HSM (Hardware Security Module)

Hardware Security Module: tamper-resistant cryptographic device

A Hardware Security Module (HSM) is a dedicated appliance or PCIe card (or a cloud HSM service) that generates, stores, and uses cryptographic keys inside a tamper-resistant, tamper-evident boundary: callers invoke operations through an API, and keys leave the device only in wrapped form, if at all. Payment systems use HSMs for PIN translation (re-encrypting a PIN block from one zone key to another without ever exposing the PIN), key wrapping, and PAN encryption and decryption, operations that must never run in general-purpose application memory.

PCI PIN requires HSMs (secure cryptographic devices) for PIN-handling functions, and PCI DSS and card network rules expect production key-management operations to run in validated hardware (FIPS 140-2/140-3 or PCI HSM) or a documented equivalent. Software-only key storage is difficult to defend in assessments for high-volume or Level 1 environments. Cloud HSM offerings (AWS CloudHSM, GCP Cloud HSM, Azure Dedicated HSM) provide the same validated boundary with different operational tradeoffs: the provider runs the hardware, but the customer still owns the key lifecycle and, depending on the product, the partition credentials and client connectivity.

Token service providers keep key-encryption keys (KEKs) inside the HSM and wrap data encryption keys (DEKs) under them, and they perform sensitive operations such as cryptogram generation inside the boundary, so KEKs are never exported in plaintext and DEKs exist in plaintext only where they are in use. In a bring-your-own-key (BYOK) model the merchant generates key material and imports it wrapped under a public key whose private half lives in the provider's HSM. Merchants evaluating BYOK should understand that the key they supply is still used inside the provider's HSM after import, and which operations it actually covers versus keys the provider generates itself.
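The wrap/unwrap and BYOK import flows described above, as an added example that is not Veliro's code and not any real HSM API. It assumes a hypothetical SimulatedHSM type whose KEKs are reachable only through its methods, uses AES-256-GCM for DEK wrapping and RSA-OAEP-SHA256 for the BYOK import (the wrapping scheme cloud HSM and KMS products commonly use for key import), and binds the KEK handle into every wrap as AAD or OAEP label so a wrapped blob cannot be replayed against a different KEK. The handle names and the "provider-kek" default are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// AES-256-GCM helpers; blob layout is 12-byte nonce || ciphertext || 16-byte tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// SimulatedHSM is a hypothetical stand-in for the tamper-resistant boundary, not a
// real HSM API: KEKs live only in the unexported map and are used, never returned.
type SimulatedHSM struct {
	keks      map[string][]byte // handle -> 256-bit key-encryption key
	importKey *rsa.PrivateKey   // private half of the BYOK import key pair
}

// NewSimulatedHSM generates a provider-owned KEK under the handle "provider-kek".
func NewSimulatedHSM() (*SimulatedHSM, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	importKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &SimulatedHSM{keks: map[string][]byte{"provider-kek": kek}, importKey: importKey}, nil
}

// ImportPublicKey is what a BYOK customer fetches to wrap the key they supply.
func (h *SimulatedHSM) ImportPublicKey() *rsa.PublicKey { return &h.importKey.PublicKey }

// ImportKEK installs a customer KEK that arrived RSA-OAEP-SHA256-wrapped under the
// import key. The handle doubles as the OAEP label, so the blob is bound to it.
func (h *SimulatedHSM) ImportKEK(handle string, wrapped []byte) error {
	kek, err := rsa.DecryptOAEP(sha256.New(), nil, h.importKey, wrapped, []byte(handle))
	if err != nil {
		return err
	}
	if len(kek) != 32 {
		return errors.New("imported KEK must be 256 bits")
	}
	h.keks[handle] = kek
	return nil
}

// GenerateDataKey returns a fresh DEK in plaintext (for immediate use) and wrapped
// under the named KEK (for storage). The KEK never leaves; the handle goes in as
// AAD, so a wrapped DEK cannot be unwrapped under a different KEK.
func (h *SimulatedHSM) GenerateDataKey(handle string) (plainDEK, wrappedDEK []byte, err error) {
	kek, ok := h.keks[handle]
	if !ok {
		return nil, nil, errors.New("unknown KEK handle")
	}
	plainDEK = make([]byte, 32)
	if _, err = rand.Read(plainDEK); err != nil {
		return nil, nil, err
	}
	wrappedDEK, err = seal(kek, plainDEK, []byte(handle))
	return plainDEK, wrappedDEK, err
}

// UnwrapDataKey recovers a stored DEK at read time. An unknown handle yields a nil
// key, which AES rejects, so the call fails instead of silently using a zero key.
func (h *SimulatedHSM) UnwrapDataKey(handle string, wrappedDEK []byte) ([]byte, error) {
	return open(h.keks[handle], wrappedDEK, []byte(handle))
}

// CustomerWrapForImport is the customer side of BYOK: the customer keeps kek and
// ships only this OAEP-wrapped copy to the provider.
func CustomerWrapForImport(pub *rsa.PublicKey, handle string, kek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kek, []byte(handle))
}
```

The point to notice when exercising this: after ImportKEK the merchant-supplied key is used by the HSM exactly like the provider-generated one, and the merchant's own copy can still unwrap every DEK the HSM produces under it (open with the same key and handle), so that copy needs the same custody controls as the HSM partition it was imported into.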

Veliro’s vault and cryptogram infrastructure uses FIPS-validated, HSM-backed modules for key custody and scheme connectivity. HSMs are invisible in day-to-day API work, but they underpin the assurance claims made in security reviews and form part of the PCI AoC (Attestation of Compliance) scope.

Disaster recovery drills should exercise HSM availability and the key ceremony steps (custodian quorum, backup restore, partition re-initialization), not only application failover. Payment outages caused by expired HSM partition or client certificates and credentials are rare, but they last a long time when they occur, because recovery usually means a key ceremony with the custodians present.
