What are the details?
While PCI DSS applies broadly to the protection of cardholder data, PCI PTS PIN (known as PCI PIN) focuses on protecting customer PINs through all data flows, and requires Hardware Security Modules (HSMs) for most payment network use cases. The PCI PTS program has a stand-alone certification regime for HSMs, known as PCI HSM. The IBM HSMs certified under PCI-HSM are listed on the PCI website under PCI PTS approved devices.
The recently received approval adds the IBM 4770 (also known as the CEX8S) for IBM z16 to the list of PCI PTS approved IBM HSMs. This is the first certification achieved for the 4770, which has the official product listing name "IBM 4770-001 Cryptographic Coprocessor Security Module". The PCI SSC has publicly posted the certificate and the security policy for the IBM 4770 at the following link:
https://listings.pcisecuritystandards.org/popups/pts_device.php?appnum=4-20373
How does the IBM HSM support PCI-HSM?
IBM HSMs implement a PCI-HSM 'compliant mode' that must be configured using the IBM Trusted Key Entry Workstation (TKE). The 'compliant mode' is a net addition to your normal run-time mode with the IBM HSM: you can even keep your normal application online and running against the domain while you configure your IBM HSM domain into compliant mode and bring a compliant workload online. This is possible because the PCI-HSM compliant mode is implemented using securely tagged keys. Each compliant-tagged key is usable only in compliant mode and is useless otherwise. Compliant-tagged keys live in the CKDS (IBM key storage) alongside your normal/legacy keys, and the secure tag allows you to run an audit report at any time showing which keys are used with PCI-HSM workloads.
Further note that IBM's HSM virtualization technology, known as domains for IBM Z, is PCI-HSM certified. This means that the same physical IBM HSM is allowed to have a mix of domains: some configured in PCI-HSM compliant mode and some not, supporting applications of both types at the same time on the physical HSM.
To Learn More...
See this link for the independent review report covering IBM key blocks' PCI compliance (look for "IBM_Key_Block_Review"):
(https://public.dhe.ibm.com/security/cryptocards/pciecc4/docs/)
Watch the CCA news page for any updates:
(https://www.ibm.com/security/cryptocards/cryptonews)
ICSF Application Programmer's Guide for z/OS V2R5 ICSF 77D2, supporting CCA 8.0 for IBM 4770/CEX8S:
(https://www-40.ibm.com/servers/resourcelink/svc00100.nsf/pages/zOSV2R5sc147508/)
PCI SSC PTS Approved Devices (search for 'IBM Corporation' to see all the IBM approved devices):
(https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices?agree=true)