22nd Jan 2019

Smart Card vs. HSM – Which is best for your business?

38.8 billion payments were sent in the UK during 2017. Of these, 4.2 billion were business payments. If you’re reading this, it’s likely you belong to one of the organisations that are making these billions of payments, but did you know there are various ways to authorise them?

It may be the case that you are clinging on to your trusty smart card and card reader, carrying them around with you everywhere you go. But there are options out there to give you total flexibility on how, where and when you make these payments.

What you choose depends on what you value most as a business – physical security or flexibility and automation. To help you figure this out, AccessPay asks: “What’s the difference between smart card submissions and HSM?” and “Which is best for your organisation?”

What is a smart card?

Let’s start by defining the terms – what is a smart card?

It’s a physical security device that businesses use to validate and authenticate both electronic payments and banking transactions. The size of a credit card, it holds a memory chip which stores security keys. These keys allow for the encryption and authentication of transactions when they’re connected to a smart card reader.

How does this work? There are three things you’ll need to use smart cards: the card, the reader, and a piece of on-premise software (typically Gemalto) to access them. With these, you log in by keying in a PIN, then manually approve payments and/or collection submissions.

One smart card should be assigned to each individual in your organisation who has the authority to submit payment files. One crucial point to consider, however, is that smart cards work manually, so submissions can’t be automated.

What is HSM?

HSM stands for Hardware Security Module. It effectively does the same job as a smart card, but differently. It’s a hardware-based security device that generates, stores and protects cryptographic keys that authorise individuals to submit payments. HSM provides the foundation you need for a high-level, secure certification authority. There’s also nothing stopping you from automating Bacs submissions; something that is very useful when you’re looking for maximum efficiency.

This tech has come a long way. Back in the day, each organisation had to buy a physical HSM box to store its certificate. It was this that allowed you to digitally sign submissions (and it usually cost an eye-watering £10,000 or so).

Luckily, providers who specialise in cloud-based solutions, like AccessPay, now offer a cloud-based HSM. We store the physical device in our data centre, while you receive a digital certificate that’s both stored on this device and backed up on another device. This means it’s easy to use and highly secure, and you don’t have to maintain a physical device on site, so there’s no risk of it being damaged or stolen.

Anyone can use HSM. But is it right for you? Well, that’s what we’ll seek to answer in the rest of this post. First, there’s some terminology that we need to get into…

Attended vs. Unattended HSMs

There are two ways you can use HSM to submit a payments or collections file: Attended and Unattended.

Attended is for those who prize flexibility. Say you’re an AccessPay customer with Attended HSM. You’d simply log into our platform, approve your files (this could be 4-eyes or 6-eyes approvals), and when you’re done, physically press submit – all of this from any device. The files would automatically be sent to Bacs without you keying in a smart card PIN. The best thing here is that you still have a secure approvals process, but you can complete submissions anytime, anywhere – not just from where your smart card is installed.

Unattended HSM automates the whole process. As soon as a file is uploaded, it is sent automatically without any checks or approvals (a.k.a. straight-through processing). This is ideal for organisations that complete all of their approvals in their back-office system, or those who make a vast number of transactions regularly and don’t have time to check and/or approve them all. AccessPay offers both types of HSM and we can help you decide which one is right for you.

What’s the difference?

There are big differences between smart cards and HSM.

Both have pros. Smart cards are effective at tackling employee payments fraud. This is because authorisation is attributed to the individual within your organisation who has permission to make submissions. It creates a detailed audit trail that makes it easier to trace fraudulent activity. Some people simply prefer the comfort of a physical security device. You can set up smart cards cheaply and quickly as well, as you don’t have to apply for an HSM certificate with the bank (more on that later).

HSMs have their pros too. From a security standpoint, automating payments submissions eliminates the issue of human error that comes with manual submissions. This tech is also tamper-proof. HSMs generate a unique digital code that’s attributed to your organisation. This makes it tough for cyber-criminals to make payments from your accounts, as they don’t have access to this code.

HSMs can also serve as the linchpins of any good Disaster Recovery policy. Your HSM lives in the cloud, and the box needed to store it is held in a secure location. So, if you can’t access your physical premises – or they’re hit with a disaster like a flood – you can still make transactions, such as payroll, on time, as you can remotely access your HSM anytime, and from any location.

When is this not right for you?

There are certain cases where smart cards or HSMs are not right for your organisation. The cons of smart cards are obvious. As they’re physical devices, they can be lost, broken or stolen. Also, you have to install on-premise software to get a smart card to work, and have the card and reader with you whenever you want to make a submission, which limits flexibility. Then there’s the issue of human error. For example, your submitter could forget their login PIN, barring them from completing Bacs submissions on time – or, even worse, they might not be available at all, due to sickness.

HSMs aren’t right for everyone either. The process of setting up HSM is complex – and requires more involvement from your bank – than that for smart cards. This is because you have to apply and pay for the HSM certificate from your bank to access this tech, as well as renew said certificate every three years. So, if you have a simple Bacs need – i.e. low transaction volumes – then there may not be a business case for you to use HSM, as it might not fit your organisation’s requirements.

Also, HSMs are attributed to an organisation, not to an individual as a smart card is. This makes it difficult to trace back who in your organisation made a payment, so it’s harder to tackle employee payments fraud. You can combat this with security tools like two-factor authentication, which requires a submitter to verify their identity with another form of authentication besides a password at the point of login.
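The two passages above (the 4-eyes/6-eyes approvals in Attended HSM, and the attribution gap of an organisation-level HSM certificate) come together in the way a submission platform should keep individual accountability even though the signature belongs to the organisation. The following is an added example, not AccessPay’s code or Bacs’ interface: an organisation-level key (an HMAC key stands in for the certificate held inside the HSM) signs a payment file only after the required number of distinct, two-factor-verified approvers have approved that exact file content, and every decision is written to an audit log. The `Session`, `Submission` names, the sample file and the key are all constructed for illustration.

```python
"""Added example: N-of-M approvals and per-person audit trail in front of an
organisation-level signing key. Not AccessPay's code; all names, keys and the
payment file below are constructed for illustration."""

import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the key held inside the HSM. In a real deployment the
# key never leaves the module; the platform only asks the HSM to sign.
_ORG_SIGNING_KEY = b"example-org-key-held-in-hsm"


@dataclass
class Session:
    user: str
    mfa_verified: bool  # set by the login step (password plus second factor)


@dataclass
class Submission:
    file_bytes: bytes
    required_approvals: int  # 2 for four-eyes, 3 for six-eyes
    approvals: dict = field(default_factory=dict)  # user -> hash of file they approved
    audit_log: list = field(default_factory=list)

    @property
    def file_hash(self) -> str:
        return hashlib.sha256(self.file_bytes).hexdigest()

    def approve(self, session: Session) -> bool:
        """Record one person's approval; returns False (and logs why) if rejected."""
        if not session.mfa_verified:
            self.audit_log.append(f"REJECT approve user={session.user} reason=no-mfa")
            return False
        if session.user in self.approvals:
            self.audit_log.append(f"REJECT approve user={session.user} reason=duplicate")
            return False
        # Store the hash so an approval is tied to this exact file content.
        self.approvals[session.user] = self.file_hash
        self.audit_log.append(f"APPROVE user={session.user} file={self.file_hash[:16]}")
        return True

    def submit(self, session: Session) -> Optional[bytes]:
        """Sign with the organisation key only when enough distinct approvers have
        signed off on the current file content. Approvals made against an earlier
        version of the file no longer count, and the submitter is logged separately."""
        valid = [u for u, h in self.approvals.items() if h == self.file_hash]
        if len(valid) < self.required_approvals:
            self.audit_log.append(
                f"REJECT submit user={session.user} "
                f"approvals={len(valid)}/{self.required_approvals}"
            )
            return None
        signature = hmac.new(_ORG_SIGNING_KEY, self.file_bytes, hashlib.sha256).digest()
        self.audit_log.append(
            f"SUBMIT user={session.user} approvers={sorted(valid)} file={self.file_hash[:16]}"
        )
        return signature


if __name__ == "__main__":
    # Constructed payment file and users; four-eyes policy.
    sub = Submission(file_bytes=b"PAYROLL,2019-01-22,ACC001,1500.00\n", required_approvals=2)
    alice, bob = Session("alice", True), Session("bob", True)
    sub.approve(alice)
    sub.approve(bob)
    sub.submit(alice)
    print("\n".join(sub.audit_log))
```

The audit log, not the signature, is what answers “who made this payment?”: the signature only proves the organisation’s key was used, while the log names the approvers and the submitter, and a file edited after approval has to be re-approved before the key will sign it.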

Which is best for your payments?

Taking all of this into account, which is best for your Bacs submissions and other payments? Smart Cards or HSM?

If you want to add automation to your business payments processes, strengthen your Disaster Recovery policy or provide staff with remote working options, you might want to invest in HSM. Data shows that around half the UK workforce will work remotely by 2020, so HSM could really help your organisation get ahead in recruiting the best talent. On the other hand, if your Bacs needs are simple and small – say you process fewer than 1,000 transactions each month – then smart cards are your best bet.

Get in touch with the AccessPay team today to find out how you can use smart cards or HSM to transform your organisation’s payments.