Introducing the payShield 10K

  • Payment HSM payShield 10K

    payShield 10K, the fifth generation of payment HSMs from Thales, delivers a suite of payment security functionality proven in critical environments including transaction processing, sensitive data protection, payment credential issuing, mobile card acceptance and payment tokenization. Like its predecessors over the past 30+ years, payShield 10K can be used throughout the global payment ecosystem by issuers, service providers, acquirers, processors and payment networks.

    Thales payShield 10K Product Picture

    You can confidently secure digital payments.

    Playing a fundamental security role for both face-to-face and digital remote payments, it delivers the necessary trust that underpins the communications between payments participants. Thales payShield 10K addresses the latest mandated security requirements and best practices for a wide range of organizations including EMVCo, PCI SSC, GlobalPlatform, Multos, ANSI and the various global and regional payment brands and networks.


    Simplify deployment

    Our payment HSMs are capable of being securely configured, managed and monitored remotely from locations of convenience to reduce your costs and simplify your ongoing operations.

    Maximize resilience

    Equipped with dual hot-swappable power supplies and fans, our latest HSMs significantly increase the mean time between failure (MTBF) and simplify field maintenance.

    Leverage proven integrations

    Thales payment HSMs are the most widely deployed in the world and are supported by the largest number of payment application providers.


    Card/Mobile Payments Support

    payShield 10K has a comprehensive range of functions that supports the needs of the leading payment brands (American Express, Discover, JCB, Mastercard, UnionPay and Visa) including:

    PIN and card verification functions for all major payment brands

    EMV transaction authorization and messaging

    Mobile payment transaction authorization and key management

    Remote Key Loading for ATM and POS devices

    Regional/National key management (including Australia, Belgium, Germany and Italy)

    Mastercard On-behalf key management (OBKM) support

    Magnetic stripe and EMV-based data preparation and personalization including mobile provisioning

    PIN generation and printing

    Cryptographic Algorithms

    DES and Triple-DES key lengths 112 & 168 bit

    AES key lengths 128 bit, 192 bit & 256 bit

    RSA (up to 4096 bits)

    ECC as defined in FIPS 186-3 (P-256, P-384 & P-521)

    HMAC, MD5, SHA-1, SHA-2, SHA-224, SHA-256, SHA-384 & SHA-512

    Financial Services Standards

    ISO: 9564, 10118, 11568, 13491, 16609

    ANSI: X3.92, X9.8, X9.9, X9.17, X9.19, X9.24, X9.31, X9.52, X9.97

    ASC X9 TR-31, X9 TG-3/TR-39

    APACS 40 & 70

    Host Connectivity

    TCP/IP & UDP (1Gbps or 10Gbps) – dual ports

    Secure Host Communications Management option for TLS authenticated sessions on Ethernet host port

    Security Certifications

    FIPS 140-2 Level 3 (security sub-system)

    PCI HSM v3 (selected software versions) including RAP

    PCI HSM v3 KLD (for payShield TMD)

    AusPayNet approved


    Base software packages

    Base software packages with a range of performance levels are available to align closely with customer deployment and usage requirements.

    Optional software licenses

    Optional licenses are available to extend payShield functionality and can be acquired and installed at any time throughout the product lifecycle.

    Package and license upgrades

    As your transaction volumes grow or you need to support new application use cases, performance is boosted via software licenses, and additional HSMs with different software packages can be added to the estate and managed as easily as the installed base.

    payShield Manager

    payShield 10K HSMs can be managed in local or remote mode using the payShield Manager browser-based application. The remote mode of payShield Manager is specifically designed to eliminate the need to travel to data centers for HSM management and requires the purchase of an additional license.

    payShield Monitor

    A comprehensive monitoring platform for both payShield 9000 and payShield 10K HSMs that enables operations teams to gain 24x7 visibility into the status of all their payShield HSMs, including those residing across distributed data centers.

    payShield Trusted Management Device

    The payShield Trusted Management Device (TMD) complements the payShield Manager remote management solution for Thales payment HSMs by offering an efficient, flexible and secure approach to managing and sharing critical keys in locations remote from production HSMs.

    Smart cards

    Secure smart cards to hold local master key (LMK) components for master key management and authentication credentials associated with remote HSM management options are available in packs of 6, 30 or 100 to suit a wide range of customer deployment requirements.

    Additional PSUs and fans

    Each payShield 10K device is fitted with dual hot-swappable power supply units (PSUs) and fans as standard. To provide coverage in the unlikely event of a hardware failure, you can purchase spare PSUs and fans in advance to avoid any scheduled downtime.

    Replacement locks and keys

    payShield 10K uses two highly secure locks with associated keys on the front panel as part of the security administration procedures. The items are tightly controlled and registered and are not available on the open market. In the event that the device locks are damaged or keys are lost, a secure service to provide replacement locks and keys is available from Thales.

SafePloy & Thales' Customers