all-inclusive service subscription. Customers buy comprehensive support and warranty packages to stay compliant, which creates high sunk costs and slows any move to cloud-based services. A fully compliant and cost-effective HSM-as-a-Service (HSMaaS) could attract these customers, but the risk aversion of the traditional bank and financial-firm user base remains a significant barrier.

The market outlook shows a flat year for payment HSM shipment revenue in 2023 due to macroeconomic pressures, alongside the first payment HSM services from Cloud Service Providers (CSPs) such as Microsoft Azure and Amazon Web Services (AWS). Between 2025 and 2026, shipment revenue and service spending are expected to rise, driven by demand in open banking, digital transactions, Internet of Things (IoT) payments, and Central Bank Digital Currencies (CBDCs). By 2027-2028, growing trust in HSMaaS is expected to lift both shipments and service revenue as more providers enter the market.

By 2028, ABI Research forecasts payment HSM revenue to reach US$681.33 million worldwide, up from US$527.9 million in 2024.


“The availability of a fully compliant and cost-effective payment HSMaaS is likely to entice some customers that may want to divest themselves of the complications of administering and configuring a payment HSM on-premises. The opportunity for the payment HSMaaS market is clear, but has a significant risk-averse barrier to overcome from the traditional user base.”  – Michela Menting, Senior Research Director at ABI Research


Traditional Banks and Financial Service Providers Still Prefer On-Premises HSMs

Banks and financial service providers handle highly sensitive data, so digital security is a core priority. They are naturally skeptical about outsourcing the management of their payment HSMs, because they are accustomed to the full control that an on-premises deployment gives them. They also want to retain control of the applications and processes that depend on the HSM. A further factor is that handing over HSM configuration and administration to a third party is hard to reconcile with many Payment Card Industry (PCI) requirements, which assume the institution itself controls key management and device administration. Cloud-based HSM solutions are therefore still seen as a risky proposition by financial service providers.

Neo and challenger banks show the most trust in HSMaaS. These institutions already run on cloud-based infrastructure and approach payment transaction processing differently from incumbents. As a result, neo and challenger banks are pivotal in building trust for service-based HSMs on the merchant side of the wider payments market.

Service-Based HSMs Reduce Costs for Users

Deploying an HSM solution on-premises is not always economically sensible. Banks and financial service institutions typically buy enough HSM capacity to handle peak load. Because peak load occurs only a few times a year, for example at Christmas or during other high-spending periods, that capacity sits idle most of the time and the on-premises deployment becomes a sunk cost.

A cloud-based HSM service does not face this challenge. HSMaaS offers significantly more flexible pricing, so users pay only for actual usage: peak capacity is paid for when peaks happen, not year-round. Provided the service-based payment HSM can be trusted, its cost-saving potential makes the HSMaaS opportunity significant.

An essential part of building that trust is that the HSMaaS vendor, not just the customer, meets PCI compliance for its side of the service.

Related Research: Cloud Provider Approaches to HSM-as-a-Service Solutions

Service-Based Payment HSMs Simplify Compliance

PCI compliance is one of the biggest hurdles for payment service providers deploying HSMs. Not only is the process complex, it also costs tens of thousands of dollars annually in certification and audit fees. Beyond using HSM devices approved under the PCI PIN Transaction Security (PTS) HSM Modular Security Requirements, payment providers must also meet the following PCI standards:

  • PCI Point-to-Point Encryption (PCI P2PE): Requires PCI-approved HSMs in the decryption environment that protects payment transactions
  • PCI PIN Security Requirements (PCI PIN): Mandatory for Personal Identification Number (PIN) and Primary Account Number (PAN) processing, and covering HSMs operated in the cloud
  • PCI Data Security Standard (PCI DSS): For service providers handling cardholder data
  • PCI Payment Application Data Security Standard (PA-DSS): For software developers (retired by the PCI Security Standards Council in October 2022 in favour of the PCI Software Security Framework, so new validations now fall under that framework)

Currently, compliance responsibility for most managed service-based payment HSMs is shared between the service provider (PCI PIN, PCI DSS), the HSM Original Equipment Manufacturer (OEM) (PCI PTS), and the customer (PCI P2PE). The future of payment HSM compliance, however, lies in outsourcing these responsibilities entirely, allowing banks and financial institutions to focus solely on payment processing and the associated applications. To date, Amazon Web Services (AWS) with AWS Payment Cryptography and Verisec with its 10XPAY service are the only vendors offering the full set of PCI compliance obligations for payment HSMs as part of the service.

Key Companies

  • Thales leads the payment HSM market with its payShield products, offering services on its cloud and through CSPs, such as Azure, AWS, and GCP.
  • Futurex, a smaller competitor, provides Excrypt HSMs with service-based options and Federal Information Processing Standards (FIPS) 140-2 Level 3 certification. Its CryptoHub line also includes Peripheral Component Interconnect Express (PCIe) formats.
  • Utimaco offers a network-attached HSM, PaymentServer, with service options but no CSP marketplace presence. Integration must be done through Utimaco, with HSMs owned by the customer.
  • IBM bundles its Crypto Express (CEX) PCIe HSMs with its Z mainframe servers, offering an integrated solution widely used by major financial and payment providers.
  • Atos and Worldline are prominent in France, while Kryptus in Brazil and Procenne in Turkey have regional operations with limited international sales.

Learn More

Download ABI Research's Payment HSMs: The Emerging HSMaaS Opportunity report to gauge HSM vendor strategies, emerging opportunities in payment HSM-as-a-Service, and the key players in the market. This deliverable is part of the company's Hardware Security Modules Research Spotlight.