01 — HSM Gateway

Integrate your payShield and Luna HSMs in minutes, not months.

Containerized service that exposes the cryptographic capabilities of Thales payShield 10K and Luna HSMs through an HTTP/S REST API with standard JSON messaging — eliminating the complexity of native C, Java or PKCS#11 integrations.

IMPACT IN PRODUCTION
Integration time: months (historical) ▸ minutes (with HSM Gateway)
A single integration protocol: HTTP/S + JSON
Typical time-to-production: < 2 wks
Gateway SLA: 99.99%
Solution pillars

Four fronts,
a single defense.

Each pillar can be contracted independently, but it reaches its full potential when they work together on the same control plane.

01

Friction-free integration

No proprietary TCP messaging or native C, Java or PKCS#11 APIs in the application layer. One single HTTP/JSON API.

02

Lower time-to-market

OpenAPI documentation and ready-to-use examples accelerate development. Onboarding in hours, not weeks.

03

Unified HSM management

Consolidate fleets with different performance tiers under one interface, without touching application logic.

04

High availability

Smart load balancing and message queues minimize downtime. Scalable on-prem or cloud-native architecture.

Architecture

Configuration Manager,
parallel workers.

Your applications speak HTTP/S to a load balancer. Workers translate to proprietary TCP and spread the load across your HSM fleet. Administrators manage everything from a Web GUI connected to the Configuration Manager.

· Logical flow
01 · Clients (your apps): core / backend service · web banking front end · mobile / SDK (PB Library) → HTTPS
02 · Edge: Load Balancer (distribution + retries) → HTTPS · REST + JSON
03 · HSM Gateway (Ziglabit): Configuration Manager (Web GUI · config · logs) · Worker 1 · Worker 2 · … · Worker N → native TCP · Thales messaging
04 · HSM Pool: Thales payShield 10K (native TCP) · Thales Luna (proprietary messaging)
Cryptographic functions

We cover the real operations, not just cryptographic “hello world”.

Thales payShield 10K (via native TCP)
PIN management: Generation · ABA PVV verification · Translation (ZPK, TPK, BDK/DUKPT, RSA)
Key management: Generation · Import under RSA · RSA pub/priv key pair
Card operations: CVV/CVC verification · EMV authentication (ARQC/ARPC)
Data encryption: Encryption · Decryption · RSA/ECC signing
Diagnostics: HSM status · System load · General diagnostics
Custom: Support for custom functions on request

Thales Luna (via proprietary messaging)
RSA: Sign · Verify · Encrypt · Decrypt · Wrap · Unwrap
3DES / AES: Encrypt · Decrypt · Wrap · Unwrap
For specific operations not listed, reach out to our team directly.
Companion library

PB Library

npm · @ziglabit/pb-library

JavaScript library (Node.js 12+) for client-side PIN and sensitive-data encryption with RSA. Compatible with ISO 9564 Format 0 and 1.

Node.js 12+ · ISO 9564 F0/F1 · Ionic · React Native · Cordova
Deployment

Wherever your HSMs live, HSM Gateway lives.

Same API, same functions, same SLAs. Only the control plane changes.

01

On-premises

Installation on your own infrastructure, alongside your physical HSMs. Ideal for regulated environments with strict network perimeter requirements.

Bare metal · VM · Air-gapped
02

Cloud-native

Docker or Kubernetes containers in your cloud. Horizontal auto-scaling and zero-downtime rolling updates.

Docker · K8s · Helm
03

Hybrid

Cloud workers that connect to on-prem HSMs via VPN or Direct Connect. Best of both worlds.

VPN · Direct Connect · Multi-region
Compliance

Auditable out of the box.

Each control produces persistent, exportable, cryptographically signed evidence.

PCI HSM
FIPS 140-2 L3
Common Criteria EAL4+
PCI-DSS
PCI 3DS
ISO 27001
Integrations

Connect with what you already have.

Certified connectors for the most widely used core systems and observability platforms across LATAM.

Thales payShield 10K
Thales Luna
Docker
Kubernetes
OpenAPI 3
Prosa
Visa DPS
Mastercard MDES
Flexible deployment: on-prem / cloud