FIPS 140-3 hardware security module leased on a 36-month bundle. Key ceremonies, managed firmware lifecycle, BNM RMiT audit pack, and quantum-safe migration planning — all included.

Cryptographic keys stored in software, whether on a general-purpose server, in a database, in a configuration file, or in a cloud key management service operated by a foreign provider over whose hardware the organisation has no control, are only as protected as the host and the operator holding them. Any adversary who gains operating-system-level access to a host holding a software key can read that key. This is not a theoretical risk. The 2014 Heartbleed bug, a memory-disclosure flaw in OpenSSL, let remote clients read server memory, including TLS private keys, from web servers worldwide. Malware with kernel privileges can extract keys from software stores in seconds using readily available tools.
A Hardware Security Module solves this by enforcing a fundamental security guarantee: the private key never leaves the physical hardware in plaintext, regardless of what software runs on the host. Operations using the key (signing, decryption, key derivation) are performed inside the HSM itself. The host application submits a request and receives a result; it never receives the key. An attacker with root access to the application server cannot extract the HSM-protected key. What the HSM does not prevent on its own is misuse: an attacker who controls the application host can still submit signing or decryption requests through the application's authenticated session for as long as that access lasts. That is why partition authentication, per-operation audit logging, and privileged-access controls around the host matter alongside the hardware itself.
Malaysian financial institutions under BNM RMiT are required to implement hardware key protection for payment credentials, signing keys, and master encryption keys. PCI DSS has equivalent requirements under Requirement 3. Organisations handling digital identity — government PKI, e-signature platforms — also require hardware key protection by regulatory design. See the managed security leasing overview and consider pairing with PAM-as-a-Service to protect both the keys and the administrators who manage them.
Thales Luna Network HSM 7, a current-generation general-purpose network HSM (not a dedicated payment HSM, which is a separate product class), carries a list price in the RM 150,000–250,000 range for a single appliance. An HA pair, as required by most production deployments, is RM 300,000–500,000. Add support contracts (typically 20–25% of hardware cost annually), key ceremony professional services (RM 15,000–40,000), integration professional services, and the ongoing internal maintenance burden, and the five-year total cost of ownership for a self-managed HSM deployment in a mid-market financial institution is typically RM 600,000–1,200,000.
Under the HSM-as-a-Service lease, the Mid-Market monthly range is RM 7,000–15,000 — an HA pair with key ceremony, integration support, quarterly rotation, firmware management, audit pack, and a hardware refresh at month 30. Over 36 months this is RM 252,000–540,000 all-in, compared to the RM 300,000–500,000 capex for the hardware alone under a buy scenario.
The financial comparison is the straightforward case. The operational case is more compelling for most organisations: key ceremonies require specialised expertise, firmware updates require HSM-specific knowledge, and integration with payment systems requires vendor-trained engineers. These skills are expensive to hire and hard to retain. The lease bundles all of them. Organisations that have previously managed their own HSM operations consistently report that the managed service reduces their operational burden by several hundred engineering hours per year.
BNM RMiT addresses cryptographic key management as a specific control requirement for financial institutions. The policy requires that cryptographic keys used to protect sensitive financial data — payment credentials, PIN blocks, master keys, signing keys — are generated, stored, and managed in tamper-resistant hardware. A general-purpose server or a software key store does not satisfy this requirement. An HSM meeting FIPS 140-3 Level 3 provides the tamper resistance, key isolation, and audit-grade logging that regulators require. PCI DSS has the same requirement for payment card environments under the Requirement 3 key-management controls.
A key ceremony is the formal, documented process by which a master cryptographic key is generated, split into custodian components, and loaded into the HSM. The ceremony requires multiple custodians, typically three to five people each holding one component, to be physically present simultaneously for any key reconstitution. Ceremonies are normally designed as an M-of-N quorum (for example, any three of five custodians) so that the absence or departure of a single custodian does not lock the organisation out of its own key. Witnesses (auditors, legal representatives, or designated internal officers) observe and sign the ceremony record. This dual-control, split-knowledge procedure ensures that no single person ever has access to the complete key, and each custodian verifies a key check value (KCV) for their component before it is loaded. nCrypt runs key ceremonies using documented scripts that produce the audit artefacts required for BNM and PCI DSS review.
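The split-knowledge principle behind a key ceremony, shown as an added example rather than nCrypt's or any HSM vendor's code: a master key is split into custodian components using Shamir secret sharing over GF(2^8), any three of five components reconstitute it, and fewer than three yield nothing. Real ceremonies use the vendor's own splitting scheme (XOR components with AES key check values, or the HSM's built-in M-of-N quorum); the sample key and the truncated-SHA-256 check value here are constructed simplifications so that the example runs with the Python standard library alone.

```python
"""Constructed illustration of split-knowledge key components (not vendor code)."""
import hashlib
import secrets

_AES_POLY = 0x11B  # reduction polynomial for GF(2^8), the same field AES uses


def _gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= _AES_POLY
        b >>= 1
    return result


def _gf_inv(a: int) -> int:
    """Multiplicative inverse, a^(2^8 - 2); a must be non-zero."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result = 1
    for _ in range(254):
        result = _gf_mul(result, a)
    return result


def split_key(key: bytes, threshold: int, custodians: int) -> list[tuple[int, bytes]]:
    """Split `key` into `custodians` components (x, bytes); any `threshold` rebuild it."""
    if not 2 <= threshold <= custodians <= 255:
        raise ValueError("need 2 <= threshold <= custodians <= 255")
    # One random polynomial per key byte; coefficient 0 is the secret byte itself.
    polys = [[byte] + [secrets.randbelow(256) for _ in range(threshold - 1)] for byte in key]
    components = []
    for x in range(1, custodians + 1):
        share = bytearray()
        for coeffs in polys:
            value = 0  # Horner evaluation of the polynomial at x
            for c in reversed(coeffs):
                value = _gf_mul(value, x) ^ c
            share.append(value)
        components.append((x, bytes(share)))
    return components


def combine_components(components: list[tuple[int, bytes]]) -> bytes:
    """Reconstitute the key by Lagrange interpolation at x = 0.

    With fewer than `threshold` components the output is a random-looking
    value, not a partial key: the scheme is all-or-nothing.
    """
    xs = [x for x, _ in components]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate custodian component")
    key = bytearray()
    for i in range(len(components[0][1])):
        acc = 0
        for j, (xj, share_j) in enumerate(components):
            # l_j(0) = prod_{m != j} x_m / (x_m - x_j); in characteristic 2 the
            # subtraction is XOR, and -x_m == x_m.
            num, den = 1, 1
            for m, (xm, _) in enumerate(components):
                if m != j:
                    num = _gf_mul(num, xm)
                    den = _gf_mul(den, xm ^ xj)
            acc ^= _gf_mul(share_j[i], _gf_mul(num, _gf_inv(den)))
        key.append(acc)
    return bytes(key)


def check_value(data: bytes) -> str:
    """Simplified KCV printed on each custodian's sealed envelope.

    Real ceremonies encrypt a zero block under the key and keep the first three
    bytes; a truncated SHA-256 stands in for that here (constructed simplification).
    """
    return hashlib.sha256(data).hexdigest()[:6]


def ceremony_demo() -> dict:
    """Generate a constructed 256-bit master key, split it 3-of-5, and verify."""
    master_key = secrets.token_bytes(32)
    components = split_key(master_key, threshold=3, custodians=5)
    recovered = combine_components([components[0], components[2], components[4]])
    partial = combine_components(components[:2])
    return {
        "master_kcv": check_value(master_key),
        "component_kcvs": {x: check_value(s) for x, s in components},
        "recovered_matches": recovered == master_key,
        "partial_matches": partial == master_key,
    }


if __name__ == "__main__":
    print(ceremony_demo())
```

The KCV on each component lets a custodian confirm their envelope is intact and correctly transcribed before the ceremony proceeds, and the KCV of the reconstituted key is what the witnesses record against the HSM's own reported check value.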
FIPS 140-3 Level 2 requires tamper evidence: seals and coatings show whether the enclosure has been physically opened. Level 3 adds active tamper response, where the HSM zeroises (destroys) its plaintext keying material when it detects a physical intrusion attempt, together with identity-based operator authentication. Level 3 is the minimum required for payment HSMs and for BNM RMiT key management. Level 4, the highest, adds protection against environmental attacks such as voltage and temperature manipulation and is typically required only for government and military applications. All HSMs in the nCrypt leasing bundle are FIPS 140-3 Level 3 or higher.
HSMs expose standard cryptographic APIs — PKCS#11, JCE (Java Cryptography Extension), Microsoft CNG (Cryptography API: Next Generation), KMIP (Key Management Interoperability Protocol), and REST APIs. Application teams consume the HSM through these APIs without needing to understand the hardware internals. nCrypt provides reference integrations for the most common use cases: TLS certificate key protection, database Transparent Data Encryption (TDE) key management, code signing, payment tokenisation, and digital identity signing. Integration typically takes one to two weeks for standard use cases.
PKCS#11 is an industry-standard API specification for interacting with cryptographic hardware. Virtually every programming language has a PKCS#11 binding — Java, Python, Go, .NET, and C/C++ all have mature libraries. Applications using PKCS#11 can switch between HSM vendors without rewriting the application code, provided the key material is migrated. This vendor portability is a key reason nCrypt recommends PKCS#11 as the primary integration path for new HSM deployments.
Current RSA and ECC cryptography will be breakable by a sufficiently powerful quantum computer running Shor's algorithm. In August 2024 NIST finalised the first post-quantum cryptography standards: FIPS 203 ML-KEM (derived from CRYSTALS-Kyber), FIPS 204 ML-DSA (from CRYSTALS-Dilithium), and FIPS 205 SLH-DSA (from SPHINCS+), with further algorithms still being standardised. Encryption and key-agreement keys are the urgent case, because ciphertext captured today can be decrypted once a capable machine exists; signing keys can migrate on a longer timeline. Thales Luna 7 HSMs can run post-quantum and classical algorithms side by side, so hybrid operation is possible during a transition period. nCrypt plans quantum migration as part of the HSM service design, ensuring the hardware you lease today will support your migration when your organisation reaches that stage.
Hardware-as-a-Service · 36-month bundle
Thales Luna or Entrust nShield HSM, with key ceremonies, BNM RMiT-aligned operations, and managed firmware lifecycle.
FIPS 140-3 Level 3 HSM appliance (HA pair standard)
Initial key ceremony with audit witnesses
Quarterly key-rotation and firmware updates
Audit-ready logging integration to your SIEM
BNM RMiT and PCI DSS documentation pack
Hardware refresh at month 30
SMB
RM 4,000 – 7,000 / month
Single Thales Luna 7 HSM, FIs onboarding to RMiT
Mid-Market
RM 7,000 – 15,000 / month
HA pair, multi-region, PCI DSS Level 1 merchant
Enterprise
RM 15,000 – 40,000+ / month
Multi-pair HA across DR sites, code-signing + tokenisation + payment workloads
Need a one-off engagement instead of a leased bundle?
See our consulting service →
Share your user count, locations, and current stack. We'll respond within 24 hours.
Three minutes in the calculator. A precise quote emailed within 24 hours.
Financing available via our partner financial institutions. Indicative monthly figures based on standard 36-month terms; final pricing subject to credit assessment and signed master service agreement.