Key Management Device (KMD)

The Key Management Device provides secure, flexible and efficient key management for Thales eSecurity payment HSMs.


KMD is a compact, secure cryptographic device (SCD) that enables you to securely form keys from separate components. KMD generates keys in a manner that is compliant with relevant security standards, including X9 TR-39, ANSI X9.24-1 and PCI PIN Security. Unlike traditional approaches, this critical key management task can be carried out without any physical connection to a production HSM, providing greater operational flexibility without compromising security. A single Key Management Device (KMD) can form keys for multiple payment HSMs distributed across multiple data centers.

Reduces Operating Costs

Standalone operation lets personnel import, export and manage HSM keys without having to physically access or interact with transaction HSMs, saving time, reducing travel and minimizing operating costs.

Simplifies Security Audits

By offering a secure approach and leveraging a secure cryptographic device (SCD), this HSM key management solution enables efficient compliance with banking industry security requirements from ANSI, X9 and PCI.

Maximizes Flexibility

With this flexible HSM key management solution, you can use a single device to manage keys for numerous HSMs with multiple LMKs, maximizing flexibility and operational efficiency.

Key Management Support

Offers compatibility with various LMKs used in payShield 9000 and with Thales standard HSM LMK smart cards.

Administration Options

With KMD, you can establish separate administrator and operator roles. LMK component holders can create administrator roles, and administrators assign roles to operators. With the solution, you can enforce dual controls for all operator functions, including key management and system operations.

Physical Security and Certifications

KMD is a tamper-resistant and tamper-responsive device that offers proven support for PCI PED certification schemes. The device offers two-factor authentication using ISO 7816-compliant smart cards.

The solution's key component management is compliant with the following security standards:

  • ANSI X9.24-1:2009
  • X9 TR-39/TG-3:2009
  • PCI PIN Security requirements V2.0:2014

Power Supply Unit

The KMD is supplied with a power cable that is specific to the country/region of use. The following regions are supported: US, UK, Continental Europe, Australia, Italy, Denmark, Switzerland, Israel, India and Japan.

Additional Smart Card Packs

The KMD supports two distinct roles: Administrator, which is analogous to an HSM Security Officer, and Operator. The smart cards used by each role are programmed in a different, highly secure manner, and for security reasons these smart cards are not interchangeable. To complement the smart cards supplied with KMD, customers can purchase additional Administrator and Operator smart cards in packs of 12.

Data Sheet : payShield 9000

Thales payShield 9000 is a payment hardware security module (HSM) that provides the cryptographic protection required for ATM, point of sale (POS), credit and debit card issuance, and processing of transactions. Encryption and management functionality meets or exceeds the operational and security requirements of the major international card systems, including American Express, Discover, JCB, MasterCard, UnionPay and Visa. It is deployed as an external peripheral for mainframes and servers running card issuance applications, mobile platform provisioning, and payment processing software for the electronic payment industry.


Data Sheet : Key Management Device

The Thales eSecurity Key Management Device (KMD) for payment HSMs is a compact, secure cryptographic device (SCD) that enables keys to be formed securely from separate components in a manner that is compliant with relevant security standards including X9 TR-39, ANSI X9.24-1 and PCI PIN Security. With its touch screen graphical user interface, the KMD is simple and intuitive to operate, and is compatible with the full range of Thales payment HSMs including the award-winning payShield 9000. The device configuration and management user interface complies with banking grade security best practices and the installed software is automatically validated for integrity prior to use. Upgrades are supported to meet future functional enhancements and security audit requirements.


Data Sheet : payShield Manager

payShield Manager enables security teams to perform all tasks remote from data centers, reducing costs and delivering greater operational efficiency. payShield Manager is a hardware security module (HSM) management tool specifically designed for the Thales payShield 9000 HSM that operates in both local and remote modes via a standard browser interface. A secure connection to the HSM underpinned by smart card access control enables key management, security configuration and software/license updates to be carried out remotely from the data center.
