Open Source Payment HSM Simulators

Most card payments software products are proprietary solutions, developed either in-house or to be sold commercially. Because of this there isn’t much out in the open source world to help you develop your own custom solution. However, there are a few libraries out there that are worth a mention, particularly for simulating and testing HSM integrations.

The plan is for this article to be updated over time as I become aware of more of these packages.

Cryptographic Libraries

Because of various industry requirements, the cryptographic processing for things like PIN verification has to be done in dedicated hardware appliances called HSMs. These are Hardware Security Modules, which are tamper-resistant physical devices used to specific types of processing in the payments world. Examples of operations typically done in an HSM directly involving payment cards:

  • CVC / CVV generation (for card personalization), and verification (at authorization time)
  • PIN setting and verification
  • EMV ARQC verification and ARPC generation

All of these operations are special, in that they specifically require the PAN as one of the inputs to the algorithm. As such, any HSM you deploy will be squarely in scope for your PCI DSS audit.

These operations are done in dedicated hardware to ensure the security of PINs, and the cryptographic keys used in the processing. So if the work needs to be done in hardware, why have multiple people written open source software implementations of these algorithms?

Simply put, cost. HSMs are expensive. With a simulator each developer effectively has their own HSM on their desktop. Without a simulator the dev HSM becomes a shared resource, in some cases licensed by the number of hosts allowed to connect.

There is also value in simulating the EMV cryptographic processing done on the ICC (“chip card”) itself. If you are writing an issuer processing platform, you need to be able to calculate test values for the ARQC, as the chip on a card would. Code also exists for actually driving the chip on the card, formatting appropriate requests for it to then respond to.

There are some sites that provide web interfaces where you can supply keys and other material, and they will calculate the appropriate responses for you. Those will be the subject of another article, but here we focus on libraries implementing this functionality. Even if you don’t find one supporting the language you need, these can still be useful reference implementations for understanding how the algorithms work, and data formats involved.