The first HSM-module appeared in Russia to replace the products that left the country Thales

The first HSM-module has appeared in Russia to replace the products of Thales, which left the country, which today provides encryption of card payments. Banks must switch to domestic modules from January 1, 2024. According to experts, for this you will have to rebuild the interface, and the replacement of the modules themselves can result in multimillion-dollar expenses.

Last week, the first manufacturer of payment HSM-modules “CryptoPro” received all the necessary certificates. Now the equipment can be used by banks and processing companies to protect card payments.

According to the company, it “for the first time in the country has developed and certified a payment HSM, which can be a full-fledged replacement for Thales products, the largest manufacturer of payment HSMs that left Russia, which currently ensures the security of the vast majority of transactions using payment cards in the Russian Federation and in the world”.

As Vladimir Prostov, a representative of CryptoPro, specified to Kommersant, “the number of modules that the company is ready to release on a monthly basis will depend on the number of orders.”

The decision to promptly replace foreign HSM modules with domestic ones was made at a meeting of the Central Bank with banks and domestic manufacturers last spring (see Kommersant dated April 20, 2022). Since then, Russian companies producing HSM modules have been developing its payment option, which banks and processing companies could use to encrypt card transactions.

However, not everyone made it to the finish line. For example, InfoTeKS, which was preparing to launch ViPNet HSM PS on the market, abandoned these plans. According to the company’s deputy general director Dmitry Gusev, the company does not plan to certify the payment module. “The HSM module is a complex technical device, it needs to be manufactured and tested for compatibility with the information systems of specific banks, so, naturally, it takes time,” he explained the long terms of any project in this area. Practical Security Systems, still planning to bring the SPB HSM PS to market, expects to receive certifications in the second quarter.

However, CryptoPro HSM 2.0 R3, which received the necessary certificates, is not yet fully ready to replace Thales products, according to market participants. According to a Kommersant source among customers, the module has “problems in working with online transactions that need to be fixed before the end of the year.” In addition, according to him, in the module itself “there are components from unfriendly countries, which means there is a risk associated with their supply.” At the same time, Kommersant’s interlocutor clarified that “there is already a stock of modules in stock and a number of payment market participants have begun testing them.”

According to the provisions of the Bank of Russia, operators of significant payment systems, including VTB, Gazprombank, Rosselkhozbank and Sberbank, from January 1, 2024, are required to ensure the use of domestic hardware security modules that have been tested for compliance with the requirements of the Federal Security Service of Russia. Moreover, the Central Bank explained to Kommersant that banks that do not act as operators of significant payment systems can be participants in the Mir PS, therefore they must also comply with the requirements.

According to Kommersant’s sources, large banks with their own processing will have to replace dozens of modules, the price of each of which is “measured in millions of rubles.” VTB told Kommersant that “they are testing several solutions recommended by the NSPK for implementation in order to further switch to a domestic product.” Gazprombank, Rosselkhozbank and Sberbank did not respond to Kommersant’s requests.

“In this example, we can see how divorced the legislation is from the real market – the replacement requirement came out before the equipment itself appeared,” emphasizes Fedor Muzalevsky, director of the RTM Group technical department. At the same time, all banking processing software was developed specifically for Thales HSM, adds Anatoly Romashev, director of the design department at Informzashchita, and “rewriting it is not a quick task.”

Maxim Builov, Yulia Poslavskaya