Case Study: How Fortanix Displaced Legacy HSMs to Simplify and Modernize Digital Payment Signing at a Global Top 50 Bank

Vikram Fortanix
Vikram Chandrasekaran
Published:Jul 16, 2024
Reading Time:4min
fortanix displaced legacy hsm

With the rise of digital banking and the increasing number of banks, regulators now mandate that all payment-related information be digitally signed before being shared with relevant authorities such as clearing houses or central banks. This ensures the integrity and authenticity of transaction details.

Problem with Legacy HSM

Legacy Hardware Security Modules (HSMs) are still widely perceived as the safest option for storing and controlling access to encryption keys, which is why security standards such as FIPS 140-2 require them.

However, they are also widely known to be exorbitantly expensive and challenging to manage and scale. Their designs date back to when all services were controlled in a traditional data center with a clearly defined perimeter.

Unfortunately, they are no match for today’s modern cloud-first world, where automation and agility are crucial to keeping a financial institution competitive.

The Fortanix solution to Simplify Digital Payment Signing

Fortanix Data Security Manager (DSM) provides a next-generation HSM solution that is accessible wherever encryption services take place—on-premises or in the cloud. It is designed from the ground up to provide KMS (key management system services) with integrated HSMs.

It simplifies cryptographic workflows for modern automation developers (DevOps, DevSecOps, etc.) and is easy for security teams to manage. Fortanix HSM provides the flexibility to deploy it as a physical appliance or adopt fully developed SaaS without compromising the FIPS requirement.

A major global financial institution modernized its payment applications with Fortanix DSM. This adoption facilitates digital transaction signing, ensuring compliance with regulatory requirements by transferring payment details to relevant national authorities such as central banks such as the Federal Reserve in the United States, the European Central Bank (ECB), or the Reserve Bank of India (RBI).

Payment Types:

The bank’s financial applications support two payment types:

1. Fast Payments (e.g., IMPS, RTGS): Real-time transactions with a transfer limit.

2. Non-Fast Payments (e.g., NEFT): Non-real-time transactions that can handle larger amounts.

Both payment types require digitally signed transaction details. The transfer medium can be XML or JSON via API calls. The transactions are digitally signed using the Fortanix API and sent to the regulator.

Fortanix solutions used:

The bank has two options to digitally sign the transaction. The first is to directly interface with Fortanix DSM, either to the SaaS platform or to an appliance cluster. The other approach is to use DSM Accelerator, a locally cached DSM agent. This may be necessary for high-volume, latency-sensitive applications.

Solution 1: Direct to DSM

- Process:

- Private keys are generated and stored in the DSM.

- All signing requests are directed to the DSM.

- Pros:

- This approach is highly secure as the private key never leaves the DSM.

- Cons:

- The bank’s infrastructure team must assess and monitor the required capacity or TPS (transactions per second) to ensure the Fortanix DSM appliance can meet the application’s demand.

Solution 2: DSM Accelerator Method

- Process:

- An exportable RSA key is created in DSM.

- The DSM Accelerator (DSM-A) module is deployed in the same environment as the signing apps. It fetches the key from the main DSM cluster, and caches it. The app can now access the key with near-zero latency to sign the transactions.

- Pros:

- This approach meets high throughput requirements as operations are performed on the application side.

- DSM-A preserves important key attributes, such as access control details, even when the key is exported.

- Cons:

Deploying DSM-A to the app’s environment introduces more maintenance complexity, and security teams may express concerns, delaying the process. However, DSM-A is a very lightweight agent and is successfully deployed in some of the most secure industries.

Adoption Success:

This bank has successfully deployed this solution across multiple regions, including India, Hong Kong, Nepal, Tanzania, and the UAE.

how modernized digital payment signing works

Conclusion

This global bank evolved its digital signing to increase agility and performance. They initially deployed physical DSM appliances and the signing apps interact with DSM directly. Future expansions consider the DSM SaaS platform and the DSM Accelerator to simplify scaling and capacity planning.

Are you a financial institution looking to transform your digital signing process and reduce costs? Read more about Fortanix HSM or contact us! We specialize in modernizing your legacy HSM infrastructure into a next-generation solution.

Share this post:
Fortanix-logo

4.6

star-ratingsgartner-logo

As of August 2023

SOC-2 Type-2ISO 27001FIPSGartner LogoPCI DSS Compliant

US

Europe

India

Singapore

US:

3910 Freedom Circle, Suite 104,
Santa Clara CA 95054

+1 408-214 - 4760|info@fortanix.com

Europe:

High Tech Campus 5,
5656 AE Eindhoven, The Netherlands

+31850608282

India:

UrbanVault 460,First Floor,C S TOWERS,17th Cross Rd, 4th Sector,HSR Layout, Bengaluru,Karnataka 560102

+91 080-41749241

Singapore:

T30 Cecil St. #19-08 Prudential Tower,Singapore 049712