IBM Crypto Education Community - Group home

PCI-HSM v4.0 certification for CEX8S/4770 on IBM Z16

The CEX8S/4770 with Common Cryptographic Architecture (CCA) firmware for IBM z16 was recently honored with the Payment Card industry Security Standards Council (PCI SSC) certification as an approved Personal Identification Number (PIN) Transaction Security (PTS) device. 

Audience: Users of CCA for payment or cryptography applications on 
  • ICSF and Linux for IBM Z, 
  • IBM z16.
What is CCA?
CCA is both an Architecture and a set of APIs.  It provides:
  • Crypto algorithms and secure key management
  • Specialized functions for banking and payment network interoperability
  • A common API and architecture for all IBM z, IBM POWER/Cognitive and x64/x86 server platforms
  • Over 156 APIs* with more than 1000 options, from ASC X9 TR-31 key support to ASC X9 TR-34 mutually authenticated RSA/certificate based TDES and AES key exchange, as well as traditional PIN-secured transaction processing and other support for core banking functions and major payment network key derivation and cryptograms.
What are the details?
While PCI DSS applies broadly for protection of cardholder data, PCI PTS PIN (known as PCI PIN) focuses on protection of customer PIN numbers through all data flows, requiring Hardware Security Modules (HSMs) for most payment network use cases.  The PCI PTS program has a stand-alone certification regime for HSMs, known as PCI HSM.  The IBM HSMs certified under PCI-HSM are listed on the PCI website under PCI PTS approved devices.

The approval received recently adds the IBM 4770 (also known as the CEX8S) for IBM Z16 to the list of PCI PTS approved IBM HSMs. This is the first certification achieved for the 4770, which has the official product listing name of "IBM 4770-001 Cryptographic Coprocessor Security Module".  The certificate and the security policy for the IBM 4770 are posted publicly by the PCI SSC at the following link:

How does the IBM HSM support PCI-HSM?

IBM HSMs implement a PCI-HSM 'compliant mode', that must be configured using the IBM Trusted Key Entry Workstation (TKE).  The 'compliant mode' is a net add to your normal run-time mode with the IBM HSM - you can even keep your normal application online and running to the domain while you configure your IBM HSM domain into compliant mode and bring a compliant workload online.  This is possible because the PCI-HSM compliant mode is implemented using securely tagged keys - each compliant-tagged key is only usable in compliant mode and useless otherwise.  Compliant-tagged keys live in the CKDS (IBM key storage) alongside your normal/legacy keys - while the secure tag allows you to run an audit report at any time showing which keys are used with PCI-HSM workloads.

Further note that IBM's HSM virtualization technology, known as domains for IBM Z, is PCI-HSM certified.  This means that the same physical IBM HSM is allowed to have a mix of domains: some configured in PCI-HSM compliant mode and some not, supporting applications of both types at the same time on the physical HSM.

To Learn More...

See this link for the independent review report covering IBM key blocks' PCI compliance (Look for "IBM_Key_Block_Review"):


Watch the CCA news page for any updates:


ICSF Application Programmer's Guide for z/OS V2R5 ICSF 77D2, supporting CCA 8.0 for IBM 4770/CEX8S:


PCI SSC PTS Approved Devices (search for 'IBM Corporation' to see all the IBM approved devices)